What is an Electronic Signature and a Digital Signature?
What is a digital signature? What is an electronic signature? How do they work? Why do companies use electronic signatures? The following FAQ (Frequently Asked Questions) addresses both the business and technology aspects of digital and electronic signatures.
Digital signature solutions can automate your formal approvals affordably, allowing you to go paperless, cut costs and expedite your business processes.
Electronic and Digital Signature FAQ
A digital signature (standard electronic signature) takes the concept of traditional paper-based signing and turns it into an electronic "fingerprint." This "fingerprint," or coded message, is unique to both the document and the signer and binds the two together. Digital signatures ensure the authenticity of the signer. Any change made to the document after it has been signed invalidates the signature, thereby protecting against signature forgery and information tampering. As such, digital signatures help organizations sustain signer authenticity, accountability, data integrity and the non-repudiation of signed electronic documents and forms.
Watch a video to see how a digital signature works.
An electronic signature can be as basic as a typed name or a digitized image of a handwritten signature. Consequently, e-signatures are very problematic with regards to maintaining integrity and security, as nothing prevents one individual from typing another individual's name. Due to this reality, an electronic signature that does not incorporate additional measures of security (the way digital signatures do, as described above) is considered an insecure way of signing documentation.
A digital signature, often referred to as advanced or standard electronic signature, falls into a sub-group of electronic signatures that provides the highest levels of security and universal acceptance. Digital signatures are based on Public Key Infrastructure (PKI) technology, and guarantee signer identity and intent, data integrity, and the non-repudiation of signed documents. The digital signature cannot be copied, tampered with or altered. In addition, because digital signatures are based on standard PKI technology, they can be validated by anyone without the need for proprietary verification software. On the other hand, an electronic signature is a proprietary format (there is no standard for electronic signatures) that may be a digitized image of a handwritten signature, a symbol, voiceprint, etc., used to identify the author(s) of an electronic message. An electronic signature is vulnerable to copying and tampering, and invites forgery. In many cases, electronic signatures are not legally binding and will require proprietary software to validate the e-signature.
It is estimated that every year, 30 billion paper documents are copied or printed by US companies. When factoring the costs of copying, scanning, archiving, routing, and retrieving lost documents, each paper-based signature is estimated to cost $6.50. The average authorized employee signs 500 documents a year at a total cost of $3,250. Organizations are implementing digital signature solutions to:
- Automate and expedite business processes
- Cut operational costs
- Improve efficiency and collaboration
- Address legal compliance and limit liability
- Go green
Calculate the return on investment of implementing a digital signature solution in your organization by downloading our digital signature ROI whitepaper and Excel spreadsheet.
Many processes require formal authorizations or approvals. Often times, the number of signature-dependent processes within an organization or department is higher than many realize. By implementing digital signatures, organizations are able to significantly shorten process times while cutting costs and improving collaboration and efficiency.
The table below highlights some signature-dependent processes and documents:
| Category | Documents |
|---|---|
| Executive Management / Board Documents | Board Actions, Corporate Communications and Public Reports, Investor Relations, SEC Documents |
| | Employee Actions, Employee Benefit Changes, Employee On-Boarding Documents, Employee Time Sheets, Employee Training Acknowledgements, Periodic Forms, Performance Reviews, Insurance Claims |
| | Contracts, Agreements, Work Orders, Master Service Agreement Forms, and Sub-contractor Agreements |
| | Lease Agreements, Loan Agreements, Expense Reports & Reimbursement Approvals, Invoices, Tax Filings, Financial Spreadsheets (Data Collection and Aggregation), Disbursements (Check, Wire Transfer Orders, and ACH Transactions), Journal Entries related to Accounting and General Ledger, Purchase Requests, Gift Records |
| Customer Service Documents | Customer service change orders |
| | Purchase Orders, Contracts with subcontractors |
| | Sale Proposals, Point of Sale/Service, Contracts with clients |
| | Applications, Submissions, etc. |
| | QC Documents, Standard Operating Procedures, Policies, Work Instructions, and Training Documents, Test Procedures, Field Service, Maintenance, and Calibration Reports |
| Other Industry Specific Documents | Designs, Drawings, Plans, Manufacturing Instructions and Reports, HIPAA patient and consent forms, Medical Records, Clinical Documentation, Lab Reports, and Certificates of Analysis |
Using Bob and Alice, we can illustrate how a digital signature (standard electronic signature) is applied and verified.
From Bob's perspective, the signing operation can be as simple as a click of a button. But several things happen with that one click:
Step 1: Getting a Private and Public Key
In order to digitally sign a document, Bob needs to obtain a private and public key, which is a one-time process. The private key, as the name implies, is not shared and is used only by the signer. The public key is openly available and used by those that need to validate the signer's digital signature.
Step 2: Signing an Electronic Document
- Initiate the signing process - Depending on the software used, Bob needs to initiate the signing process (e.g., by clicking a "Sign" button on the software's toolbar).
- Create a digital signature - A unique digital fingerprint of the document (sometimes called a message digest or document hash) is created using a mathematical algorithm (such as SHA-1). Even the slightest difference between two documents would create a separate digital fingerprint of each.
- Append the signature to the document - The hash result and the user's digital certificate (which includes the user's public key) are combined into a digital signature (by using the user's private key to encrypt the document hash). The resulting signature is unique to both the document and the user. Finally, the digital signature is appended to the document.
Bob sends the signed document to Alice. Alice uses Bob's public key (which is included in the digital certificate) to authenticate Bob's signature and to ensure that no changes were made to the document after it was signed.
Step 3: Validating a Digital Signature
- Initiate the validation process - Depending on the software used, Alice needs to initiate the validation process (e.g., by clicking a "Validate Signature" menu option or toolbar button in the software).
- Decrypt the digital signature - Using Bob's public key, Alice decrypts his digital signature and recovers the original document fingerprint (the hash that was computed when the document was signed).
- Compare the document fingerprint with her calculated one - Alice's software then calculates the hash of the received document and compares it with the original document hash (from the previous step). If they are the same, the signed document has not been altered.
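The three steps above, as an added Go example that is not code from the page or from CoSign: Step 1 generates Bob's key pair, Step 2 hashes the document and signs the hash with the private key, Step 3 recomputes the hash on the receiving side and checks it against the signature, which fails once a single bit of the document is changed. The page names SHA-1 as the hash; SHA-1 is no longer acceptable for signatures, so the example uses SHA-256 with RSA PKCS#1 v1.5, and the SignedDocument envelope (with the public key standing in for the certificate) is this example's own assumption, not a standard format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is the "signature appended to the document" of Step 2. The layout is an
// assumption of this example, not a real file format; PublicKey stands in for the certificate.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	PublicKey *rsa.PublicKey
}

// GenerateKeyPair is Step 1: Bob's one-time creation of a private/public key pair.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is Step 2: hash the document, sign the hash with the private key, append the result.
func Sign(priv *rsa.PrivateKey, content []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(content) // the document "fingerprint"
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: append([]byte(nil), content...), Signature: sig, PublicKey: &priv.PublicKey}, nil
}

// Verify is Step 3: recompute the fingerprint of what was received and check it against
// the signature using the public key. Any change to Content or Signature makes this false.
func Verify(doc *SignedDocument) bool {
	digest := sha256.Sum256(doc.Content)
	return rsa.VerifyPKCS1v15(doc.PublicKey, crypto.SHA256, digest[:], doc.Signature) == nil
}

func main() {
	priv, _ := GenerateKeyPair()                                                  // error handling omitted in this demo
	doc, _ := Sign(priv, []byte("Purchase order PO-0001: 40 units at $12.50")) // constructed sample document
	fmt.Println("original verifies:", Verify(doc))                                // true
	doc.Content[0] ^= 0x01                                                        // one bit flipped in the received copy
	fmt.Println("tampered verifies:", Verify(doc))                                // false
}
```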
There is yet another factor involved. How can Alice know whether Bob is indeed the same person she intends to conduct business with? Bob needs to be certified by a trusted third party that knows him and can verify that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CA). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives at a foreign country, there is no practical way to authenticate the traveler's identity. Instead, the immigration policy is to trust the passport issuer (in PKI terminology, this is the CA) and use the passport to authenticate its holder in the same way that Alice uses the CA's certificate for authenticating Bob's identity.
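Alice's "passport issuer" check from the paragraph above, as an added Go example that is not the page's or CoSign's code: a trusted CA issues Bob's certificate, Alice's trust store contains only that CA, and a certificate for "Bob" issued by a CA she has never heard of is rejected even though the name matches. The CA names, the issue helper and the 24-hour validity window are assumptions of the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue binds cn to key's public key in a certificate signed by (parent, parentKey); parent == nil means self-signed (a root CA). Panics on error (demo).
func issue(cn string, usage x509.KeyUsage, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0, // only a CA may sign certificates
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above, so it parses
	return cert
}

// Trusted is Alice's check: does the signer's certificate chain to a CA in her trust store?
func Trusted(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario: Bob's certificate from the CA Alice trusts vs. a "Bob" certificate from a CA she does not.
func Scenario() (bobOK, impostorOK bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := issue("Example Trusted CA", x509.KeyUsageCertSign, caKey, nil, nil)
	bob := issue("Bob", x509.KeyUsageDigitalSignature, bobKey, ca, caKey)
	rogueCA := issue("Rogue CA", x509.KeyUsageCertSign, rogueKey, nil, nil)
	impostor := issue("Bob", x509.KeyUsageDigitalSignature, bobKey, rogueCA, rogueKey) // same name, wrong issuer
	roots := x509.NewCertPool() // Alice's trust store: the "passport issuers" she accepts
	roots.AddCert(ca)
	return Trusted(bob, roots), Trusted(impostor, roots)
}
```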
Learn about digital certificates, how they work and why companies use them in the Digital Certificates FAQ. The FAQ addresses both business and technology aspects of digital certificates.
Yes. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN"), which made signed electronic contracts and documents as legally binding as a paper-based contract.
Today, digital signature (standard electronic signature) solutions carry recognized legal significance, allowing organizations to comply with regulations worldwide. Learn more about digital signature regulations and legislation.
The average e-signature user signs just over 2 documents per workday, or 500 documents per year (based on CoSign customer usage statistics). These numbers equal a usage reduction of half of a tree, ¾ of a barrel of oil, and 150 pounds of carbon emissions per signer, per year.
Important milestones in the acceptance of digital signature (standard electronic signature) solutions into business practices took place in 1999 and 2000, when the EU passed the "EU Directive for Electronic Signatures" and President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN").
Furthermore, legal precedents are being established that confirm the validity of electronic documents and contracts. Here are a few examples:
- Cloud Corp. v. Hasbro Inc., 314 F.3d 289 (7th Cir. 2002) - electronic documentation satisfied the Statute of Frauds.
- Sea-Land Service, Inc. v. Lozen International, LLC, 285 F.3d 808; 2002 WL 496943 (9th Cir. 2002) – ruled that an internal company e-mail was admissible evidence.
- Moore v. Microsoft Corp., 741 N.Y.S.2d 91 (April 5, 2002) – By clicking “I agree,” the terms of the End User License Agreement were valid and binding.
Nicholas Leeson forged handwritten signatures of his boss and caused the collapse of Barings Bank, the United Kingdom's oldest investment bank. While both handwritten and digital signatures (standard electronic signatures) are legally binding, only digital signatures ensure the non-repudiation of documents.
Yes. Standard digital signatures “seal” documents:
- Providing evidence of user identity
- Guaranteeing data integrity
- Ensuring the non-repudiation of signed electronic documents
- Complying with regulations
For additional information, please see How safe are digital signatures vs. handwritten signatures? (above)
The following are some considerations that should be taken into account when choosing a digital signature solution that will maximize the business benefits of moving to a paperless environment:
- Seals the document: Some solutions offer a non-standard electronic signature that can be tampered with and that is not legally binding. It is best to choose a solution that is based on Public Key Infrastructure technology, thereby guaranteeing document integrity and legal compliance.
- Compliance: Review the regulations within your industry, ensuring that the electronic signature solution addresses all industry requirements.
- Multiple Application Support: Some solutions offer electronic signature support for Microsoft® Word or PDF documents only. Find a solution that supports all applications in order to address current and future business requirements.
- Transportability: Ensure that the electronic signature is part of the document and that the signed documents may be validated by an outside user without having to install a proprietary software application.
- Graphical Signature Support: Although graphical signatures are not technically or legally mandated, a graphical e-signature has the psychological benefit of easing the transition to a paperless environment, because the e-signature on the electronic document appears as it would on a paper document.
- Seamless User Registration: Ask the vendor how users are enrolled and how changes to user information are updated. Many electronic signature solutions require a new user to go through a complex software “wizard” or go through several steps to enroll or update their information. For fast rollout and easy adoption within the organization, registration should be transparent to the user.
- Multiple Signatures on the Same Document: Some electronic signature solutions allow for only one e-signature on a document. Look for a solution that can support multiple signatures on the same document.
- Simple to Use: Some electronic signature solutions require multiple steps to e-sign a document. It should only take 1 or 2 mouse clicks to ensure that the document is sealed and legally enforceable.
- Zero IT Management: The electronic signature solution should be operational as soon as it is deployed. Help desk and IT support should be minimal.
- Low Total Cost of Ownership: Remember to account for initial cost, deployment, support, digital certificates (which may be a recurring annual cost) and development for the applications that require electronic signatures.
Please reference How to Choose the Best Electronic Signature Software for more detailed information on choosing the best e-signature solution for your business.
Public Key Infrastructure (PKI) is the basis for the digital signature (standard electronic signature) today. PKI provides each user with a pair of keys, a private key, and a public key, used in every signed transaction. The private key, as the name implies, is not shared and is used only by the signer to electronically sign documents. The public key is openly available and used by those that need to validate the signer’s electronic signature. PKI encompasses different components which include a Certificate Authority (CA), end-user enrollment software, and tools for managing, renewing, and revoking keys and certificates.
Qualification as an SSCD is necessary for a digital signature (standard electronic signature) solution to comply with the EU Directive for Electronic Signatures. An SSCD is defined by the EC Directive 99/93 on Electronic Signatures as follows:
Secure signature-creation devices must, by appropriate technical and procedural means, ensure:
- The signature-creation data used for signature generation can occur only once, and that their secrecy is reasonably assured.
- The signature-creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology.
- The signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
- Secure signature-creation devices must not alter data to be signed or prevent such data from being presented to the signatory prior to the signature process.