How trust works online - verified digital signatures

The last article explained the mechanics of legally valid and provable consent by electronic means. However, the methods explained in the previous article require diligence from the parties to make sure that the consent is legally solid and representable. Current article explains technological methods, that assure trust by default. I must mention right away, this article is not meant to be deeply technological, thus some use of terminology can be arguable in scientific context.

Speed up e-signature processes with Agrello
Get started

14-day free trial. No credit card needed!

Try Agrello free for 14 days

Asymmetric cryptography for digital signing

The most important elements of trustworthy consent are representable proof of what was signed and who was behind the signature action. There are systems out there which are built to provide rock-solid information about just that. The intent there is that when a signature is challenged in court, then one party does not have to provide extra proof of consent anymore but the opposite side has to prove that he or she did not give consent to the challenged agreement.

This systems are enabled by some very clever mathematics. The field that harnesses this in cyber-trust and cyber-security is called cryptography. To create trust online, the most dominant cryptographic method is asymmetric cryptography or public-key cryptography. The implementations of this method can use very different mathematics (e.g RSA, ECDSA) but asymmetric cryptography has enabled digital signing and secure use of the internet.

What is asymmetric cryptography? While the details of this need further explaining than just a blog post, the idea is simple. I think it would be more fun explaining it out of ICT context.

Imagine that you have a treasure chest. You have two keys to the chest, but once you lock the chest with one of the keys, you would need the other one to unlock it. This situation opens up new possibilities. Here is an example:

You can put a message in the chest like “Hi, I am Hando” and then lock it with one of the keys. Then you can send the chest with the other key to your friend. Once your friend unlocks this chest and reads the message, then he can be sure that it was opened with your key, therefore the message came from you.  It is similar in digital signing, whereby you share a locked message together with the key which can be used to unlock the message making sure it was you sending the message. In technological terms one key that is shared is called a public key and the other one that is not shared is a private key. This is a very general illustration of how public key infrastructure (PKI) works.

This is also how creating a secure digital signature with Agrello works. However, there is more to that because your friend should somehow also be sure that the public key that is shared is actually your public key.

Identity Verification

How to link a public key to your real self? That link is created by also using similar digital signing technologies. Once the public key is generated (happens simultaneously with private key generation), then an organization that verifies your real personal identity (physically in an office or by online tools), creates something called a public certificate. Certificate is a package of information that includes the public key and personal details like name, birth date and usually an ID document number or personal identity number. To trust that the certificate is valid, the organization that has done the identity verification signs it with the organization’s signature private key that matches with a publicly available public key of the organization (the latter is called a root certificate). The organization that signs the certificate is called a certificate authority (CA), which usually also acts as a trust service provider (TSP), who is behind actual person verification process. TSP can also be a separate entity that collaborates with the CA.

This covers the chain of trust. Once you sign something by PKI, the one who needs the signature by you, receives all information needed to validate the signature together with the signature. This is the hash of the document, hashing and signature algorithm references, your public certificate with the public key and information about the issuer of the certificate (TSP, CA). The root certificate to check the validity of your certificate can usually be found online.

The nice thing is that once the root certificate is online, then the signatures and personal public certificates do not have to be stored online at all, because with the root certificate at hand, the validity of the signature can be traced back to the root certificate completely offline and theoretically even by manual calculations. Though, manually calculating a PKI signature validity is mostly an unnecessary feat, as the hashing and signing algorithms are supposed to be standard and the software for signature validation is obtainable from several sources online.

Private key protection

To close the loop of trust, there is still one more thing that holds it all together. The security of your private key, that is used for signing. There is no single standard way of securing the private key. However, there still are some standard solutions. The most prevalent method is a physical chip that is possessed by the owner of the signing certificate. Commonly it is embedded into a plastic card, and ID card for example in several countries around Europe. In Estonia, the chip is also embedded into mobile SIM-cards, issued by mobile carriers, which is called the Mobile-ID. The chip can also be embedded in a USB-stick or into a device. Currently one third of smartphones sold have the chip or hardware security module (HSM) embedded.

