Keeping It Real: How to Replicate Signatures and Wax Seals on the Web

Authentication takes center stage at the Government Printing Office.

The Government Printing Office has been making official federal documents for more than 150 years, including such important records as the annual budget, congressional legislation and the Federal Register. But once it started producing electronic documents, the agency faced a significant challenge.

Publishing federal documents electronically allows for much wider and more rapid distribution. The agency realized it needed a way to prove the authenticity of the documents that it produced as they were sent around the world via e-mail and the web.

“We’re now in an environment where over 95 percent of the documents that are created by GPO are born digital,” says Richard Davis, the agency’s chief technology officer. “We wanted to have a way that people could rely on the integrity of the documents.”

To establish document integrity, GPO began applying digital signatures to PDF documents, which serves the same purpose as handwritten ­signatures or ­traditional wax seals on printed ­documents. Users can validate a GPO document’s authenticity using Adobe Acrobat. If the software confirms that the digital signature on a document matches the signature on GPO’s original, the document has not been altered in any way.

“If a document is altered, the validation of the digital signature fails,” says John Hannan, chief information security officer at GPO.

GPO developed its Federal Digital ­System to manage, authenticate, preserve and provide access to federal documents. The agency uses FDsys as a central repository for original documents and also uses authentication to determine what access its own users have to documents in the system. “We have very clearly defined user roles and responsibilities that govern who can get on FDsys and what they can touch,” says Davis, adding that no employees can alter the content of the documents.

The next step in GPO’s authentication efforts is to make documents mobile. The agency recently launched two mobile apps, a Mobile Member Guide of the 112th ­Congress and an app for the 2012 Federal Budget. The documents still carry the digital signatures, but not all devices can read the signatures or access all the information they contain. However, GPO is making efforts to address this issue.

“GPO is working with Adobe and other manufacturers on this because mobile devices are such an important platform,” Hannan says.

Voices

Dodson_100

“Identity management is a critical cybersecurity control. Building federal information systems with strong, usable authentication technologies that protect privacy will increase trust and confidence in those systems.”

— Donna Dodson, Division Chief of the Computer Security Division at the National Institute of Standards and Technology

Cross_100

“Through our two-factor authentication remote access solution, USDA teleworkers can easily and securely access their virtual desktops, e-mail and personal files any time, from anywhere. This enables our employees to log on to the system using any computer safely and securely, without compromise or risk to the enterprise.”

— Mika J. Cross, Work/Life and Wellness Program Manager at the U.S. Department of Agriculture

Chapple_100

“Authentication forms the cornerstone of IT security efforts by providing access control systems with the assurance that a user is indeed the person that he or she claims. This is especially important in environments with large numbers of remote or mobile users who access systems sight unseen.”

— Mike Chapple, information security professional and author

Nov 01 2012