What is a digital signature? What is an electronic signature? How do they work? Why do companies use electronic signatures? The following FAQ (Frequently Asked Questions) addresses general aspects of digital and electronic signatures.
What is a Qualified Signature-Creation Device (QSCD)?
A digital signature (standard electronic signature) solution needs to be qualified as a QSCD in order to comply with the EU’s ‘Electronic Identification and Trust Services for Electronic Transactions in the Internal Market’ (eIDAS) regulation.
QSCDs are defined in the regulation as devices which must, by appropriate technical and procedural means, ensure that:
The users’ signature keys reside in a secure product that provides the signatory with sole control over the use of his/her signature key.
The generation and management of the signature creation data on behalf of the signatory is performed by a qualified Trust Service Provider.
The data to be signed will be available to be presented to the signatory prior to signing and will not be altered in any way.
The signature creation data used for signature generation:
Can practically occur only once, and its confidentiality is reasonably assured.
Cannot, with reasonable assurance, be derived and the signature is reliably protected against forgery using currently available technology.
Can be reliably protected by the legitimate signatory against use of others.
CoSign was officially certified by OCSI, the Italian information security certification organization, as an SSCD (Secure Signature Creation Device), which was the standard terminology prior to the eIDAS regulation. CoSign can be used as a QSCD (Qualified Electronic Signature Creation Device) since it addresses all the requirements detailed in the new EU eIDAS regulation, specifically in Annex II which defines the term QSCD (Qualified Signature Creation Device) as a replacement for the SSCD terminology and implicitly permits using a remote signing solution for generating qualified signatures.
How can I validate a digital signature?
Simply right-click on the signature and choose the “Validate” option. Validating the digital signature enables the recipient to authenticate the identity of the signer and view the reason, date and time of the signature. Validation guarantees the signed document was not tampered with and/or modified, ensuring the signer was a valid employee, for example, at the time of signing the document. CoSign allows receiving parties to validate signatures without requiring software installation. In some cases third parties will need to download your certificate from CoSign Nation in order to verify your digital signature. Note: Validating a signature varies slightly according to the application and its version.
What is a digital signature?
A digital signature (standard electronic signature) takes the concept of traditional paper-based signing and turns it into an electronic “fingerprint.” This “fingerprint,” or coded message, is unique to both the document and the signer and binds them together. Digital signatures ensure the authenticity of the signer. Any changes made to the document after it has been signed invalidate the signature, thereby protecting against signature forgery and information tampering. As such, digital signatures help organizations sustain signer authenticity, accountability, data integrity and the non-repudiation of signed electronic documents and forms.
Watch a video to see how a digital signature works.
What is an electronic signature?
An electronic signature can be as basic as a typed name or a digitized image of a handwritten signature. Consequently, e-signatures are very problematic when it comes to maintaining integrity and security, as nothing prevents one individual from typing another individual’s name. Due to this reality, an electronic signature that does not incorporate additional measures of security (the way digital signatures do, as described above) is considered an insecure way of signing documentation.
What is the difference between a digital signature and an electronic signature?
A digital signature, often referred to as advanced or standard electronic signature, falls into a sub-group of electronic signatures that provides the highest levels of security and universal acceptance. Digital signatures are based on Public Key Infrastructure (PKI) technology, and guarantee signer identity and intent, data integrity, and the non-repudiation of signed documents. The digital signature cannot be copied, tampered with or altered. In addition, because digital signatures are based on standard PKI technology, they can be validated by anyone without the need for proprietary verification software. On the other hand, an electronic signature is a proprietary format (there is no standard for electronic signatures) that may be a digitized image of a handwritten signature, a symbol, voiceprint, etc., used to identify the author(s) of an electronic message. An electronic signature is vulnerable to copying and tampering, and invites forgery. In many cases, electronic signatures are not legally binding and will require proprietary software to validate the e-signature.
Why do companies adopt electronic signature solutions?
It is estimated that every year, 30 billion paper documents are copied or printed by US companies. When factoring the costs of copying, scanning, archiving, routing and retrieving lost documents, each paper-based signature is estimated to cost $6.50. The average authorized employee signs 500 documents a year at a total cost of $3,250. Organizations are implementing digital signature solutions to:
Yes. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed the Electronic Signatures in Global and National Commerce Act (“ESIGN”), which made signed electronic contracts and documents as legally binding as a paper-based contract.
Today, digital signature (standard electronic signature) solutions carry recognized legal significance, enabling organizations to comply with regulations worldwide. Learn more about digital signature regulations and legislation.
