Does anyone know how to disallow someone from putting two digital signatures on a document when one signature is for the employee and the other is for the supervisor's approval? We have never allowed digital signatures, because someone raised this question after they were able to create a digital signature in their supervisor's name and affix it to the document in the approval space. Is there any way to tell that both signatures were created by the same person? I only have LiveCycle Designer 9.0 and Adobe Acrobat Pro X. It seems that there should be some code in the signature details that shows that they were both created at the same source. I've checked the certificate details on multiple names that I created and they were different every time I affixed a signature (even one for my dog), so there was no way that I could see that we could prove that the signatures were or weren't both affixed by the same person. Until I have a way to stop this from happening, we cannot use digital signatures on our documents. There needs to be a way to trace the signature back to the source.
There are many ways to generate a digital certificate (digital ID) that can be used to sign a document. In your post you are describing what are referred to as "self-signed" certificates. This means that any user can create their own identity (as you have discovered) and sign a document with it. Acrobat and many other utilities are available that can be used to generate self-signed certificates. Using self-signed certificates can be useful in a scenario where you have established some level of trust with the signer. Usually this involves a relationship with the signer where you have explicitly trusted their digital certificate by importing the public key portion of their digital ID. This use of signatures is not suited for non-repudiation, but it does allow you to determine if the document was modified or tampered with after it was signed.
When you need signatures to also guarantee the identity of the signer, then you must implement some type of Public Key Infrastructure (PKI). A PKI handles the creation, issuing and revocation of digital certificates (digital IDs); typically a user must prove they are who they say they are for the system to generate them a digital certificate. VeriSign and Entrust are two examples of PKI vendors. Trust of the signer can then be implicit: you "trust" the issuer (or Certificate Authority (CA)), therefore you trust the signatures generated with a certificate that came from the Certificate Authority. When a certificate is created by a CA, there is a "certificate chain", so you can determine who (which CA) issued the certificate.
I hope this helps clear things up a bit.