People often use the terms e-signature and digital signature interchangeably. However, they aren't the same thing. Everything from the processes that generate and validate them to the specific legal ramifications can differ.
In this article, we outline the key differences between e-signatures and digital signatures.
What is an E-signature?
As defined by eIDAS, an electronic signature, or e-signature, refers to “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” An e-signature (subject to relevant electronic signature schemes and regulations) is given the same legal status as if it were a handwritten signature and will be recognized as such when its accompanying data is submitted to other Member States in the EU. For information about the US market, read the details about NIST-DSS.
There are different types of e-signatures, each with its own set of requirements and methods of creation that are used to attest to the validity of that specific type of signature.
An advanced electronic signature, for instance, must include data that proves the signature has been uniquely linked to and is capable of identifying the signer. There must be detection built into the signature data that is capable of notifying the signatory and the recipient of the signed document if it has been tampered with. Finally, the signature must be created with signature creation data that is under the sole control of the signatory.
What is a Digital Signature?
Unlike an e-signature, a digital signature is a specific technical implementation of electronic signing by applying cryptographic algorithms. Between the European Union and the USA, profiles for digital signatures and their legal implications deviate.
In the EU, frameworks for advanced or qualified electronic signature profiles that are technically implemented through digital signatures are developed by the European Technical Standards Institute (ETSI). The following ETSI-frameworks define how to create digital signatures that comply with the European regulation for the electronic identification and trust services for electronic transactions (eIDAS):
- XAdES (XML Advanced Electronic Signatures)
- CAdES (Cryptographic Message Syntax Advanced Electronic Signatures)
- PAdES (PDF Advanced Electronic Signatures)
- ASiC (Associated Signature Containers)
As these digital signatures are compliant with the eIDAS regulation, they are legally binding in all EU member states.
In the USA, requirements for creating digital signatures are covered under the Digital Signature Standard (DSS) that the National Institute of Standards and Technology (NIST) put into effect in 1994. A digital signature from a DSS perspective is created through the use of cryptography with a digital signature algorithm (DSA). The DSA produces two keys that are assigned to the digital signature. One is private and the 2nd is public. The message sender has sole knowledge of the private key, while the recipient of the message will use the public key to verify the sender’s digital signature.
While DSS addresses the legal effect of the digital signature, it does not discuss its admissibility as evidence in a court of law. In comparison to eIDAS, where additional security features are required for digital signatures, DSS does not meet the assurance levels that European standards have set, which provide assurance of admissibility in court. Unsurprisingly, the draft for the forthcoming release DSS, FIPS 186-4 is controversely discussed in the community.
References and Further Reading
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen and Dawn M. Turner
- Trust Services and eID (retrieved 11.01.2016) by the European Commission
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC(2014) by the European Parliament and the European Commission
Image: courtesy of Barn Images, Flickr