What legislation and regulations define the legality of an electronic signature?
Most countries worldwide have adopted legislation and regulations that recognize the legality of a digital signature (standard electronic signature) and deem it a binding signature. In addition to governments, many industries have established regulations (such as the FDA 21 CFR Part 11) that define digital signatures as a replacement for handwritten signatures.
Since CoSign is a digital signature solution, a secure form of e-signatures, it can provide legal compliance in the most tightly regulated industries and geographies. CoSign offers a solution that is FIPS 140-2 Level 3 certified and is based on the Digital Signature Standard (FIPS 186-2). With the proper standard operating procedures in place, CoSign can comply with ESIGN, EU Directives and VAT law, FDA 21CFR Part 11, HIPAA and SOX.
Have there been legal cases for the acceptance of digital signatures?
Important milestones in the acceptance of digital signature solutions (standard electronic signature solutions) into business practices took place in 1999 and 2000, when the EU passed the “EU Directive for Electronic Signatures” and President Clinton signed the Electronic Signatures in Global and National Commerce Act (“ESIGN”). Furthermore, legal precedents are being established that confirm the validity of electronic documents and contracts.
Read more about legality/enforceability and country-specific information: Electronic signatures and Digital signatures.
How safe is a digital signature vs. a handwritten signature?
Nicholas Leeson forged handwritten signatures of his boss and caused the collapse of Barings Bank, the United Kingdom’s oldest investment bank. While both handwritten and digital signatures (standard electronic signatures) are legally-binding, only digital signatures ensure the non-repudiation of documents.
How do digital signatures work?
Using Bob and Alice, we can illustrate how a digital signature (standard electronic signature) is applied and verified.
From Bob’s perspective, the signing operation can be as simple as a click of a button. But several things happen with that one click:
Step 1: Getting a Private and Public Key
In order to digitally sign a document, Bob needs to obtain a private and public key, which is a one-time process. The private key, as the name implies, is not shared and is used only by the signer. The public key is openly available and used by those that need to validate the signer’s digital signature.
Step 2: Signing an Electronic Document Initiate the signing process - Depending on the software used, Bob needs to initiate the signing process (e.g., by clicking a “Sign” button on the software’s toolbar). Create a digital signature - A unique digital fingerprint of the document (sometimes called a message digest or document hash) is created using a mathematical algorithm (such as SHA-1). Even the slightest difference between two documents would create a separate digital fingerprint of each. Append the signature to the document - The hash result and the user’s digital certificate (which includes the user’s public key) are combined into a digital signature (by using the user’s private key to encrypt the document hash). The resulting signature is unique to both the document and the user. Finally, the digital signature is appended to the document. Bob sends the signed document to Alice. Alice uses Bob’s public key (which is included in the digital certificate) to authenticate Bob’s signature and to ensure that no changes were made to the document after it was signed.
Step 3: Validating a Digital Signature Initiate the validation process - Depending on the software used, Alice needs to initiate the validation process (e.g., by clicking a “Validate Signature” menu option button on the software’s toolbar). Decrypt the digital signature - Using Bob’s public key, Alice decrypts his digital signature and receives the original document (the document fingerprint). Compares the document fingerprint with her calculated one - Alice’s software then calculates the document hash of the received document and compares it with the original document hash (from the previous step). If they are the same, the signed document has not been altered.
There is yet another factor involved. How can Alice know whether Bob is indeed the same person she intends to conduct business with? Bob needs to be certified by a trusted third party that knows him and can verify that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CA). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives at a foreign country, there is no practical way to authenticate the traveler’s identity. Instead, the immigration policy is to trust the passport issuer (in PKI terminology, this is the CA) and use the passport to authenticate its holder in the same way that Alice uses the CA’s certificate for authenticating Bob’s identity.
Does a digital signature really seal an electronic document?
Yes. Based on international standards digital signatures “seal” documents:
Providing evidence of user identity
Guaranteeing data integrity
Ensuring the non-repudiation of signed electronic documents
For additional information, please see How safe are digital signatures vs. handwritten signatures? (above)
How do I choose an electronic signature solution?
The following are some considerations that should be taken into account when choosing a digital signature solution that will maximize the business benefits of moving to a paperless environment:
Seals the document: Some solutions offer a non-standard electronic signature, that can be tampered with and that is not legally binding. It is best to choose a solution that is based on Public Key Infrastructure technology, thereby guaranteeing document integrity and legal compliance.
Compliance: Review the regulations within your industry, ensuring that the electronic signature solution addresses all industry requirements.
