What You See Is What You Sign (WYSIWYS) refers to the part of any signature process, where you read a document you intend to sign, and ensure that you only sign it once you know it is the right document and agree with its terms. When you read something in your web browser, how can you be sure that the text you read is genuine, from the right source, and agree on the content it displays?
In the digital world, the WYSIWYS experience is part of a larger signature process involving several steps:
- The document or transaction is prepared
- The signatory views and reads it
- The signatory approves it
- The signature is created
- The terms in the document or transaction are executed
The first and last steps are about the business that needs something signed in order to proceed.
It can be pretty much anything including contracts, tax declarations or financial transactions. Once it has been signed, the applications requiring the signature can use the document and proceed with the business, e.g. open a bank account, buy a house, check declaration or transfer money.
The second step is where the user is presented with the document, that requires a signature, through their web browser.
Before the user will trust the remote system as being genuine (s)he will check that the URL appears correct and the browser displays that the connection is secure with a padlock (depending on the browser). The remote system on the other hand will not deliver a document to anyone it does not know and will ask the user to be authenticated by logging on with their authentication credentials. Having both the remote system and the user authenticated means that documents can be exchanged over a mutual authenticated channel.
When business is conducted online, it must be convenient to use and accessible from all types of devices.
User convenience firstly means that the users can readily engage with the remote service with whatever device they choose.
If dedicated hardware must be available, special software installed and the users favorite tablet and browser are unsupported, then the user journey becomes cumbersome and the business risks the user goes to a more welcoming service.
Secondly, as the electronic signature is digital, convenience relates to the cryptographic keys and processes required, and that the user must accept the terms of the signing service to apply his signature. While the terms must be understood and accepted by the user, the involvement of a public key infrastructure is not something the user should be concerned with.
In a digital world, the user does not see the actual data being signed. Who would bother presenting the raw data in e.g. a PDF or XML file for a user. Instead the system interprets and renders the data in a human readable fashion, which can be displayed in a browser.
Cryptomathic’s innovative approach is to render the data on a remote server before presenting the rendered images/data in the browser.
This approach has several advantages. Since the document to be signed (whether it’s in PDF or XML format) stays on the remote server and is never transported to the browser in its entirety, there is a real assurance that the document that is signed is the intended one.
Presenting rendered images in the browser is a trivial task on all devices and does not require any special software to be downloaded.
With a minimal client in the web browser, it is an nontrivial task to produce the advanced signature objects required for Qualified Electronic Signatures (QES) within the browser. For QES, additional formats processing, certificates, revocation information and time stamps are required to be collected. This is why, Cryptomathic leaves such complicated matters for the back-end system to carry out. The advanced signature format is created as per configuration at the remote site.
Once the user has read and agreed on the terms in the document, the digital signature has to be created. This typically means the user will provide one or more authentication factors, required to activate the signature key over an advanced protocol from the web client to the part of the remote system that has access to the signature key. The protocol and the authentication information ensure that only the intended document will be signed.
Cryptomathic delivers the tools to create a trustworthy viewer with a user experience that allows the user to read and sign documents on PCs, tables and smart phones without requirements to install software on the device. Supported by Cryptomathic Signer, WYSIWYS provides the strongest level of security, non-repudiation and end-user convenience.
References and Further Readings
- Introducing the Signature Activation Protocol for Remote Server Signing (2016), by Jan Kjærsgaard
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC(2014) by the European Parliament and the European Commission
Electronic Signatures and Infrastructures Activities (2017), by ETSI
- Selected articles on eIDAS (2014-17), by Heather Walker, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Authentication (2014-17), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures(2014-17), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more