It is common to see the terms electronic signature and digital signature used interchangeably. This is a misconception, however: the two can differ, as can the processes by which they are generated and validated, and their specific legal ramifications.
What is an Electronic Signature?
As defined by eIDAS, an electronic signature is “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” Such a signature (subject to the relevant electronic signature schemes and regulations) is given the same legal status as a handwritten signature and is recognized as such when its accompanying data is submitted to other EU Member States. For the US market, see the details on the NIST DSS below.
There are different types of electronic signatures, each with its own set of requirements and methods of creation that attest to the validity of that specific type of signature. An advanced electronic signature, for instance, must include data that shows the signature is uniquely linked to the signatory and is capable of identifying them. The signature data must make any subsequent change to the signed document detectable, so that the signatory and the recipient can tell if it has been tampered with. Finally, the signature must be created with signature creation data that is under the sole control of the signatory.
What is a Digital Signature?
A digital signature is a specific technical implementation of electronic signing that applies cryptographic algorithms. The profiles for digital signatures, and their legal implications, differ between the European Union and the USA.
In the EU, the frameworks for advanced or qualified electronic signature profiles that are technically implemented through digital signatures are developed by the European Technical Standards Institute (ETSI). The following ETSI frameworks define how to create digital signatures that comply with the European Regulation on electronic identification and trust services for electronic transactions (eIDAS):
- XAdES (XML Advanced Electronic Signatures)
- CAdES (Cryptographic Message Syntax Advanced Electronic Signatures)
- PAdES (PDF Advanced Electronic Signatures)
- ASiC (Associated Signature Containers)
In the USA, the requirements for creating digital signatures are covered by the Digital Signature Standard (DSS), which the National Institute of Standards and Technology (NIST) put into effect in 1994. From the DSS perspective, a digital signature is created using cryptography with a digital signature algorithm (DSA). The DSA produces two keys that are assigned to the digital signature: one private and one public. Only the message sender knows the private key, while the recipient of the message uses the public key to verify the sender’s digital signature.
While DSS addresses the legal effect of a digital signature, it does not discuss its admissibility as evidence in a court of law. Compared with eIDAS, which requires additional security features for digital signatures, DSS does not meet the assurance levels set by the European standards, which provide assurance of admissibility in court. It is no surprise that the draft of the forthcoming DSS release, FIPS 186-4, is controversially discussed in the community.
References and Further Reading
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen and Dawn M. Turner
- Trust Services and eID (retrieved 11.01.2016), by the European Commission
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
Image: courtesy of Barn Images, Flickr