Signing PDF Receipts

If you read the Help page “Emailing Receipts” in recent versions of DONATION, there’s a section at the bottom, headed “Concerns for Canadian Users”, about the Canada Revenue Agency’s requirements for electronically-transmitted (e.g. emailed) receipts. The concerns there don’t seem to apply to US receipts, which have much looser requirements. However, US readers of this blog may still have an opinion about the following, because it concerns a feature I plan to introduce into the program that they could use too.

The one CRA requirement for emailed receipts that DONATION does not currently fully satisfy is “the document should be encrypted and signed with an electronic signature”. The emailed receipts (which are PDF files) are indeed encrypted, to prevent modification, but they are not signed with an electronic signature, which guarantees that they have not been modified. N.B. This is not the same as a bitmap signature, which DONATION can already include, but rather refers to a digital signature.

Up until now, the software I use to create the PDF files in DONATION, novaPDF, has not supported the use of digital signatures. They have just released a version that does, but I have realized that there’s an issue. You can get digital signatures in two ways: either purchase them, from a recognized Certificate Authority (CA) like Verisign, or create what is called a self-signed certificate, which is free but does not come from a CA.

I cannot imagine many of my users wanting to go to the bother and expense of purchasing a digital certificate from a CA, just in order to satisfy this small CRA requirement. So creating self-signed certificates, which is fairly easy via the novaPDF software, is probably all they would do. But, if you attach a self-signed certificate to a PDF file, and then open that PDF in the regular Adobe Reader, its tool for checking a signature’s validity will say “Signature validity is unknown”, because it’s not connected to a recognized CA.

My question for you is this. Would users of DONATION not want to attach self-signed certificates to their emailed PDF receipts, because they would be afraid that their donors would see that message about the signature validity being unknown, and then think there might be something wrong with the receipt, or questionable about the charity or church issuing that receipt? Because if a lot of DOATION users would worry about this, I probably shouldn’t even include this feature into DONATION, despite the fact that the CRA officially requires it.

Thank you in advance for your thoughts on this, which as usual would best be sent to me by posting a Reply on the blog, so we can all see each other’s comments.

12 thoughts on “Signing PDF Receipts

  1. I would be inclined not to use this feature mainly for the reason you noted. It may not seem like a big deal but I probably would have to explain to those receiving the receipts about this wording.

    Thank you,

    Peter

  2. I am would agree with Peter’s comment – I know that our recipients would certainly question the wording if they received a receipt with the message “Signature validity is unknown”.

    It is not something I would like to see on my own receipt from anyone either.

    Margie

  3. In Canada, I think it is an important addition if the CRA requires it, and as far as the CRA does legally accept such an encrypted pdf file with a non verified signature. I am not sure some people understood that the message “Signature validity is unknown” IS NOT PRINTED on the official receipt, could you please confirm it. In case of doubt, the receiver of the receipt (and the CRA) could easily verify the amount of the contribution by contacting the organism.
    Thank you for your good work.
    Tom

  4. You’re right, Tom, that message is definitely not printed on the receipt. As I said above, it’s not even visible in the Adobe Reader unless you drill down a bit into the signature information, which I suspect very few people would do.

    In terms of what the CRA accepts or doesn’t accept, don’t forget, they don’t receive these electronically distributed receipts! At the most, for those donors who aren’t filing electronically, they will have to print out the receipt and submit it with their tax form. That’s no different than if the charity using DONATION printed it out and mailed it.

    So this is about the charities using DONATION, and me supplying DONATION to them, obeying every “jot and tittle” of the regulations for electronic receipts as listed on the CRA’s web site.

  5. In that case, dont bother working on it. Like many and maybe most of the charity organisms, we send our receipts by ordinary mail after signing each of them and keeping a copy of these receipts.

    • Some organizations using DONATION will definitely be sending email receipts, as it saves both time and money to do so.

      I’m starting to think I need to add this feature (digital signatures on PDF receipts) for completeness reasons, but allow users to decide whether or not to use it. If they really feel strongly about using it, and don’t like the drawbacks of self-signed certificates, they can always buy a proper one from a Certification Authority like Verisign. I really doubt many will do this (given that nobody has even asked me about it), but it at least means I am being compliant with CRA regulations, and giving my users a path to do so if they so choose.

  6. First of all, let me state that I would not be using this feature. But…. if the occasion did occur that, for instance, if someone did not receive my mailed receipt and needed one in a hurry, I might be inclined to email him one, if the feature is available.

    As far as the validity of the signature is concerned, I would say that the majority of the people to whom I might, and I stress “might”, send one to would not know how to check the signature, and I wouldn’t tell them unless they asked.

    • Robert, I trust you do understand that emailing receipts as PDF files is already a feature in the program. It’s just this addition of digital signature capability, because officially it’s a CRA requirement (though it’s hard to imagine that they would enforce it, or even have any way to detect that you were violating it) that is under discussion at this point.

      • Yes, I realize that the pdf feature of printing the receipts is already there, but, in short, I still wouldn’t use it unless I was in a pinch, and most of my “clients” wouldn’t know how to check the digital signature. So adding the digital signature, even though the message “Signature validity is unknown” were displayed if they knew how to check it, is not a problem to me because my folks would likely never see the message.

  7. Don,
    I have used this feature. I do not see a problem with the message “Signature validity is unknown”. The source is not unknown! Surely a simple
    covering message would be enough to satisfy the recipient assuming you want to make them aware in the first place. It is not exactly obvious. I think you should keep it.

Comments are closed.