Spoofing and Trust
If you see a cell that appears to be a signature, how can you know whose signature it is? The signer supplies the signature cell, and the cell can display anything at all. The cell is not guaranteed to reflect the signer’s identity or the purpose of the signature. The user must check the signer’s identity by inspecting the certificate associated with the signature. In particular, the user must verify that the certificate is trusted and is recognized by his organization. In some organizations, the user will also consider the signature’s annotation data and/or use a custom application to verify the authenticity of signatures.
An element that appears to be a signature is only a genuine digital signature if:
When you select an item in the Digital Signatures dialog, the corresponding element will highlight on the screen.