Multiple Application Support: Some solutions offer electronic signature support for Microsoft Word or PDF documents only. Find a solution that supports all applications in order to address current and future business requirements.
Transportability: Ensure that the electronic signature is part of the document and that the signed documents may be validated by an outside user without having to install a proprietary software application.
Graphical Signature Support: Although graphical signatures are not technically or legally mandated, a graphical e-signature has the psychological benefit of easing the transition to a paperless environment, because the e-signature on the electronic document appears as it would on a paper document.
Seamless User Registration: Ask the vendor how users are enrolled and how changes to user information are updated. Many electronic signature solutions require a new user to go through a complex software “wizard” or follow several steps to enroll or update their information. For fast rollout and easy adoption within the organization, registration should be transparent to the user.
Multiple Signatures on the Same Document: Some electronic signature solutions allow for only one e-signature on a document. Look for a solution that can support multiple signatures on the same document.
Simple to Use: Some electronic signature solutions require multiple steps to e-sign a document. It should only take 1 or 2 mouse clicks to ensure that the document is sealed and legally enforceable.
Zero IT Management: The electronic signature solution should be operational as soon as it is deployed. Help desk and IT support should be minimal.
Low Total Cost of Ownership: Remember to account for initial cost, deployment, support, digital certificates (which may be a recurring annual cost) and development for the applications that require electronic signatures.
How can digital signatures benefit business processes?
Many processes require formal authorizations or approvals. Often, the number of signature-dependent processes within an organization or department is higher than many realize. By implementing digital signatures, organizations are able to significantly shorten process times while cutting costs and improving collaboration and efficiency.
The table below highlights some signature-dependent processes and documents:
Executive Management / Board Documents
Board Actions, Corporate Communications and Public Reports, Investor Relations, SEC Documents
Employee Actions, Employee Benefit Changes, Employee On-boarding Documents, Employee Time Sheets, Employee Training Acknowledgements, Periodic Forms, Performance Reviews, Insurance Claims
Contracts, Agreements, Work Orders, Master Service Agreement Forms, and Sub-contractor Agreements
Lease Agreements, Loan Agreements, Expense Reports & Reimbursement Approvals, Invoices, Tax Filings, Financial Spreadsheets (Data Collection and Aggregation), Disbursements (Check, Wire Transfer Orders, and ACH Transactions), Journal Entries related to Accounting and General Ledger, Purchase Requests, Gift Records
Customer Service Documents
Customer Service Change Orders
Purchase Orders, Contracts with subcontractors
Sales Proposals, Point of Sale/Service, Contracts with clients
Applications, Submissions, etc.
QC Documents, Standard Operating Procedures, Policies, Work Instructions, Training Documents, Test Procedures, Field Service, Maintenance and Calibrations Reports
Other Industry Specific Documents
Designs, Drawings, Plans, Manufacturing Instructions and Reports, HIPAA Patient and Consent Forms, Medical Records, Clinical Documentation, Lab Reports and Certificates of Analysis
What is PKI?
Public Key Infrastructure (PKI) is the basis for the digital signature (standard electronic signature) today. PKI provides each user with a pair of keys, a private key and a public key, used in every signed transaction. The private key, as the name implies, is not shared and is used only by the signer to electronically sign documents. The public key is openly available and used by those that need to validate the signer’s electronic signature. PKI encompasses different components which include a Certificate Authority (CA), end-user enrollment software, and tools for managing, renewing and revoking keys and certificates.
What is a Secure Signature-Creation Device (SSCD)?
Qualification as an SSCD is necessary for a digital signature (standard electronic signature) solution to comply with the EU Directive for Electronic Signatures. An SSCD is defined by the EC Directive 99/93 on Electronic Signatures as follows:
Secure signature-creation devices must, by appropriate technical and procedural means, ensure:
The signature-creation data used for signature generation can occur only once, and that their secrecy is reasonably assured.
The signature-creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology.
The signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
Secure signature-creation devices must not alter data to be signed or prevent such data from being presented to the signatory prior to the signature process.
What are digital certificates?
Learn about digital certificates, how they work and why companies use them in the Digital Certificates FAQ. The FAQ addresses both business and technology aspects of digital certificates.
What are the environmental effects of switching to an electronic signature?
The average e-signature user signs just over 2 documents per workday, or 500 documents per year (based on CoSign customer usage statistics). These numbers equal a usage reduction of half of a tree, ¾ of a barrel of oil, and 150 pounds of carbon emissions per signer, per year.