Recently a new wave of interesting private key protection technology has started to appear. Estonian Cybernetica has developed a new form of server supported signature technology, which is currently in use all over the Baltic nations in the Smart ID product for signing and logging into banks and other
e-services. This harnesses a method of sharing the private key between a server and the device. This brings with it the benefit of not needing a secure chip or HSM in the device, but instead relying on the security of the server, which preferably uses an HSM by itself. This method uses extremely complex mathematics and is complemented by several extra components like syncing and clone detection.

Smart ID has been a life-changer in the the Baltics. We in Agrello wish to promote and spread such technologies globally. Check out our signature solutions with different options to assure security at www.agrello.id.

I hope I have well covered how verified digital signing works. While going through the topic I used the guidance of Article 26 of the EU eIDAS regulation which stipulate the requirements for advanced electronic signatures followed by all accredited EU certificate authorities:

”An advanced electronic signature shall meet the following requirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and

(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.”

Speed up e-signature processes with Agrello
Get started

14-day free trial. No credit card needed!

Try Agrello free for 14 days
March 31, 2024
Finding a happy path: When simple e-signing solutions fall short but enterprise solutions seem overkill
Clock icon
Reading time about
3
min
Find out what are the levels of digital signatures according to EIDAS and which methods of signing are supported on Agrello platform. Find out what are the levels of digital signatures according to EIDAS and which methods of signing are supported on Agrello platform.
March 3, 2022
What level signatures can you give on Agrello platform?
Clock icon
Reading time about
1
min
What to take into account when choosing Between Free and Paid E-Signature Tools: A ComparisonWhat to take into account when choosing Between Free and Paid E-Signature Tools: A Comparison
February 8, 2024
Choosing Between Free and Paid E-Signature Tools: Which Way To Go?
Clock icon
Reading time about
7
min
In this article we give an overview of how the signing process has changed over time. In this article we give an overview of how the signing process has changed over time.
September 15, 2023
The Evolution of Signing Processes: From Paper to Digital Signatures
Clock icon
Reading time about
5
min
In this article, we will highlight the importance of understanding a contract before signing and discuss the common risks involved.In this article, we will highlight the importance of understanding a contract before signing and discuss the common risks involved.
July 7, 2023
Signing a Contract Without Understanding It: A Guide for Savvy Professionals
Clock icon
Reading time about
7
min
In this article we will focus on different type of signatures and highlight some ways how you can seal your contracts with ease.In this article we will focus on different type of signatures and highlight some ways how you can seal your contracts with ease.
July 6, 2023
The Art of Contract Signing: Sealing the Deal with Ease
Clock icon
Reading time about
6
min
In this post we will explore the broad strokes of e-signatures, and how they can fit into your business processes.In this post we will explore the broad strokes of e-signatures, and how they can fit into your business processes.
July 4, 2023
Harnessing E-Signatures for a Smooth Operational Flow
Clock icon
Reading time about
4
min
Learn what PAdES signature is, how it works and how to use it to securely sign your PDF-documents. Learn what PAdES signature is, how it works and how to use it to securely sign your PDF-documents.
April 18, 2023
Secure Your PDF Documents with PAdES Signatures
Clock icon
Reading time about
10
min
Discover how Workspaces can help you and your team collaborate more efficiently, streamline tasks, and manage projects from start to finish. Discover how Workspaces can help you and your team collaborate more efficiently, streamline tasks, and manage projects from start to finish.
February 13, 2023
Workspaces for more efficient teamwork
Clock icon
Reading time about
4
min
Looking back at the year 2022, what big events and changes happened? Read on to find out the highlights of the year 2022 and what happened globally. Looking back at the year 2022, what big events and changes happened? Read on to find out the highlights of the year 2022 and what happened globally.
