Electronic and Digital Signatures Explained.
Over time, humans have evolved from using hieroglyphics to writing on paper and sealing it with wax. We then moved on to generating electronic documents and signing them with electronic signatures.
Finally, we have a global standard - digital signatures.
But how ? What ?
With so many local and international laws and regulations that are often confusing and even contradictory to one another, how does one achieve total confidence in signing electronic documents?
The secret lies in understanding what a signature is, the difference between handwritten signatures (a.k.a. paper or wet ink signatures), electronic signatures and digital signatures.
"Handwritten signatures" mean signatures that are created when a person makes their mark by hand, on paper, using wet ink.
Most people are familiar with handwritten signatures. Historically, this has been the most accepted method of legally binding a person to a contractual commitment.
Authentication of the signer's identity is confirmed by introducing another signer (co-signer or witness). The co-signer must be present at the time of signing. By co-signing they confirm identity of the first signer.
Non-repudiation is very difficult with handwritten signatures. It most often requires a forensic handwriting expert to prove non-repudiation.
Although far from perfect, and open to forgery right from the outset, handwritten signatures served their purpose, for a period.
GLOBAL LEGAL ACCEPTANCE
The need to sign electronic documents digitally emerged when business transactions started migrating to digital processes.
As is often the case with new technologies, different opinions are formed before global standards are created. Electronic signatures are a prime example of how different opinions can create confusion in technology law.
Although many countries still accept electronic signatures, there is no official standard for them. So they too are more susceptible to forgery and non-repudiation is almost non-existent. Again, to prove authenticity, evidence is needed.
An electronic signature is nothing more than a digital image attached to an electronic message.
The very basic form of an electronic signature is when you write your name at the bottom of an email, for instance, "Regards, Mark". In many instances of eSign law, this form of signature still binds the sender to the content, making it legally binding under statutory provisions for ordinary electronic signatures.
Electronic signatures have served their purpose as a stepping-stone technology while standards are being created and laws agreed upon, but their days are numbered.
Electronic signatures will always have their place, but merely as a layer in a digital signature, as illustrated below.
GLOBAL LEGAL ACCEPTANCE
IDENTITY OF SIGNER
Frequently Asked Question: What type of signature is it when you print and sign a document, then scan and e-mail it?
This question presents another interesting case on how modern technology can create confusion in the absence of updated law.
The fact is, without the presence of the original paper document that has the wet-ink signature on it, the electronic copy is nothing more than a basic electronic signature. Therefore, the signature is open to scrutiny and has no standing in a court of Law.
Instead of asking a customer to print, sign, scan and e-mail a document, rather circulate the document via workflow and sign it with auditable digital signatures.
Digital signatures are also known as advanced electronic signatures (AES), qualified electronic signatures (QES) or trusted electronic signatures.
Across the world, digital signatures are fast becoming the only legally accepted replacement for handwritten signatures. Digital signatures offer inherent security and non-repudiation, which cannot be found in electronic signatures.
Digital signatures make use of a technology known as public-key infrastructure (PKI) cryptography. Not only does this address non-repudiation in a court of Law, it also protects the integrity of documents and makes them tamper-evident.
GLOBAL LEGAL ACCEPTANCE
IDENTITY OF SIGNER
SigniFlow digital signature multi-layer components
Electronic Signature Layer
As per the above illustration, the top layer of a SigniFlow digital signature is an electronic, graphical image. This represents an individual's handwritten signature. The image only has to be captured once, after which the system automatically layers the graphic image in the digital signature.
PKI Signing Key
Next, the top-middle (yellow) layer embeds a body of evidence about the signer and the process in the X.509 certificate. It embeds the identity of the signer, a trusted timestamp and the public key needed to verify the signature.
Digital Signature Layer
Then, the bottom-middle (red) layer stores security information about the document and the signing ceremony. When the signature is applied, it creates an encrypted hash of the document, which is signed and embedded in the PDF.
Finally, every time the signature is verified, a new hash code of the document is created and compared to the original one. If so much as one Bit in the document has changed, the verification will fail. This makes the document tamper-evident.
What is an Advanced Electronic Signature?
Advanced Electronic Signatures (AES or AESign) and Qualified Electronic Signatures (QES) are standard digital signatures, but with a higher class digital certificate.
Depending on your country, these certificates are usually issued in a face-to-face meeting, where the RA (Registration Authority) follows each CA's (Certificate Authority) pre-approved process to validate identity before issuing AES or QES certificates. These certificates are always stored on a highly secure and protected device, like a FIPS140-2 Level 2 or 3 HSM (Hardware Security Module).
SigniFlow is certificate agnostic, meaning it can sign with any of these certificates. Once the certificate is issued, you set up your SigniFlow account to point to the location of your certificate. Every time you sign, SigniFlow uses your personal digital certificate to cryptographically sign the document.
These types of signatures are the most compliant of all signatures for electronic documents.
Contact us for more information.
How to verify a digital signature.
Verifying a digital signature created requires minimal effort.
First open the document in Adobe Acrobat® Reader. The top bar will indicate the validity of the signature on the left. If the document has changed since it was signed, the Adobe Trust indicators will show red or orange exclamation marks. This indicates that the document has been tampered with.
Then, by by opening the pen icon in the middle of the left vertical bar of the PDF reader, you can view additional audit information; like the signer's identity, TSA (Timestamp Authority) timestamp, LTV (Long-term Validation) and other properties.
SigniFlow only uses Adobe Approved Trust List (AATL) certificates to sign documents, which means every signature in the document is a digital signature that can be verified.
Additionally, you can find the signature in the document and click on it. The signature validation status, containing all of the signatory's information, will pop up. By going into the Signature Properties section, you can view further details of the certificate.
Beware of electronic signature providers that claim to use digital signatures, but in fact only use e-seals to digitally sign documents. The documents often only have basic electronic signatures of the signers.
E-seals have their place, but not as personal digital signatures.