
Electronic Signatures FAQ

What are electronic signatures? How do they work? Who is implementing them and how?  The following FAQ addresses both the business and technology aspects of electronic signatures.

» What are electronic signatures?
» Brief History of Electronic Signatures
» What is PKI?
» Standard vs. Proprietary Electronic Signatures
» Why do companies adopt electronic signature solutions?
» Does an electronic signature really seal an electronic document?
» Choosing an Electronic Signature Solution
» How safe are electronic signatures vs. handwritten signatures?
» Are electronic signatures legally binding?
» Electronic Signature Legislation & Regulations
» What is a Secure Signature-Creation Device (SSCD)?
» Legal Cases
» How do electronic signatures work?
» Glossary
» I couldn't find an answer to my question. Who should I contact?

General

Q. What are electronic signatures?

Electronic signatures take the concept of traditional paper-based signing and turn it into an electronic “fingerprint.” This “fingerprint,” or coded message, is unique to both the document and the signer and binds both of them together. The electronic signature ensures the authenticity of the signer. Any changes made to the document after it is signed invalidate the signature, thereby protecting against signature forgery and information tampering. Electronic signatures help organizations sustain signer authenticity, accountability, data integrity and non-repudiation of electronic documents and forms.


Q. Brief History of Electronic Signatures

For centuries, signatures have been the most accepted means of authentication. Roman law recognized a combination of seals and signatures as the primary source for authenticating documents and legal contracts. The 1830s saw the first signs of electronic communications and legally recognized “electronic” signatures with the invention of the telegraph and Morse Code.

But it was the introduction of public key cryptography by Martin Hellman and Whitfield Diffie in 1976 that established the first practical method of distributing cryptographic keys over an unprotected public network.


Q. What is PKI?

Public Key Infrastructure (PKI) is the basis for standard electronic signatures today.  PKI provides each user with a pair of keys, a Private Key and a Public Key, used in every signed transaction. The Private Key, as the name implies, is not shared and is used only by the signer to sign documents. The Public Key is openly available and used by those that need to validate the signer’s electronic signature. PKI encompasses different components which include a Certificate Authority (CA), end-user enrollment software, and tools for managing, renewing, and revoking keys and certificates.


Q. Standard vs. Proprietary Electronic Signatures

Standard electronic signatures (or digital signatures) are based on Public Key Infrastructure (PKI) and are the result of a cryptographic operation that guarantees signer authenticity, data integrity and non-repudiation of signed documents. A standard electronic signature cannot be copied, tampered with or altered. Because they are based on standard PKI technology, signatures made within one application (e.g. Microsoft Word, Adobe PDF) can be validated by others using the same applications. A proprietary electronic signature is electronic data, such as a digitized image of a handwritten signature, a symbol, a voiceprint, etc., that identifies the author(s) of an electronic message. Proprietary electronic signatures are vulnerable to copying and tampering, making forgery easy. In many cases they are not legally binding and require proprietary software to validate the signature.


Q. Why do companies adopt electronic signature solutions?

It is estimated that 30 billion paper documents are copied or printed by US companies annually. When factoring in copying, archiving, and the time spent locating documents, the cost of each document can reach $60-$120. Reducing paper is only one reason to adopt electronic signature solutions. Organizations are implementing standard electronic signatures to:

» Address legal compliance and limit liability
» Reduce time and paper costs associated with paper-based processes
» Automate and expedite business processes
» Ensure document security when moving from paper to electronic documents


Q. Does an electronic signature really seal an electronic document?

Yes. Standard electronic signatures “seal” documents by:

» Providing evidence of user authenticity (verifies the signer’s identity)
» Guaranteeing data integrity (data has not been altered since the document was signed)
» Ensuring non-repudiation of signed electronic documents
» Complying with regulations

For additional information, please see “How safe are electronic signatures vs. handwritten signatures?”


Q. Choosing an Electronic Signature Solution

What considerations should be taken into account when choosing an electronic signature solution that will maximize the business benefits of moving to a paperless environment?

  1. Seals the Document: Some solutions offer weak, non-standard electronic signatures, which can be tampered with and are not legally binding. It is best to choose a solution that is based on standard electronic signature technology (PKI – Public Key Infrastructure), thereby guaranteeing document integrity and legal compliance.
  2. Compliance: Review the regulations within your industry, ensuring the solution addresses all industry requirements.
  3. Multiple Application Support: Some solutions offer electronic signature support for Word or PDF documents only. Find a solution that supports all applications in order to address current, as well as future, business requirements.
  4. Transportability: Ensure the electronic signature is part of the document and that the signed documents may be validated by an outside user without having to install a proprietary software application.
  5. Graphical Signature Support: Although graphical signatures are not technically or legally mandated… a graphical signature has the psychological benefit of easing the transition to a paperless environment, because the signature on the electronic document appears as it would on a paper document.
  6. Seamless User Registration: Ask the vendor how users are enrolled and how changes to user information are updated. Many solutions require a new user to go through a complex software “wizard” or several steps to enroll or update their information. For fast rollout and easy adoption within the organization, registration should be transparent to the user.
  7. Multiple Signings on the Same Document: Some solutions allow for only one signature on a document. Look for a solution that can support your business logic and multiple signatures on the same document.
  8. Simple To Use: Some solutions require multiple steps to sign a document. It should only take 1 or 2 mouse-clicks to ensure that the document is sealed and legally compliant.
  9. Zero IT Management: The solution should be operational as soon as it is deployed. Help desk and IT support should be minimal.
  10. Low Total Cost Of Ownership: Remember to account for initial cost, deployment, help desk, digital certificates (which may be a recurring annual cost) and development of support for the applications that require signing.

Please reference “How to Choose an Electronic Signature Solution” for more detailed information on choosing the best electronic signature solution for your business.


Q. How safe are electronic signatures vs. handwritten signatures?

Simply right-click the signature and choose the “Validate” option.

Nicholas Leeson forged handwritten signatures of his boss and caused the collapse of Barings Bank, the United Kingdom's oldest investment bank. While both handwritten and electronic signatures are legally binding, only standard electronic signatures ensure non-repudiation of documents. For example, any changes made to an electronically signed document are clearly indicated and will immediately invalidate the signature, thereby protecting against forgery.


Q. Are electronic signatures legally binding?

Yes. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN"), which made signed electronic contracts and documents as legally binding as a paper-based contract.

Today electronic signatures carry recognized legal significance, allowing organizations to comply with regulations worldwide. See “Electronic Signature Legislation & Regulations” below for more on the laws passed regarding the use of electronic signatures.


Q. Electronic Signature Legislation & Regulations

In recent years, most countries worldwide have adopted legislation and regulations that recognize the legality of an electronic signature and deem it a binding signature. And, regulations such as the FDA 21 CFR Part 11 for the Life Sciences industry have also recognized electronic signatures as a replacement for handwritten signatures.

Legislation

» U.S. - ESIGN (Electronic Signatures in Global and National Commerce Act)
» U.S. - Uniform Electronic Transactions Act - adopted by 48 states
» U.S. - Digital Signature And Electronic Authentication Law
» U.S. - Government Paperwork Elimination Act (GPEA)
» U.S. - The Uniform Commercial Code (UCC)
» UK - Electronic Communications Act 2000 (chapter 7)
» Europe - EU Directive for Electronic Signatures (1999/93/EC)
» Europe – EU VAT Directive
» China - Electronic Signature Law of the People's Republic of China

For additional information on other countries, visit the Digital Signature Law Survey.

Industry Regulations

» Life Sciences - FDA's 21 CFR Part 11
» Healthcare - Health Insurance Portability and Accountability Act (HIPAA)
» ISO
» Homeland Security - Public Law 108-390
» Finance - Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley) - requires financial institutions to safeguard customer information, protect the security and integrity of records, and protect against unauthorized access
» Public Companies - Sarbanes-Oxley
» FAA's CFR Title 14, including support for:

  » Air carriers under 14 CFR parts 121, 129, or 135
  » Operators under 14 CFR parts 91, 125, 133, or 137
  » Persons performing airmen certification under 14 CFR parts 61, 63, 65, 141, and 142
  » Individuals performing maintenance or preventive maintenance under 14 CFR part 43
  » Repair stations under 14 CFR part 145
  » Aviation maintenance technical schools under 14 CFR part 147


Q. What is a Secure Signature-Creation Device (SSCD)?

Qualification as an SSCD is necessary for electronic signature solutions to comply with the EU Directive for Electronic Signatures. An SSCD is defined by the EC Directive 99/93 on Electronic Signatures as follows:

» Secure signature-creation devices must, by appropriate technical and procedural means, ensure that:
  » the signature-creation data used for signature generation can occur only once, and that their secrecy is reasonably assured;
  » the signature-creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
  » the signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
» Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.


Q. Legal Cases

Important milestones in the acceptance of electronic signatures into business practices took place in 1999 and 2000 respectively, when the EU passed the “EU Directive for Electronic Signatures” and President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN").

Furthermore, legal precedents are being established that confirm the validity of electronic documents and contracts. Following are a few examples:

1. Cloud Corp. v. Hasbro Inc., 314 F.3d 289 (7th Cir. 2002) - electronic documentation satisfied the Statute of Frauds.
2. Sea-Land Service, Inc. v. Lozen International, LLC, 285 F.3d 808; 2002 WL 496943 (9th Cir. 2002) – ruled that an internal company e-mail was admissible evidence.
3. Moore v. Microsoft Corp., 741 N.Y.S.2d 91 (April 5, 2002) – By clicking “I agree,” the terms of the End User License Agreement were valid and binding.


Q. How do electronic signatures work?

Using Bob and Alice, we can illustrate how standard electronic signatures are applied and verified.
Step 1: Getting a Private and Public Key
In order to electronically sign documents with standard electronic signatures, Bob needs to obtain a Private and Public Key – a one-time setup/operation. The Private Key, as the name implies, is not shared and is used only by the signer to sign documents. The Public Key is openly available and used by those that need to validate the signer’s electronic signature.
Step 2: Signing an Electronic Document
From Bob’s perspective, the signing operation can be as simple as a click of a button. But several things are happening with that one click:

1. Initiate the signing process - Depending on the software used, Bob needs to initiate the signing process (e.g. clicking a “Sign” button on the software’s toolbar).
2. Create an electronic signature - A unique digital fingerprint of the document (sometimes called Message Digest or Document Hash) is created using a mathematical algorithm (such as SHA-1). Even the slightest difference between two documents would create a different digital fingerprint of the document.
3. Append the signature to the document – The hash result and the user’s digital certificate (which includes his Public Key) are combined into an electronic signature (by using the user’s Private Key to encrypt the document hash). The resulting signature is unique to both the document and the user. Finally, the electronic signature is appended to the document.

Step 3: Validating the Electronic Signature
Bob sends the signed document to Alice. Alice uses Bob’s public key (which is included in the signature within the Digital Certificate) to authenticate Bob’s signature and to ensure that no changes were made to the signed document after it was signed. Alice:

1. Initiates the validation process - Depending on the software used, Alice needs to initiate the validation process (e.g. clicking a “Validate Signature” menu option on the software’s toolbar).
2. Decrypts Bob’s signature using his Public Key and recovers the original document fingerprint (the document hash that Bob signed).
3. Compares Bob’s document fingerprint with her own calculated one – Alice’s software calculates the hash of the received document and compares it with the original document hash recovered in the previous step. If they are the same, the signed document has not been altered.

There is another factor still missing from this description. How can Alice know whether Bob is indeed the same person she intends to conduct business with, or even that it is really Bob? Bob needs to be certified by a trusted third party that knows him and can verify that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CA). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives at a foreign country, there is no practical way to authenticate the traveler’s identity. Instead, the immigration policy is to trust the passport issuer (in PKI terminology: the CA) and use the passport to authenticate its holder in the same way that Alice uses the CA’s certificate for authenticating Bob’s identity.
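The three steps above, together with the CA check from this last paragraph, as an added Go example that is not part of the original FAQ or of any vendor product: it uses only Go's standard library (RSA with PKCS#1 v1.5 signatures, X.509 certificates) and SHA-256 in place of the SHA-1 the text names; the CA name "Example CA", Bob's certificate and the purchase-order text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Step 2: hash the document and sign the digest with the signer's private key.
// SHA-256 stands in for the SHA-1 named on the page, which is no longer collision resistant.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Step 3: Alice re-hashes what she received and checks the signature with the
// public key from Bob's certificate. Any change to doc or sig yields false.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// issueCertificate binds pub to a name. parent == nil means self-signed by signer (a CA
// root, or Bob vouching for himself); otherwise the CA's key signs it after vetting Bob.
func issueCertificate(name string, usage x509.KeyUsage, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // only a programming error can fail here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// trustedSigner is the "passport check": Alice accepts a certificate only if it
// chains to a CA already in her trust store.
func trustedSigner(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Outcome of the Bob/Alice scenario run on a constructed purchase order.
type Outcome struct{ OriginalOK, TamperedOK, BobTrusted, SelfIssuedTrusted bool }
func runScenario() Outcome {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // Step 1: one-time key pairs
	bobKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := issueCertificate("Example CA", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	bobCert := issueCertificate("Bob", x509.KeyUsageDigitalSignature, &bobKey.PublicKey, root, caKey)
	selfIssued := issueCertificate("Bob", x509.KeyUsageDigitalSignature, &bobKey.PublicKey, nil, bobKey)
	doc := []byte("Purchase order 1001: 500 units at $12.00 each") // constructed sample
	sig, _ := signDocument(bobKey, doc)
	tampered := []byte("Purchase order 1001: 500 units at $2.00 each") // one digit changed
	pub := bobCert.PublicKey.(*rsa.PublicKey)
	return Outcome{verifyDocument(pub, doc, sig), verifyDocument(pub, tampered, sig),
		trustedSigner(bobCert, root), trustedSigner(selfIssued, root)}
}
```

The self-issued certificate carries Bob's real key and name yet is rejected, which is the point of the passport analogy: the name inside a certificate means nothing unless a CA that Alice trusts signed it.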


Q. Glossary

Advanced Electronic Signature

See Digital Signature.

Asymmetric cryptography

There are two types of encryption:

  1. Symmetric - Identical secret key for encryption and decryption
  2. Asymmetric - Two Keys: a Private Key for decryption and signing and a Public Key for encryption and validating signatures. Knowledge of the Public Key does not reveal the Private Key.

CA

An authority that creates and signs Digital Certificates for one or more users. Usually CAs form a hierarchy. The top of this hierarchy is called the root CA.
See also RA.

CAPI

Cryptographic API (Application Programming Interface). An API provided by Microsoft to let applications encrypt or digitally sign data.

CDP

CRL Distribution Point – Information used by applications to locate the CRL.

CRL

Certificate Revocation List - the place where a CA stores the IDs of all the Digital Certificates that have been revoked.

Data Integrity

Assures document authenticity; any changes made to the contents of the document will invalidate the signature.

Detached Signature

A possible method of adding a Digital Signature to signed data, where the Digital Signature and the signed data are kept separately.

Digest

Used in the process of creating a Digital Signature, a Digest is a unique digital representation or "fingerprint" of the signed data.
See also "Hashing".

Digital Certificate

Similar to a passport identifying a trusted person (or entity such as an application).
A Digital Certificate is issued by a CA and is used to ensure the authenticity of the Public key belonging to a certain user.
A Digital Certificate prevents hackers from claiming someone else's identity, because the CA issued the certificate after ensuring the authenticity of Public keys belonging to the original users.

Digital Signature

A Digital Signature (sometimes referred to as an Advanced Electronic Signature) takes the concept of the traditional paper-based signature into the digital realm by cryptographically signing a digital "fingerprint" of the document. This signed "fingerprint" is unique to both the document and the signer.

Electronic Signature

While Digital Signatures and Electronic Signatures are sometimes used interchangeably, there is a significant difference between the two.
An Electronic Signature merely adds data (text, sound, symbol, picture etc.) to a document as a means of identifying the signer. These signatures should be considered forgeable.

Enrollment

The process of signing up a user for a Digital Signature "account", which includes generating a Key Pair and creating a Digital Certificate.

Enveloped Signature

A possible method of adding a Digital Signature to signed data, where the Digital Signature is embedded within the signed document.

Enveloping Signature

A possible method of adding a Digital Signature to signed data, where the signed data is actually embedded within the Digital Signature.

Graphical Signature

See Wet Signature.

Hashing

A mathematical process that converts a message (e.g. document) into a unique "message digest" that represents the original message. A hash function will not produce the same message digest from two different inputs.
A hash is a one-way function, making it infeasible to reverse the process to determine the original message from the "message digest".

Key Pair

The Public and Private keys generated for a user.

Non-Repudiation

Prevents the signer from later denying a transaction.

OTP

One Time Password – An authentication method using a password that is only valid for a single use.

PKCS#1

A Public-key cryptography Standard published by RSA Laboratories defining the basic syntax/format for a Digital Signature. This format doesn't include anything else other than the signature data.

PKCS#7

A Public-key Cryptography Standard published by RSA Laboratories defining the syntax/format for a Digital Signature. On top of the PKCS#1 signature data, this format includes information such as a timestamp, the Digital Certificate and more.

PKCS#11

A Public-key Cryptography Standard published by RSA Laboratories defining an API, called Cryptoki, for devices which hold cryptographic information and perform cryptographic functions.

PKCS#12

A Public-key Cryptography Standard published by RSA Laboratories defining a format for storing or transporting a user's private key, certificate, etc.

PKI

Public Key Infrastructure. The combination of standards, protocols and policies that support Digital Signatures and Encryption.

Private Key

The secret key in a PKI system, used to decrypt incoming messages and sign outgoing ones. A Private Key is always paired with its Public Key during key generation.

Public Key

The publicly available key in a PKI system, used to encrypt messages bound for its owner and to validate signatures made by its owner. A Public Key is always paired with its Private Key during key generation.

Qualified Certificate

A Digital Certificate issued by a CA that holds a national accreditation for providing them.

Qualified Digital Signature

A Digital Signature based on a Qualified Certificate.

Qualified Electronic Signature

See Qualified Digital Signature.

RA

Registration Authority – An RA does the required identification for certain certificate data, which is then passed to the CA for issuing the Digital Certificate.

Signature Pad

An electronic device with a touch sensitive LCD screen which allows users to acquire and register a Wet Signature.

Smart Card

A card, typically the size of a credit card, that contains a built-in microprocessor and memory. In traditional PKI systems, Smart Cards are used to store a user's Private Keys and, in some cases, also to perform the Hashing.

Wet Signature

A graphical representation of a wet-ink signature. The combination of a Graphical Signature and a Digital Signature provides a visual indication that reassures the user, as well as an assured method of sealing documents.

X.509

An ITU (International Telecommunication Union) standard for Digital Certificates used in many PKI implementations.


Q. I couldn't find an answer to my question. Who should I contact?

Please contact us with any questions you may have regarding electronic signatures.


© 2008 ARX. All rights reserved.