December 23, 2022
Year 2022 in review
Clock icon
Reading time about
4
min
Learn how a digital contract signing platform can help increase productivity for SMEs. Find out how to take advantage of this technology.Learn how a digital contract signing platform can help increase productivity for SMEs. Find out how to take advantage of this technology.
November 25, 2022
Ways to increase SME productivity with a contract signing platform
Clock icon
Reading time about
5
min
Loe lähemalt, kui lihtne ja mugav on digitaalne allkirjastamine Agrello platvormil peale viimaseid uuendusi. Loe lähemalt, kui lihtne ja mugav on digitaalne allkirjastamine Agrello platvormil peale viimaseid uuendusi.
October 21, 2022
Muudame allkirjastamise veel kiiremaks
Clock icon
Reading time about
4
min
Agrello just made signing documents easier and faster by introducing an improved signing experience. Agrello just made signing documents easier and faster by introducing an improved signing experience.
October 21, 2022
Signing experience just got better
Clock icon
Reading time about
4
min
Agrello and PDFTron have joined forces to bring you improved PDFs with more features and easy digital signing options.Agrello and PDFTron have joined forces to bring you improved PDFs with more features and easy digital signing options.
March 1, 2022
Agrello + PDFTron: your PDFs just got better
Clock icon
Reading time about
15
min
Agrello is now offering qualified electronic signatures to its users, allowing them to sign legally binding documents online. Discover all the benefits of this service and find out how it can help you streamline your business processes.Agrello is now offering qualified electronic signatures to its users, allowing them to sign legally binding documents online. Discover all the benefits of this service and find out how it can help you streamline your business processes.
February 23, 2022
Qualified electronic signatures now on Agrello
Clock icon
Reading time about
10
min
Read about data-rich signatures and signature meta-data on Agrello platform. Read about data-rich signatures and signature meta-data on Agrello platform.
August 6, 2021
Agrello web app 3.3: Data-rich digital signatures
Clock icon
Reading time about
4
min
E-mail is an essential tool for businesses, but it also comes with some risks. Find out if it is time to switch to a safer communication system.E-mail is an essential tool for businesses, but it also comes with some risks. Find out if it is time to switch to a safer communication system.
May 13, 2021
Should businesses stop using e-mail?
Clock icon
Reading time about
5
min
Learn how to manage your online presence, from creating an online identity to navigating the digital world with tips and advice from Agrello. Learn how to manage your online presence, from creating an online identity to navigating the digital world with tips and advice from Agrello.
March 11, 2021
Managing our online existence
Clock icon
Reading time about
7
min
Discover how trust works online and the legal basis of e-signatures. Learn about the importance of digital contracts and how to use them.Discover how trust works online and the legal basis of e-signatures. Learn about the importance of digital contracts and how to use them.
February 11, 2021
How trust works online - legal basis of e-signatures
Clock icon
Reading time about
5
min
Find out what a digital identity is and how it differs from digital persona.Find out what a digital identity is and how it differs from digital persona.
January 28, 2021
Understanding our digital existence: digital identity versus digital persona
Clock icon
Reading time about
10
min
We are proud to announce that Toomas Pihl has been appointed as Agrello's new CEO.We are proud to announce that Toomas Pihl has been appointed as Agrello's new CEO.
April 27, 2020
Welcome the new CEO Toomas Pihl
Clock icon
Reading time about
9
min
Agrello is providing a comprehensive solution for digital identity and agreements. Get an overview of the changes and how they will benefit users.Agrello is providing a comprehensive solution for digital identity and agreements. Get an overview of the changes and how they will benefit users.
April 15, 2020
Winds Of Change In Agrello
Clock icon
Reading time about
5
min

Want to know whether Agrello fits you?

Get in touch with us.  Let’s discuss your needs and see how Agrello matches those.
Harry Käsk
Harry Käsk

Soovid teada, kas Agrello vastab sinu vajadustele?

Proovi 14 päeva tasuta, ilma et peaksid midagi maksma või krediitkaarti sisetama. Küsimuste korral võta julgelt ühendust.
Laura Findley
Laura Findley
Harry Käsk
Harry Käsk