Were I to ask you what a handwritten signature looks like, would you, with an air of confidence, grab a pen and scrawl your name on a piece of paper or, with a flourish, grip your thumb and fingers together and sign your name in the air? ‘Voila!’
Similarly, were I to ask you what a handwritten signature is used for and how it is verified, I am guessing that, with equal assurance, you would rattle off a list of examples such as an agreement to a contract, acceptance of terms and conditions, authorization for a payment; then you would tell me that the signature could be verified against one on a reference document such as on a Bank mandate.
And should I ask you why you had confidence in a handwritten signature, would that give you pause for thought? Would you say something along the lines of ‘...well, there are established processes to validate signatures’ or ‘...at some point there was a human involved in the verification’?
Now, what if I asked you these same questions about an electronic signature? How confident would you be in your responses?
In this and future blogs, I will compare and contrast the electronic signature with the handwritten one. In doing so, I will answer the following questions:
- What is an electronic signature?
- How does it differ from a digital signature, signature stamp, etc.?
- What types of electronic signatures are there?
- In which countries and under which circumstances are they recognized in law?
- For what purposes can I or can I not use one?
- What do they look like?
- How can I verify one?
- How can the signer’s privacy be maintained in a digital world?
- How do I know who actually created the electronic signature on a document?
- For how long and under what circumstances can the ongoing validity of a document be demonstrated?
I hope this series will add to your understanding of the constituent parts and requirements of a successful electronic signature scheme; and increase your confidence that such schemes can better protect you in a world of increasing connectivity and complexity of legal relationships.
What is an electronic signature and how does it differ from a digital signature, signature stamp, etc.?
The majority of us have seen an example of a signature being placed onto a digital document, whether it be placing an image on the document, using a touch screen to draw a signature, typing a PIN or password into a website, using a certificate, or something different. There are numerous ways to sign a document, each having its own merits. But which of these examples are electronic signatures?
Let's start in the world of physical documents by defining:
Handwritten signature
A handwritten name on a physical document, serving as a permanent indication that authenticates both the identity of the signer and the intent of the signer to witness, consent to, or otherwise provide opinion on the content of the document. Although typically a person’s name, it could equally be a pseudonym (nickname) or other representation, so the signer’s name may not be present. A handwritten signature may also be referred to as a ‘wet signature’.
Physical stamp (signature stamp in the physical world)
Used everywhere, a signature stamp is used in place of, and with the legal equivalence of, a handwritten signature. The signature stamp is an imprint of a pattern onto a document as a result of pressing down with a physical stamping device to transfer the ink pattern to the document. A ‘physical stamp’ may also be referred to as a ‘seal’ and can be thought of in similar terms to a ‘rubber stamp’. A well-known example is when the head of state approves a legislative document, where it is the role that matters and not the current name or number of the subject.
Transferring into the digital world we define:
Digital stamp (signature stamp in the digital world)
Typically, a digital image file that is placed on a digital document in place of a handwritten signature or a physical stamp to quickly and easily sign it. It is typically used as an indication of an individual’s intent to physically sign the digital document. The signature does not require authentication from the signee and is therefore difficult to consider legally binding.
A ‘digital stamp’ may also be referred to as a ‘signature image’, ‘digital signature image’, ‘stamp image’, or ‘digital stamp image’. All these terms include the word image, stamp or both.
Digital acknowledgment/Digital consent
Digital signature
A signature that is the result of performing cryptographic operations over a document using a digital signature key. Depending on the type of operations performed, it may be possible to verify one or more of the following three attributes of the document:
- authenticity of identity of the signer of the document, that is, that the name, pseudonym or other representation associated with the digital signature is authentic (is inextricably linked with the individual that created the digital signature).
- integrity of the document, that is, the document has not changed in content or composition since the time at which it was digitally signed.
- non-repudiation of the document, that is, that the document’s signer cannot successfully dispute the validity of their signature on the document and its intent. Document integrity and authenticity of the identity of the signer are prerequisites of this attribute.
Essentially, a digital signature depends on prior verification of the identity of the person who was in possession of the digital signature key, and requires that the key has subsequently been kept safe from theft or copying. This is possible if the persons that digitally sign the documents and those that rely on the digitally signed documents can agree on and trust a mechanism by which the signature key can only be used by the intended person. Typically this can be achieved by having the digital signature key certified by a trusted certificate authority.
By itself, a digital signature does not require a visual representation of the signer's handwritten signature. That said, it is often accompanied by such a digital stamp to provide a visual cue that the document has been signed.
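To make the three attributes above concrete, here is an added example (not Cryptomathic code and not a standardised format such as AdES) that signs a document together with its visible stamp and then checks what a verifier can detect. The `SignedDocument` layout, the choice of Ed25519 with SHA-256, and the use of a bare public key in place of a certificate issued by a certificate authority are assumptions of this sketch; the sample documents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a hypothetical container for this example: the document
// body, the visible stamp image, and one signature covering both.
type SignedDocument struct {
	Body, Stamp, Signature []byte
}

// digest hashes body and stamp with length prefixes, so bytes cannot be
// shifted from one field to the other without changing the result.
func digest(body, stamp []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:", len(body))
	h.Write(body)
	fmt.Fprintf(h, "%d:", len(stamp))
	h.Write(stamp)
	return h.Sum(nil)
}

// Sign is the cryptographic operation performed with the signature key.
func Sign(key ed25519.PrivateKey, body, stamp []byte) SignedDocument {
	return SignedDocument{body, stamp, ed25519.Sign(key, digest(body, stamp))}
}

// Verify checks integrity (digest unchanged since signing) and authenticity
// (signature made with the private key matching the trusted public key).
func Verify(trusted ed25519.PublicKey, d SignedDocument) bool {
	return ed25519.Verify(trusted, digest(d.Body, d.Stamp), d.Signature)
}

// Demo runs four checks on constructed sample data.
func Demo() (original, bodyEdited, stampSwapped, otherKey bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	otherPub, _, _ := ed25519.GenerateKey(nil)
	doc := Sign(priv, []byte("Pay 100 EUR to Bob"), []byte("stamp-image-A"))
	edited, swapped := doc, doc
	edited.Body = []byte("Pay 900 EUR to Bob")
	swapped.Stamp = []byte("stamp-image-B")
	return Verify(pub, doc), Verify(pub, edited), Verify(pub, swapped), Verify(otherPub, doc)
}

func main() { fmt.Println(Demo()) } // true false false false
```

Only the untouched document verifies under the signer's key. Non-repudiation is not something the code can show: it rests on these two checks plus the assurance that nobody but the signer could use the private key.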
Electronic signature
A legal concept. The basic premise of an electronic signature is that it is data logically associated with a digital document that was the result of the signer performing a signing operation on the digital document. An ‘electronic signature’ may also be referred to as an ‘e-signature’.
As you can see, this is a loose definition and does not specify the characteristics of the signature or how it is to be created. Given the different types of electronic signatures that exist today, the EU eIDAS regulation (more on this later in the blog series) sought to classify electronic signatures as either ‘simple’, ‘advanced’ or ‘qualified’.
1. ‘Simple’ electronic signature: an umbrella term used to refer to any electronic signature that does not meet the criteria of an advanced electronic signature (as defined below).
A ‘simple’ electronic signature comes in many different forms, such as simply typing your name, clicking an ‘I accept’ button, or drawing your signature with a mouse or touchscreen. It could also take the form of a digital stamp, a digital acknowledgment, digital consent or a digital signature.
Simple electronic signatures tend to, but do not necessarily, require some form of authentication from the signer before they can be affixed to a document. This may involve entering a password or confirming an email address associated with the signature.
2. Advanced electronic signature: an advanced electronic signature builds on the digital signature mechanism and has the following four characteristics under the applicable law within which it operates:
- It is a digital signature in a particular format and using a particular scheme as prescribed by the applicable law;
- The signer’s identity is a ‘natural person’. That is, the signer is an individual human being and not a business or governmental organization, etc. (see ‘Electronic Seal’ below);
- The name, pseudonym or other representation on the digital signature is uniquely linked back to the signer’s true identity; and
- It is possible to demonstrate that the signer provided consent for the creation of the digital signature and that it was not possible for any other person to request or otherwise interfere with the creation of the signature.
The first characteristic allows for secure interoperability between the creators and verifiers of the digital signatures within the scheme. A good example is the standards and specifications provided by the European Union for the creation and validation of the ‘Advanced Electronic Signature’ (AdES).
The second and third characteristics provide the authenticity of the identity of the signer of the document which, when combined with the integrity of the document as provided by the fourth characteristic, results in legal certainty over the digital signature in the form of non-repudiation of the document.
As with a digital signature, an electronic signature does not require a visual representation of the signer's handwritten signature (i.e. a digital stamp) but is often accompanied by one to provide visual assurance. Interestingly, with AdES, the integrity and authenticity of the image are also protected by the electronic signature. An ‘electronic signature’ may also be referred to as an ‘e-signature’.
There are electronic signature schemes that are not built on top of digital signature schemes. However, these schemes typically have limitations in providing strong non-repudiation of the signature or scalability of the scheme. They are typically used for specific use cases and require additional verifications to provide the necessary assurance levels. Therefore we will not discuss such schemes in this series.
3. Qualified electronic signature: This is an EU-level term. It is the same as an advanced electronic signature, with the added characteristic that it has been created using ‘qualified’ systems, services and processes that have been independently certified as being secure, specifically a qualified signature creation device (QSCD), and using qualified certificates to identify the signer.
We will explore what the term ‘qualified’ means to you, and the legal effects of different types of electronic signatures, later in the series. For now, according to the EU eIDAS regulation, while an ‘electronic signature shall not be denied legal effect...’, a ‘qualified electronic signature shall have the equivalent legal effect of a handwritten signature’. It is the gold standard of electronic signatures.
Electronic seal is also a legal concept that is, for the most part, identical to that of an advanced electronic signature built on top of a digital signature except that the signer’s identity is a ‘legal person’ such as a public organization, a cooperative, a company, a partnership, a role, etc.
Therefore, in essence, an electronic seal has four similar characteristics under the applicable law within which it operates:
- It is a digital signature in a particular format and using a particular scheme as prescribed by the applicable law (identical to an advanced electronic signature).
- The signer’s identity is a ‘legal person’ as described above and not an individual human being (see ‘Advanced Electronic Signature’ above).
- The name, pseudonym or other representation on the digital signature can be linked back to the legal person’s true identity.
- It will be possible to demonstrate that the system or individual that provided consent for the creation of the digital seal had delegated authority to do so and that it was not possible for any other system or individual to request or otherwise interfere with the creation of the seal.
An ‘electronic seal’ may also be referred to as an ‘e-seal’.
Qualified electronic seal is identical to a qualified electronic signature except that the signer’s identity is, again, a ‘legal person’.
Broadly one can summarise the above in the following diagram.
Join me in the next blog which will explore limitations of use and legal recognition for the different types of electronic signatures in different parts of the world.
Cryptomathic is a leader in the realm of qualified digital signature solutions, offering robust and trusted technologies that ensure the integrity, authenticity, and legal recognition of digital transactions. For information regarding digital signing solutions provided by Cryptomathic, please visit https://www.cryptomathic.com/products/authentication-signing/signer-centralised-digital-signatures or get in touch with one of our experts.