About electronic and digital signatures
In this post, we will take a closer look at the advantages of digital signatures over simple electronic ones, and explain how a proper implementation of a digital signature service can be:
- more secure, legally complete and independently verifiable,
- compliant with existing advanced electronic signature standards,
- very convenient for signature use and cost-efficient for enterprise use
so you never need to look back and use any other form of signature.
Despite numerous articles and definitions, there is still a bit of confusion about the differences between electronic and digital signatures. Particularly, many definitions are trying to introduce a digital signature through technical implementation aspects, which fails to capture the essence of the matter. For the avoidance of doubt, in this post we will adopt the following definitions:
An electronic signature
is an electronic sound, symbol, or process that is (a) attached to or logically associated with a contract or other record and (b) executed or adopted by a person with the intent to sign the record (following the widely accepted definition).
A digital signature
is a block of digitally encoded information that can (a) evidently represent a person’s signing intent by being uniquely linked to the person and being capable of identifying the person, and (b) effectively protect the person’s signing intent by ensuring that the person can use the digital signature under their sole control with a high level of confidence and sealing the data signed therewith in such a way that any subsequent change in the data is detectable, thus establishing © a robust verifiable link between the digital world and the real world (leveraging some parts of the eIDAS approach here).
Note that in this definition, a digital signature is essentially an electronic signature with advanced features, improving upon crucial aspects of a signature for the purposes of the increasingly digital world. And indeed, implementations usually employ cryptographic and advanced technological methods to achieve the desired level of capability.
But first things first, why do we need signatures at all?
Signature is a universally accepted way of expressively showing intent of a person in relation to a proposal, where the latter is often presented in the form of a document.
People have used various forms of signatures for many centuries. However, the modern world of global economy, fast business and electronic transactions creates additional requirements for signatures. Posting paper through post is not viable anymore due to the time that it takes. Faxes and scanners have brought us the instant transit of physical documents in a digital form, however they are still largely disconnected from increasingly digital systems and processes. Today, we need to be able to post transactions remotely, from anywhere in the world. We need to be able to execute them fast, in the moment. We need to be sure of their legal effect. And we want to be protected from fraud.
Simple electronic signatures face a profound challenge
The first wave of attempts to address electronic signature requirements has brought the emergence of services like DocuSign, HelloSign, AdobeSign and many others. Products from the e-signature space have been successfully adopted by many people and companies. However, whilst providing a good degree of efficiency, simple electronic signature solutions don’t really cover one very important aspect of a signature — the link to a real person behind it. Let’s have a closer look.
Here are the key attributes of a reliable method of showing intent, without which the method should not be used for any material transactions.
1. Representability — the ability to represent the signing person. A handwritten signature on a contract is always there as long as the paper is intact and it is very conveniently representable. Similarly, a banking payment transaction is also easily representable from bank statements, although slightly more cumbersome.
2. The act of signing should clearly show the intent to carry the obligations and rights included in the related content. While a signature does not clearly state for example “I agree to be responsible of the obligations set to me in this contract”, the principle of common practice is involved. In other words, something that is commonly accepted by the majority of people in the relevant group, is considered lawful. The fact that one’s signature expressively indicate the intent to be responsible, is just common practice. When we talk about a banking transaction, this comes from a logical connection, IF the transaction is made by the same person who is supposed to do that according to the terms. Most of simple electronic signature services use one step verification, usually a password. In many cases emails and accounts based on passwords authenticate automatically. This opens up many attack vectors to identity theft and many possibilities for a person to deny giving the signature by himself/herself.
3. Connection to the signed content beyond reasonable doubt. Handwritten signatures are usually placed in the corresponding place in the document, so there is no confusion about what the signature was meant for. In a payment though, if the statement has date and amount of a transaction and more importantly the description referring to the contract or to the bill that was made based on the contract, then there is no reasonable doubt to what content this action was connected to. Although, the other party must have proof that the person who transacted the money proving intent has previously seen the referred document and that the transaction refers to that particular one.
4. Link to a real person showing intent. This refers to the creation of a strong digital identity backed up by an identity verification process carried out by a trusted body, and is proving to be the most challenging one. With handwritten signatures, a signature sample is routinely added to one’s passport, so checking the signatory’s passport helps making sure that the person is not doing a random scribble in the signature field. However, there are no guaranteed methods of verifying a handwritten signature other than comparing it with a sample. Meantime, further below we will describe the digital signature approach which creates a strong technical link connecting the signature to the physical person.
