Thawte Electronic Digital Signature (electronicdigitalsignature.com)

What are digital signatures?

Digital signatures (standard electronic signatures) take the concept of traditional paper-based signing and turn it into an electronic “fingerprint.” This “fingerprint,” or coded message, is unique to both the document and the signer and binds the two together. The digital signature ensures the authenticity of the signer. Any change made to the document after it is signed invalidates the signature, thereby protecting against signature forgery and information tampering. Digital signatures help organizations sustain signer authenticity, accountability, data integrity and non-repudiation of electronic documents and forms.

Brief history of digital signatures

For centuries, signatures have been the most accepted means of authentication. Roman law recognized a combination of seals and signatures as the primary source for authenticating documents and legal contracts. The 1830s saw the first signs of electronic communications and legally recognized “electronic” signatures with the invention of the telegraph and Morse Code.

But it was the introduction of public key cryptography by Martin Hellman and Whitfield Diffie in 1976 that established the first practical method of distributing cryptographic keys over an unprotected public network.

What is PKI?

Public Key Infrastructure (PKI) is the basis for digital signatures (standard electronic signatures) today. PKI provides each user with a pair of keys, a Private Key and a Public Key, used in every signed transaction. The Private Key, as the name implies, is not shared and is used only by the signer to sign documents. The Public Key is openly available and used by those that need to validate the signer’s digital signature. PKI encompasses different components which include a Certificate Authority (CA), end-user enrollment software, and tools for managing, renewing, and revoking keys and certificates.

Digital vs. electronic signatures

Digital signatures are based on Public Key Infrastructure (PKI) and are the result of a cryptographic operation that guarantees signer authenticity, data integrity and non-repudiation of signed documents. A digital signature cannot be copied to another document, tampered with or altered without being invalidated. In addition, because they are based on standard PKI technology, signatures made within one application (e.g. Microsoft Word, Adobe PDF) can be validated by others using the same applications. An electronic signature, on the other hand, is a proprietary format (there is no standard for electronic signatures) consisting of electronic data, such as a digitized image of a handwritten signature, a symbol, a voiceprint, etc., that identifies the author(s) of an electronic message. Electronic signatures are vulnerable to copying and tampering, making forgery easy. In many cases they are not legally binding and require proprietary software to validate the signature.

Why do companies adopt digital signature solutions?

It is estimated that 30 billion paper documents are copied or printed by US companies annually. Once copying, archiving and the time spent locating documents are factored in, the cost of each document can reach $60-$120. Reducing paper is only one reason to adopt digital signature (standard electronic signature) solutions. Organizations are implementing standard digital signatures to:

  • Address legal compliance and limit liability
  • Reduce time and paper costs associated with paper-based processes
  • Automate and expedite business processes
  • Ensure document security when moving from paper to electronic documents

Does a digital signature really seal an electronic document?
Yes. Standard digital signatures “seal” documents by:

  • Providing evidence of user authenticity (verifies the signer’s identity)
  • Guaranteeing data integrity (data has not been altered since the document was signed)
  • Ensuring non-repudiation of signed electronic documents
  • Complying with regulations

For additional information, please see, “How safe are digital signatures vs. handwritten signatures?”

Choosing a digital signature solution
What considerations should be taken into account when choosing a digital signature (standard electronic signature) solution that will maximize the business benefits of moving to a paperless environment?

  1. Seals the Document: Some solutions offer weak, non-standard electronic signatures, which can be tampered with and are not legally binding. It is best to choose a solution that is based on digital signature technology (PKI – Public Key Infrastructure), thereby guaranteeing document integrity and legal compliance.
  2. Compliance: Review the regulations within your industry, ensuring the solution addresses all industry requirements.
  3. Multiple Application Support: Some solutions offer digital signature support for Word or PDF documents only. Find a solution that supports all applications in order to address current, as well as future, business requirements.
  4. Transportability: Ensure the digital signature is part of the document and that the signed documents may be validated by an outside user without having to install a proprietary software application.
  5. Graphical Signature Support: Although graphical signatures are not technically or legally mandated, a graphical signature has the psychological benefit of easing the transition to a paperless environment because the signature on the electronic document appears as it would on a paper document.
  6. Seamless User Registration: Ask the vendor how users are enrolled and how changes to user information are propagated. Many solutions require a new user to go through a complex software “wizard” or several steps to enroll or update their information. For fast rollout and easy adoption within the organization, registration should be transparent to the user.
  7. Multiple Signings on the Same Document: Some solutions allow for only one signature on a document. Look for a solution that can support your business logic and multiple signatures on the same document.
  8. Simple To Use: Some solutions require multiple steps to sign a document. It should take only one or two mouse clicks to ensure that the document is sealed and legally compliant.
  9. Zero IT Management: The solution should be operational as soon as it is deployed. Help desk and IT support should be minimal.
  10. Low Total Cost Of Ownership: Remember to account for initial cost, deployment, help desk, digital certificates (which may be a recurring annual cost) and development of support for the applications that require signing.

There are 10 simple points to consider when choosing a Digital Signature Solution (standard electronic signature) for your organization. While not all are obvious, they are critical make-or-break factors for the smooth implementation, management and use of such a system, impacting every aspect of your business processes. To ensure a low Total Cost of Ownership (TCO) and a speedy Return on Investment (ROI) from your Digital Signature solution, read on.

Seals Documents
This is the basic building block of a true digital signature solution. It guarantees the document is sealed from changes, whether incidental or the result of a late-night intrusion into your network. Only digital signatures based on Public Key Infrastructure (PKI) technology can truly seal a document. Any other type of solution can be easily forged.

Multiple Application Support
Many digital signature solutions support only PDF and Word applications, which may be sufficient support for some. However, if your organization needs to digitally sign in additional programs such as Excel, AutoCAD, and web applications, this type of solution will fall short of your needs. Make sure the applications you intend to sign in your organization are supported by the solution you choose.

Graphical Signatures
Of the standard applications that have digital signature capability, almost all lack graphical signature support. This is a major shortcoming. Graphical signatures ensure the signature is visually noticeable, and have a psychological impact: the signer is reassured they have signed the document and that it is legally compliant. Occasionally, different graphical signatures are required (e.g., initials, full signature). Verify that your solution has this capability.

Multiple Signatures
Many digital signature solutions do not allow altering the document once a signature is applied. This is good in terms of sealing the document, but problematic if the technology also prevents additional users from adding their required signatures to the document. If your company requires several people to digitally sign a document, ensure that your solution offers this feature.

Zero IT Management
Be aware that the time to deploy a system is typically lengthy and resource-intensive. IT staff can find themselves spending weeks every year managing the selected digital signature solution. Alternatively, the company may opt to employ an additional staff member to manage the task, or set up a help desk just to ensure users can digitally sign their documents. Costs can skyrocket. Ensure your solution is operational the moment it is deployed on your network, and that the “Zero-Management” requirement on your checklist is met.

Compliance
Each regulation has its own specific requirements pertaining to electronic documents. For example, the FDA 21 CFR Part 11 regulation for the Pharmaceutical market has numerous requisites that are not met by most digital signature solutions. Review the regulations for your industry and make sure the solution covers all of those requirements.

Transportability: Worldwide Verifiable
Do you want your customers or partners to be able to validate files you’ve signed electronically? This seemingly trivial task is not so trivial at all. Not every digital signature may be transportable outside of your organization. In fact, the digital signature is not always embedded in the document itself. Make sure your documents can be validated by external users without them having to install a third-party application.

Seamless User Registration
Implementing your digital signature solution must be as simple as possible. Make sure that the moment the solution has been deployed, staff at your organization can start digitally signing documents without having to start a “wizard” to enroll or call on the IT department for support. Make certain that your solution is capable of automatically and seamlessly updating user profiles from the company’s user directory.

Simple To Use
Be sure to choose a system that is easy to use. You don’t want staff to have to run a wizard application, first when they load the signature application onto their PC and then again every time they want to sign a document. IT staff involvement should be kept to a minimum. It should take a single click to ensure your document is sealed and legally compliant.

Total Cost of Ownership
Not everyone considers TCO when purchasing a digital signature solution. But to ensure you don’t pay too much in the long run, take the following costs into account: initial product cost, deployment, help desk, digital certificates (which may be a recurring annual cost), and development of support for the application you’re going to sign with. Project your TCO three years into the future to reveal any hidden costs, such as renewal of annual certificates.

Digital signature legislation & regulations

In recent years, most countries worldwide have adopted legislation and regulations that recognize the legality of a digital signature (standard electronic signature) and deem it a binding signature. Regulations such as the FDA 21 CFR Part 11 for the Life Sciences industry have also recognized digital signatures as a replacement for handwritten signatures.

Legislation

For additional information on other countries, visit the Digital Signature Law Survey.

Industry Regulations and Standards

How safe are digital signatures vs. handwritten signatures?

Nicholas Leeson forged handwritten signatures of his boss and caused the collapse of Barings Bank, the United Kingdom's oldest investment bank. While both handwritten and digital signatures (standard electronic signatures) are legally binding, only digital signatures ensure non-repudiation of documents. For example, any changes made to an electronically signed document are clearly indicated and will immediately invalidate the signature, thereby protecting against forgery.

Are digital signatures legally binding?

Yes. In 1999, the EU passed the “EU Directive for Electronic Signatures” and on June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN"), which made signed electronic contracts and documents as legally binding as a paper-based contract.

Today digital signatures (standard electronic signatures) carry recognized legal significance, allowing organizations to comply with regulations worldwide. Learn more about the laws passed regarding the use of digital signatures.

What is a Secure Signature-Creation Device (SSCD)?

Qualification as an SSCD is necessary for digital signature (standard electronic signatures) solutions to comply with the EU Directive for Electronic Signatures. An SSCD is defined by the EC Directive 99/93 on Electronic Signatures as follows:

  • Secure signature-creation devices must, by appropriate technical and procedural means, ensure that:
      - the signature-creation data used for signature generation can occur only once, and that their secrecy is reasonably assured;
      - the signature-creation data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
      - the signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
  • Secure signature-creation devices must not alter data to be signed or prevent such data from being presented to the signatory prior to the signature process.

Legal Cases

Important milestones in the acceptance of digital signatures (standard electronic signatures) into business practices took place in 1999 and 2000 respectively, when the EU passed the “EU Directive for Electronic Signatures” and President Clinton signed into law the Electronic Signatures in Global and National Commerce Act ("ESIGN").

Furthermore, legal precedents are being established that confirm the validity of electronic documents and contracts. Following are a few examples:
- Cloud Corp. v. Hasbro Inc., 314 F.3d 289 (7th Cir. 2002) – electronic documentation satisfied the Statute of Frauds.
- Sea-Land Service, Inc. v. Lozen International, LLC, 285 F.3d 808; 2002 WL 496943 (9th Cir. 2002) – ruled that an internal company e-mail was admissible evidence.
- Moore v. Microsoft Corp., 741 N.Y.S.2d 91 (April 5, 2002) – by clicking “I agree,” the terms of the End User License Agreement were valid and binding.

How do digital signatures work?

Using Victor and Kristine, we can illustrate how standard digital signatures (standard electronic signatures) are applied and verified.
Step 1: Getting a Private and Public Key
In order to electronically sign documents with standard digital signatures, Victor needs to obtain a Private and Public Key – a one-time setup/operation. The Private Key, as the name implies, is not shared and is used only by the signer to sign documents. The Public Key is openly available and used by those that need to validate the signer’s digital signature.

Step 2: Signing an Electronic Document
From Victor's perspective, the signing operation can be as simple as a click of a button. But several things are happening with that one click:
1. Initiate the signing process - Depending on the software used, Victor needs to initiate the signing process (e.g. clicking a “Sign” button on the software’s toolbar).
2. Create a digital signature - A unique digital fingerprint of the document (sometimes called Message Digest or Document Hash) is created using a mathematical algorithm (such as SHA-1). Even the slightest difference between two documents would create a different digital fingerprint of the document.
3. Append the signature to the document – The hash result and the user’s digital certificate (which includes his Public Key) are combined into a digital signature (by using the user’s Private Key to encrypt the document hash). The resulting signature is unique to both the document and the user. Finally, the digital signature is appended to the document.

Step 3: Validating the Digital Signature

Victor sends the signed document to Kristine. Kristine uses Victor's Public Key (which is included in the signature within the Digital Certificate) to authenticate Victor's signature and to ensure that no changes were made to the document after it was signed. Kristine:
1. Initiates the validation process - Depending on the software used, Kristine needs to initiate the validation process (e.g. clicking a “Validate Signature” menu option or toolbar button).
2. Decrypts Victor's signature using his Public Key and obtains the document fingerprint (hash) that Victor signed.
3. Computes the fingerprint of the document she received and compares it with the decrypted one. If the two match, the document has not been altered since Victor signed it and the signature is valid; if they differ, the signature is reported as invalid.

There is another factor still missing from this description.
How can Kristine know whether Victor is indeed the same person she intends to conduct business with, or even that it is really Victor? Victor needs to be certified by a trusted third party that knows him and can verify that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CA). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives in a foreign country, there is no practical way to authenticate the traveler’s identity directly. Instead, the immigration policy is to trust the passport issuer (in PKI terminology: the CA) and use the passport to authenticate its holder, in the same way that Kristine uses the CA-issued certificate to authenticate Victor's identity.
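The three steps above, written out as an added example (Go, standard library only; not code from the original page or from any vendor it mentions): Victor's key pair is generated once, the document is hashed and the digest signed with his Private Key, and Kristine verifies with his Public Key and detects a post-signing edit. It uses SHA-256 rather than the SHA-1 the text mentions, since SHA-1 is no longer accepted for signatures; the sample contract text and the names Signer, Sign, Verify and Exchange are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds Victor's key pair from Step 1. Generating it is a one-time setup;
// the Private Key never leaves this struct, the Public Key is handed out freely.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key pair for the signer.
func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKey is what Victor publishes (in practice inside his Digital Certificate).
func (s *Signer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign is Step 2: compute the document's fingerprint (SHA-256, since SHA-1 is no
// longer acceptable for signatures) and sign that digest with the Private Key
// using PKCS#1 v1.5, the "encrypt the hash" operation in RSA terms. The result
// is a detached signature that can then be appended to the document.
func (s *Signer) Sign(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify is Step 3 from Kristine's side: she recomputes the fingerprint of the
// document she received and checks it against the signature with Victor's
// Public Key. It reports true only if the document is byte-for-byte unchanged
// and the signature was produced by the matching Private Key.
func Verify(pub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Exchange runs the whole flow on a constructed sample contract and reports
// whether the untouched document verifies and whether a one-character edit does.
func Exchange() (originalOK, tamperedOK bool, err error) {
	victor, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	// Constructed sample document.
	contract := []byte("Victor agrees to deliver 100 units at 50 EUR each.")
	sig, err := victor.Sign(contract)
	if err != nil {
		return false, false, err
	}
	// Kristine validates the document as received...
	originalOK = Verify(victor.PublicKey(), contract, sig)
	// ...and a copy whose price was altered after signing.
	tampered := []byte("Victor agrees to deliver 100 units at 5 EUR each.")
	tamperedOK = Verify(victor.PublicKey(), tampered, sig)
	return originalOK, tamperedOK, nil
}

func main() {
	ok, tamperedOK, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, tamperedOK)
}
```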


Glossary

Advanced Electronic Signature

See Digital Signature.

Asymmetric cryptography

There are two types of encryption:

  1. Symmetric - Identical secret key for encryption and decryption
  2. Asymmetric - Two keys: a Private Key for decryption and signing and a Public Key for encryption and validating signatures. Knowledge of the Public Key does not reveal the Private Key.

CA

An authority that creates and signs Digital Certificates for one or more users. Usually CAs form a hierarchy. The top of this hierarchy is called the root CA.
See also RA.

CAPI

Cryptographic API (Application Programming Interface). An API provided by Microsoft to let applications encrypt or digitally sign data.

CDP

CRL Distribution Point – a certificate field that tells applications where the CRL can be retrieved.

CRL

Certificate Revocation List - the list published by a CA of the identifiers (serial numbers) of all the Digital Certificates it has revoked.

Data Integrity

Assures document authenticity; any change made to the contents of the document will invalidate the signature.

Detached Signature

A possible method of adding a Digital Signature to signed data, where the Digital Signature and the signed data are kept separately.

Digest

Used in the process of creating a Digital Signature, a Digest is a unique digital representation or "fingerprint" of the signed data.
See also "Hashing".

Digital Certificate

Similar to a passport identifying a trusted person (or entity such as an application).
A Digital Certificate is issued by a CA and is used to ensure the authenticity of the Public key belonging to a certain user.
A Digital Certificate prevents an attacker from claiming someone else's identity, because the CA issues the certificate only after verifying that the Public Key really belongs to the named user.
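The Certificate Authority role described in the "How do digital signatures work?" section and in this glossary entry, as an added example in Go (standard library crypto/x509; not code from the original page or from any vendor it mentions): a self-signed root CA issues Victor a certificate binding his name to his Public Key, and Kristine accepts a certificate only when it chains to a CA in her trust store, so a certificate with the same name from an unknown CA is rejected. The CA names, the helper names must, template, newCA, issue, Trusted and Scenario, and the one-day validity window are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must aborts the demo on a setup error (key generation or certificate encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a constructed certificate body for the given name, valid for one day.
func template(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA creates a self-signed root: the "passport issuer" Kristine must trust in advance.
func newCA(name string) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issue is the CA vouching for a user: after the identity check (the RA step)
// it signs a certificate that binds the user's name to the user's Public Key.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, name string, pub *rsa.PublicKey) *x509.Certificate {
	tmpl := template(2, name)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// Trusted is Kristine's check: the certificate is accepted only if its CA signature
// chains to the root in her trust store; the name printed inside it proves nothing alone.
func Trusted(cert, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Scenario: a certificate for "Victor" from the CA Kristine trusts is accepted,
// while one carrying the same name from a CA she has never heard of is rejected.
func Scenario() (genuineOK, impostorOK bool) {
	trustedCA, trustedKey := newCA("Constructed Trusted CA")
	rogueCA, rogueKey := newCA("Constructed Unknown CA")
	victorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	genuine := issue(trustedCA, trustedKey, "Victor", &victorKey.PublicKey)
	impostor := issue(rogueCA, rogueKey, "Victor", &victorKey.PublicKey)
	return Trusted(genuine, trustedCA), Trusted(impostor, trustedCA)
}
```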

Digital Signature

Digital Signature (sometimes referred to as Advanced Electronic Signature) takes the concept of the traditional paper-based signature into the digital realm by cryptographically signing a digital "fingerprint" of the document. This signed "fingerprint" is unique to both the document and the signer.

Electronic Signature

While Digital Signatures and Electronic Signatures are sometimes used interchangeably, there is a significant difference between the two.
An Electronic Signature merely adds data (text, sound, symbol, picture etc.) to a document as a means of identifying the signer. These signatures should be considered forgeable.

Enrollment

The process of signing up a user for a Digital Signature "account", which includes generating a Key Pair and creating a Digital Certificate.

Enveloped Signature

A possible method of adding a Digital Signature to signed data, where the Digital Signature is embedded within the signed document.

Enveloping Signature

A possible method of adding a Digital Signature to signed data, where the signed data is actually embedded within the Digital Signature.

Graphical Signature

See Wet Signature.

Hashing

A mathematical process that converts a message (e.g. a document) into a fixed-size "message digest" that represents the original message. With a secure hash function it is computationally infeasible to find two different inputs that produce the same message digest.
A hash is a one-way function, making it infeasible to reverse the process to determine the original message from the "message digest".

Key Pair

The Public and Private keys generated for a user.

Non-Repudiation

The assurance that a signer cannot later deny having signed a document or transaction.

OTP

One Time Password – An authentication method using a password that is only valid for a single use.

PKCS#1

A Public-Key Cryptography Standard published by RSA Laboratories defining the basic syntax/format for a Digital Signature. This format contains nothing other than the signature value itself.

PKCS#7

A Public-Key Cryptography Standard published by RSA Laboratories defining the syntax/format for a Digital Signature. In addition to the PKCS#1 signature value, this format can carry information such as a timestamp, the signer's Digital Certificate and more.

PKCS#11

A Public-Key Cryptography Standard published by RSA Laboratories defining an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions.

PKCS#12

A Public-key Cryptography Standard published by RSA Laboratories defining a format for storing or transporting a user's private key, certificate, etc.

PKI

Public Key Infrastructure. The combination of standards, protocols and policies that support Digital Signatures and Encryption.

Private Key

The secret key in a PKI system, used to decrypt incoming messages and sign outgoing ones. A Private Key is always paired with its Public Key during key generation.

Public Key

The publicly available key in a PKI system, used to encrypt messages bound for its owner and to validate signatures made by its owner. A Public Key is always paired with its Private Key during key generation.

Qualified Certificate

A Digital Certificate issued by a CA that holds a national accreditation for issuing them.

Qualified Digital Signature

A Digital Signature based on a Qualified Certificate.

Qualified Electronic Signature

See Qualified Digital Signature.

RA

Registration Authority – An RA does the required identification for certain certificate data, which is then passed to the CA for issuing the Digital Certificate.

Signature Pad

An electronic device with a touch sensitive LCD screen which allows users to acquire and register a Wet Signature.

Smart Card

A card, typically the size of a credit card, that contains a built-in microprocessor and memory. In traditional PKI systems, Smart Cards are used to store a user's Private Keys and in some cases also perform the Hashing.

Wet Signature

A graphical representation of a wet-ink signature. Combining a Graphical Signature with a Digital Signature gives the user a reassuring visual indication of having signed, while the Digital Signature provides the assured method of sealing the document.

X.509

An ITU (International Telecommunication Union) standard for Digital Certificates used in many PKI implementations.

Copyright © 1997-2010 adgrafics ®