
Digital Signatures FAQ

What is a digital signature? How does it work? Who implements them, and how? The following FAQ (Frequently Asked Questions) on electronic signatures addresses both the business and technology aspects of digital and electronic signatures.

» What is a digital signature?
» What is the history behind digital signatures?
» What is PKI?
» What is the difference between digital signatures and electronic signatures?
» Why do companies adopt digital signature solutions?
» Does a digital signature really seal an electronic document?
» How do I choose a digital signature solution?
» How safe are digital signatures vs. handwritten signatures?
» Are digital signatures legally binding?
» What legislation and regulations define the legality of digital signatures?
» What is a Secure Signature-Creation Device (SSCD)?
» Have there been legal cases for the acceptance of digital signatures?
» How do digital signatures work?
» Glossary
» My question is not listed in the digital signatures FAQ. Who should I contact?
     

General

Q. What is a digital signature?

Digital signatures (standard electronic signatures) take the concept of traditional paper-based signing and turn it into an electronic "fingerprint." This "fingerprint," or coded message, is unique to both the document and the signer and binds the two together. The digital signature lets a recipient verify the authenticity of the signer. Any change made to the document after it is signed causes the signature to fail verification, thereby protecting against signature forgery and information tampering. Digital signatures help organizations sustain signer authenticity, accountability, data integrity and non-repudiation of electronic documents and forms.


Q. What is the history behind digital signatures?

For centuries, signatures have been the most accepted means of authentication. Roman law recognized a combination of seals and signatures as the primary means of authenticating documents and legal contracts. Electronic communication began in the 1830s with the invention of the telegraph and Morse code, and courts later came to accept telegraphed messages as carrying valid "electronic" signatures.

But it was the introduction of public key cryptography by Whitfield Diffie and Martin Hellman in 1976 that established the first practical method of distributing cryptographic keys over an unprotected public network. The same work introduced the idea of a digital signature, and the RSA algorithm published by Rivest, Shamir and Adleman in 1978 provided the first practical scheme for producing one.


Q. What is PKI?

Public Key Infrastructure (PKI) is the basis for digital signatures (standard electronic signatures) today. PKI provides each user with a pair of keys, a Private Key and a Public Key, used in every signed transaction. The Private Key, as the name implies, is not shared and is used only by the signer to create signatures. The Public Key is openly available and is used by those who need to validate the signer's digital signature. A digital certificate issued by a Certificate Authority binds the Public Key to the signer's identity, so that a verifier can trust that the key really belongs to the person named in it. PKI encompasses different components, which include a Certificate Authority (CA), end-user enrollment software, and tools for managing, renewing, and revoking keys and certificates.


Q. What is the difference between digital signatures and electronic signatures?

Digital signatures are based on Public Key Infrastructure (PKI) and are the result of a cryptographic operation that provides signer authenticity, data integrity and non-repudiation of signed documents. The signature value is bound to both the document and the signer's key: it cannot be altered without detection, and copying it onto another document, or changing the signed document, makes verification fail. In addition, because they are based on standard PKI technology, signatures made within one application (e.g. Microsoft Word, Adobe PDF) can be validated by anyone else using that application or any other standards-compliant verifier, without depending on the signing vendor. An electronic signature, on the other hand, is any electronic data, such as a digitized image of a handwritten signature, a symbol, a voiceprint, etc., that identifies the author(s) of an electronic message; there is no single standard for it, and the format is usually proprietary. Such signatures can be copied from one document to another and carry no cryptographic check that the content was not altered, so forgery is easy to commit and hard to disprove. In many cases their evidentiary value is weaker, and they require the vendor's proprietary software to validate.


Q. Why do companies adopt digital signature solutions?

It is estimated that 30 billion paper documents are copied or printed by US companies annually. When copying, archiving and the time spent locating documents are factored in, the cost of each document can reach $60-$120. Reducing paper is only one reason to adopt digital signature (standard electronic signatures) solutions. Organizations are implementing standard digital signatures to:

» Address legal compliance and limit liability
» Reduce time and paper costs associated with paper-based processes
» Automate and expedite business processes
» Ensure document security when moving from paper to electronic documents


Q. Does a digital signature really seal an electronic document?
Yes. Standard digital signatures "seal" documents by:

» Providing evidence of user authenticity (verifies the signer’s identity)
» Guaranteeing data integrity (data has not been altered since the document was signed)
» Ensuring non-repudiation of signed electronic documents
» Complying with regulations

For additional information, please see "How safe are digital signatures vs. handwritten signatures?"


Q. How do I choose a digital signature solution?

What considerations should be taken into account when choosing a digital signature (standard electronic signature) solution that will maximize the business benefits of moving to a paperless environment?

  1. Seals the document: Some solutions offer weak, non-standard electronic signatures, which can be tampered with and are not legally binding. It is best to choose a solution that is based on digital signature technology (PKI – Public Key Infrastructure), thereby guaranteeing document integrity and legal compliance.
  2. Compliance: Review the regulations within your industry, ensuring the solution addresses all industry requirements.
  3. Multiple Application Support: Some solutions offer digital signature support for Word or PDF documents only. Find a solution that supports all applications in order to address current, as well as future, business requirements.
  4. Transportability: Ensure the digital signature is part of the document and that the signed documents may be validated by an outside user without having to install a proprietary software application.
  5. Graphical Signature Support: Although graphical signatures are not technically or legally mandated, a graphical signature has the psychological benefit of easing the transition to a paperless environment because the signature on the electronic document appears as it would on a paper document.
  6. Seamless User Registration: Ask the vendor how users are enrolled and how changes to user information are updated. Many solutions require a new user to go through a complex software “wizard” or go through several steps to enroll or update their information. For fast rollout and easy adoption within the organization, registration should be transparent to the user.   
  7. Multiple Signings on the Same Document: Some solutions allow for only one signature on a document. Look for a solution that can support your business logic and multiple signatures on the same document.
  8. Simple To Use: Some solutions require multiple steps to sign a document. It should only take 1 or 2 mouse-clicks to ensure that the document is sealed and legally compliant.
  9. Zero IT Management: The solution should be operational as soon as it is deployed. Help desk and IT support should be minimal.
  10. Low Total Cost Of Ownership: Remember to account for initial cost, deployment, help desk, digital certificates (which may be a recurring annual cost) and development of support for the applications that require signing.
     

Please reference “How to Choose the Best Electronic Signature Software” for more detailed information on choosing the best digital signature solution for your business.


Q. How safe are digital signatures vs. handwritten signatures?

Nicholas Leeson forged handwritten signatures of his boss and caused the collapse of Barings Bank, the United Kingdom's oldest investment bank. While both handwritten and digital signatures (standard electronic signatures) are legally binding, only digital signatures ensure non-repudiation of documents: verifying one is a cryptographic check against the signer's key rather than a visual comparison of pen strokes. For example, any change made to an electronically signed document is clearly indicated and immediately invalidates the signature, thereby protecting against forgery and tampering.


Q. Are digital signatures legally binding?

Yes. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN"), which made signed electronic contracts and documents as legally binding as a paper-based contract.

Today digital signatures (standard electronic signatures) carry recognized legal significance, allowing organizations to comply with regulations worldwide. Learn more about the laws passed regarding the use of digital signatures.


Q. What legislation and regulations define the legality of digital signatures?

In recent years, most countries worldwide have adopted legislation and regulations that recognize the legality of a digital signature (standard electronic signatures) and deem it a binding signature. And, regulations such as FDA 21 CFR Part 11 for the Life Sciences industry have also recognized digital signatures as a replacement for handwritten signatures.

Legislation

» U.S. - Electronic Signature in Global and National Commerce Act (ESIGN)
» U.S. - Uniform Electronic Transactions Act (UETA), adopted by 48 states
» U.S. - Digital Signature And Electronic Authentication Law (SEAL)
» U.S. - Government Paperwork Elimination Act (GPEA)
» U.S. - The Uniform Commercial Code (UCC)
» Canada - Uniform Electronic Commerce Act (UECA)
» UK - Electronic Communications Act 2000 (chapter 7)
» Europe - EU Directive for Electronic Signatures (1999/93/EC)
» Europe – EU VAT Directive
» China - Electronic Signature Law of the People's Republic of China

For additional information on other countries, visit the Digital Signature Law Survey.

Industry Regulations and Standards

» Life Sciences - FDA's 21 CFR Part 11
» Healthcare - Health Insurance Portability and Accountability Act (HIPAA)
» Homeland Security - Public Law 108-390
» Finance - Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley)
» Environmental - Cross-Media Electronic Reporting Regulation (CROMERR)
» Public Companies - Sarbanes Oxley Act of 2002
» BioPharma - Signatures and Authentication for Everyone (SAFE)
» Veterinary/Equine - USDA EIA (Coggins) Testing
» Aviation - FAA's CFR Title 14 - This includes support for: air carriers, operators, persons performing airmen certification, individuals performing maintenance or preventive maintenance, repair stations, and aviation maintenance technical schools.
» European Telecommunications Standards Institute (ETSI)
» ISO (9001:2000)


Q. What is a Secure Signature-Creation Device (SSCD)?

Under the EU Directive for Electronic Signatures (1999/93/EC), an electronic signature is given the same legal effect as a handwritten signature only when it is an advanced electronic signature based on a qualified certificate and created by a Secure Signature-Creation Device (SSCD). Qualification as an SSCD is therefore necessary for a digital signature (standard electronic signatures) solution to produce such "qualified" signatures. Annex III of the Directive defines the requirements as follows:

1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at least that:
   (a) the signature-creation data used for signature generation can practically occur only once, and that their secrecy is reasonably assured;
   (b) the signature-creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
   (c) the signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.

In practice these requirements mean that the signer's private key is generated and kept inside a tamper-resistant device such as a smart card, USB token or hardware security module, and never leaves it. The Directive has since been repealed by the eIDAS Regulation (EU) 910/2014, which carries the same concept forward under the name "qualified electronic signature creation device" (QSCD).


Q. Have there been legal cases for the acceptance of digital signatures?

Important milestones in the acceptance of digital signatures (standard electronic signatures) into business practices took place in 1999 and 2000 respectively, when the EU passed the “EU Directive for Electronic Signatures” and President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN").

Furthermore, legal precedents are being established that confirm the validity of electronic documents and contracts. Following are a few examples:

1. Cloud Corp. v. Hasbro Inc., 314 F.3d 289 (7th Cir. 2002) - electronic documentation satisfied the Statute of Frauds.
2. Sea-Land Service, Inc. v. Lozen International, LLC, 285 F.3d 808; 2002 WL 496943 (9th Cir. 2002) – ruled that an internal company e-mail was admissible evidence.
3. Moore v. Microsoft Corp., 741 N.Y.S.2d 91 (April 5, 2002) – By clicking “I agree,” the terms of the End User License Agreement were valid and binding.


Q. How do digital signatures work?

Using Bob and Alice, we can illustrate how standard digital signatures (standard electronic signatures) are applied and verified.
Step 1: Getting a Private and Public Key
In order to electronically sign documents with standard digital signatures, Bob needs to obtain a Private and Public Key pair, a one-time setup operation. The Private Key, as the name implies, is not shared and is used only by the signer to sign documents; it must be kept where only Bob can use it (see the SSCD question above). The Public Key is openly available and is used by those who need to validate Bob's digital signature; a Certificate Authority issues Bob a digital certificate that binds this Public Key to his identity (see Step 3).
Step 2: Signing an Electronic Document
From Bob's perspective, the signing operation can be as simple as a click of a button. But several things are happening with that one click:

1. Initiate the signing process - Depending on the software used, Bob needs to initiate the signing process (e.g. clicking a "Sign" button on the software's toolbar).
2. Hash the document - A unique digital fingerprint of the document (sometimes called a Message Digest or Document Hash) is created using a cryptographic hash function. Even the slightest difference between two documents produces a different fingerprint. This FAQ originally named SHA-1 as the example algorithm; SHA-1 is no longer considered collision-resistant, and SHA-256 or stronger should be used for new signatures.
3. Create and append the signature - The document hash is signed with Bob's Private Key (for RSA this is often described as "encrypting" the hash with the Private Key), producing a signature value that is unique to both the document and the signer. The signature value and Bob's digital certificate (which includes his Public Key) are then appended to the document.

Bob sends the signed document to Alice. Alice uses Bob's Public Key (included in the Digital Certificate that travels with the signature) to authenticate Bob's signature and to ensure that no changes were made to the document after it was signed. Alice:

1. Initiates the validation process - Depending on the software used, Alice needs to initiate the validation process (e.g. clicking a "Validate Signature" menu option or toolbar button).
2. Recovers the signed fingerprint - Her software applies Bob's Public Key to the signature value (for RSA, "decrypting" it), which yields the document fingerprint that Bob signed.
3. Compares fingerprints - Her software independently calculates the hash of the document it received and compares it with the fingerprint recovered in the previous step. If they match, the document has not been altered since Bob signed it, and the signature was made with the Private Key matching Bob's Public Key; if they differ, the signature is reported as invalid.

Step 3: Validating the Digital Signature

There is another factor still missing from this description. How can Alice know whether Bob is indeed the same person she intends to conduct business with, or even that it is really Bob? The Public Key alone proves only that whoever holds the matching Private Key signed the document. Bob needs to be certified by a trusted third party that has verified that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CA). A CA issues Bob a certificate that binds his Public Key to his identity and is signed with the CA's own key, so that anyone who trusts the CA can trust the binding. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives at a foreign country, there is no practical way to authenticate the traveler's identity directly. Instead, the immigration policy is to trust the passport issuer (in PKI terminology: the CA) and use the passport to authenticate its holder, in the same way that Alice uses the CA-issued certificate to authenticate Bob's identity. In practice Alice's software performs this check automatically: it verifies that Bob's certificate is signed by (or chains up to) a CA in her list of trusted CAs, that the certificate was valid at the time of signing and has not expired, that it has not been revoked by the CA (checked against the CA's Certificate Revocation List or an OCSP responder), and that it permits digital signing. A signature under a certificate that fails any of these checks should be treated as untrusted, even if the hash comparison in Step 2 succeeds.
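The whole procedure above (Bob's key pair and certificate from Step 1, hashing and signing in Step 2, Alice's hash comparison, and the CA trust check in Step 3), as an added example in Go using only the standard library. It is not code from the original page or from any ARX product. The CA, the names "Example Root CA", "Rogue CA" and "Bob", the purchase-order text and the validity periods are all constructed for the example, and SHA-256 with RSA PKCS#1 v1.5 is used in place of the SHA-1 mentioned in the FAQ. Three cases are verified: the genuine signed document, a copy of the document with one digit changed, and a signature from someone who presents a certificate that also says "Bob" but was issued by a CA Alice does not trust.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert generates a fresh RSA key pair and a certificate binding its public key to
// subject. parent/parentKey identify the issuing CA; a nil parent yields a self-signed root.
func issueCert(subject string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey, days int) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := parentKey
	if parent == nil { // self-signed root CA
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signDocument is Bob's Step 2: hash the document with SHA-256 (SHA-1 is no longer
// acceptable for signatures) and sign the digest with his private key (RSA PKCS#1 v1.5).
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifySignedDocument is Alice's complete check: the signer's certificate must chain to
// a CA in roots and be within its validity period, and the signature must verify over doc
// under the public key in that certificate. Revocation (CRL/OCSP) is not covered by
// x509.Verify and is a separate step in practice.
func verifySignedDocument(roots *x509.CertPool, signer *x509.Certificate, doc, sig []byte) error {
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // a signing cert, not a TLS server cert
	}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	// CheckSignature hashes doc itself and verifies it against the certificate's public key.
	if err := signer.CheckSignature(x509.SHA256WithRSA, doc, sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}

// scenario builds Alice's trust store (one CA), Bob's CA-issued certificate and a
// look-alike "Bob" certificate from a CA Alice does not trust, then verifies three cases:
// the genuine signed document, a tampered copy, and the look-alike's signature.
func scenario() (genuine, tampered, untrustedCA error) {
	doc := []byte("Purchase order 17: 200 units at 4.50 EUR each")     // constructed sample
	altered := []byte("Purchase order 17: 900 units at 4.50 EUR each") // one digit changed
	caCert, caKey := issueCert("Example Root CA", true, nil, nil, 365)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	bobCert, bobKey := issueCert("Bob", false, caCert, caKey, 30)
	sig, _ := signDocument(bobKey, doc)
	rogueCA, rogueKey := issueCert("Rogue CA", true, nil, nil, 365)
	malCert, malKey := issueCert("Bob", false, rogueCA, rogueKey, 30)
	malSig, _ := signDocument(malKey, doc)
	return verifySignedDocument(roots, bobCert, doc, sig),
		verifySignedDocument(roots, bobCert, altered, sig),
		verifySignedDocument(roots, malCert, doc, malSig)
}

func main() {
	genuine, tampered, untrustedCA := scenario()
	fmt.Println("genuine:     ", genuine) // <nil>
	fmt.Println("tampered:    ", tampered)
	fmt.Println("untrusted CA:", untrustedCA)
}
```

Run it with `go run .`; only the genuine case returns nil. The tampered copy fails at the hash comparison (Step 2), while the look-alike certificate fails before the signature is even examined, because its chain does not end at a CA in Alice's pool (Step 3). Two things a production verifier adds that this example leaves out are a revocation check (CRL or OCSP) for Bob's certificate and a trusted timestamp, so that the signature can still be validated after the certificate expires.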


Q. Glossary

For a complete glossary of digital signature-related terms, please click here.


Q. My question is not listed in the FAQ for electronic signatures. Who should I contact?

Please contact us with any questions you may have regarding digital and electronic signatures.

Learn more about the Cosign digital signature solution.


Digital Signatures & Electronic Signatures for E-Signature Solutions © 2008 ARX, All Rights Reserved.