Finally, all these elements must exist in a form of proof at the possession of the counterparty to the person who signed.
Simple electronic signature services have been able to fulfill the key requirements #1 and #2, and provide satisfactory solutions for #3 by applying elements of digital signature approach. However, classical solutions such as DocuSign, HelloSign, AdobeSign etc are still substantially lacking on the #4th element of intent, making their services too weak for use in any material transactions. In practice, the coverage of the #4th element is sometimes achieved by manually checking identity, or by referring to 3rd party services, which obviously adds complexity to the signature process. Meantime, today’s technology allows creating a reliable chain of trust to a trusted source of identity verification.
Digital signatures aka advanced electronic signatures
Proper implementation of a digital signature, which seemingly in the EU is referred to as an advanced electronic signature (eIDAS Article 26), helps improve upon simple electronic signatures in two crucial aspects:
- reliably linking the signature to a real person (as opposed to just an abstract email address),
- and securing the document’s integrity in such a way that the signed content can always be verified and any subsequent change to the signed content is noticeable.
We will go further and suggest that to address one of the weaknesses of the existing systems and future-proof a signature it is also crucial to ensure that:
- even if the service provider ceased to exist, the chain of trust still independently remains as a tool for validating the signature.
Implemented this way, digital signature provides a higher degree of security and carries full provenance of signing intent in itself.
Let’s now look at how digital signatures implement the key attributes of a reliable method of showing intent.
1. Representability. The data embedded in the digital signature carries the identification information about the owner/signing person.
2. The act of signing will clearly show the intent because a digital signature can’t be issued by accident, as the owner has to consciously follow the signing procedure (e.g. enter their signature pin code) which amounts to a conscious act.
3. Connection to the signed content beyond reasonable doubt. One major advantage of digital signatures is achieved on this front through the use of cryptography and signer’s cryptographic keys to secure the document’s integrity in such a way that any change to the content subsequent to signing is detectable.
4. Link to a real person showing intent. Another major advantage comes through the ability to use cryptography and cryptographic keys to secure the identity information about the owner of the keys in such a way that it is protected from forging and can always be verified by counterparties. It is important to note that the cryptographic link to a person must trace back to the session of identity verification, which verifies the physical being of the person, the valid government issued identification document of this person, and that the person did the verification while being aware of what they were doing and what the consequences are.
Worth noting that a digital signature with the above capabilities satisfies all requirements of the legal framework to equate it to a handwritten signature.
Qualified signatures
There is a high interest in adopting digital signatures in public services. To address public services requirements, eIDASArticle 27 introduces advanced electronic signatures (we call them digital) based on qualified certificates (see eIDAS Article 28), aka qualified electronic signatures. In a nutshell, a qualified electronic signature means that the identity of a person has been previously verified by a qualified trust service provider in compliance with national laws of the member state:
- through the signatory being physically present,
- or through electronic identification means that comply with national laws and eIDAS Article 24,
- or by using other identification methods recognised at national level which provide equivalent assurance in terms of reliability to physical presence (eIDAS Article 24).
The key point here is that for a valid qualified certificate, the issuing qualified trust service provider certifies that the signature belongs to the claiming person.
Although this seems to set the requirements for identity and signature services for use in the public sector, it would be ideal if the same requirements are followed in the private sector as well. A service that complies to the requirements mentioned above is at the pinnacle of trustability amongst ID and electronic signature services.
Thereby, the classical approach implies a network of qualified trust service providers with a chain of certificates and a hierarchy of supervision. Whilst the classical approach is challenged by various initiatives such as Open Identity Exchange, the fundamental definition of a digital signature still stands.
Estonian example of Qualified electronic signatures
Estonia has been the front-runner in the most profound eID and e-signature services. There are currently 3 different models working in the country: smart card based, SIM-card based and smartphone application based. All of these models qualify to the maximum requirements of eIDAS. Estonia has shown on the regional level that it is possible to provide eID and e-signature services that comply to the highest standards, making no compromises in usability or user experience.
Conclusions
To summarise, following the requirements put down by the EU eIDAS regulation, it is possible to implement a digital signature service which is very convenient to use, highly secure and legally strong. There is no reason to use any services that compromise on security and trust any more.
