What is an e-Signature? Part I.

By Dave Venance

There are two kinds of signatures today:

 

•        Electronic Signatures

 

An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign or confirm their approval of a document or transaction.

 

•        Digital Signatures

 

These are a subset of electronic signatures because they are also in electronic form. Digital signatures are a cryptographic mechanism often used to implement electronic signatures, and they go much further in terms of providing security and trust services.

 

 

Let’s consider the differences between electronic signatures and digital signatures in more detail.

 

Electronic Signature

 

Examples of electronic signatures include: a scanned image of the person’s ink signature, a mouse squiggle on a screen or a hand-signature created on a tablet using your finger or stylus, a signature at the bottom of your email, a typed name, a biometric hand-signature signed on a specialized signing hardware device, a video signature, a voice signature, an “I Agree” checkbox, etc. The list is endless.

 

 

Digital Signature

 

•        Signer authentication
Proof of who actually signed the document. This links the digital signatures to an actual identifiable entity.

 

•        Data integrity
Proof that the document has not been tampered with since signing. The digital signature depends on every binary bit in the document and therefore can’t be re-attached to any other document.

 

•        Non-repudiation
The signer should not be able to falsely deny having created the signature. That is, it should be possible to prove in a court that the signer in fact created the signature.

 

 

We will discuss four different types of signatures:

 

•        Certificate-based Signatures

•        Electronic Signature

•        Signing Services (Adobe Sign)

•        Signatures to Certify Documents

 

What is a Certificate-Based Signature?

 

•        A Digital Certificate – provided by a third-party Certificate Authority (CA) like Verisign/Symantec, Entrust, GlobalSign, etc.

•        Adobe Self-Signed Signature – which you create yourself with a copy of Adobe Acrobat

 

 

Both types of certificates mentioned above are used to identify a person signing a document, along with some ceremony information (date, time, reason…). A certified certificate authority will go through a comprehensive process to determine a user’s identity before issuing a digital certificate, as these are used in cases of law. These types of “Digital Certificates” provide the highest level of security around signatures. When a user applies their signature to a document, typically a hash of the document being signed (or a subset of it) is generated and encrypted with the private key that belongs to the digital certificate. The recipient of a signed document can always query the certificate authority that issued the certificate used to sign the document to determine who specifically signed the document, whether the document has been tampered with since it was signed, and the intent of the signer.

 

 

By comparison, a self-signed certificate, such as the one Adobe Acrobat lets you create, still produces a certificate-based signature, but it does not have the signer authentication feature: anyone can use a copy of Acrobat Professional to create a self-signed certificate with any data they want. In this case, there is no centralized certificate authority to verify the authenticity of the signature, but the signature still supports data integrity.
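The difference between a CA-issued and a self-signed certificate, as an added example that is not part of the original post: the verifier below reports data integrity and signer authentication separately. To stay self-contained it uses unpadded textbook RSA over publicly known Mersenne primes, which is for illustration only (real signing uses a vetted library and a padded scheme such as RSA-PSS); the names "Alice" and "Example CA", the document text and all function names are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(a, b):
    """Toy RSA key from the publicly known Mersenne primes 2**a-1 and 2**b-1."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def h(data: bytes) -> int:
    """SHA-256 of the data as an integer: the value that actually gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_cert(name, subject_key, issuer_name, issuer_key):
    """Bind a name to a public key; the issuer signs that binding."""
    body = f"{name}|{subject_key['n']}".encode()
    return {"name": name, "n": subject_key["n"], "issuer": issuer_name,
            "cert_sig": pow(h(body), issuer_key["d"], issuer_key["n"])}

def sign(document, key, cert):
    """Hash the document, then apply the signer's private key to the hash."""
    return {"cert": cert, "sig": pow(h(document), key["d"], key["n"])}

def verify(document, signed, trusted_cas):
    """Return (data_integrity, signer_authenticated) for a signed document."""
    cert = signed["cert"]
    integrity = pow(signed["sig"], E, cert["n"]) == h(document)
    ca_n = trusted_cas.get(cert["issuer"])  # None when the issuer is not a trusted CA
    body = f"{cert['name']}|{cert['n']}".encode()
    vouched = ca_n is not None and pow(cert["cert_sig"], E, ca_n) == h(body)
    return integrity, integrity and vouched

# Constructed sample data: three key pairs, one trusted CA, one document.
ca_key, alice_key, other_key = make_key(1279, 2203), make_key(521, 607), make_key(2281, 3217)
TRUSTED = {"Example CA": ca_key["n"]}
DOC = b"Pay 100 EUR to Bob"

ca_signed = sign(DOC, alice_key, issue_cert("Alice", alice_key, "Example CA", ca_key))
# Self-signed: the key holder vouches for itself and can put any name in the certificate.
self_signed = sign(DOC, other_key, issue_cert("Alice", other_key, "Alice", other_key))

if __name__ == "__main__":
    print("CA-issued, intact       :", verify(DOC, ca_signed, TRUSTED))
    print("CA-issued, one digit off:", verify(b"Pay 900 EUR to Bob", ca_signed, TRUSTED))
    print("self-signed, intact     :", verify(DOC, self_signed, TRUSTED))
```

The self-signed case passes the integrity check but not the authentication check, which is why a verifier should display the two results separately rather than as a single "valid" flag.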

 

When would a client use one of these signatures?

 

  • Digital Certificates from a Certificate Authority

-   Highly secure transactions (usually financial)

-   Digital certificate requires a password to authenticate

  • Adobe Self-Signed Certificate

-   Day-to-day internal PDF form processes

-   Does not provide non-repudiation, as there is no CA (you are who you say you are)

 

You can have multiple digital IDs that you use for different purposes, particularly if you sign documents in different roles or using different certification methods. Digital Certificates or IDs are usually password protected. They can be stored on your device (trust store), a USB key, or a Hardware Security Module (HSM). These all require a password in order to apply the signature to a document. This enhances security on your system: if someone gets on your system, they still need a special password to sign documents with your certificate.

 

In a PDF document, the signature can have any kind of appearance. What is important is not the appearance but the fact that the password challenge succeeded before the appearance was put on the PDF. You can configure the appearance of a signature, which can include an image, in your local copy of Adobe Reader/Acrobat.

 

 

In the next blog post we’ll continue considering different types of e-signatures, and we’ll also discuss the legal aspects of electronically signing documents.

 
