While the following terms and acronyms definitions are all available via Wikipedia, ESIGN act, or eIDAS, reading individual articles is not always very helpful. On the other hand, understanding the specifics of an electronic signature (or e-signature) process helps to better identify their value. This blog will examine some of the key aspects of e-signatures and how to find the right one for your business case.
How electronic signature guarantees the signer’s identity:
An electronic signature’s classification depends on its degree of authentication regarding the e-signer’s identity. Other important factors to consider include the value of the transaction to be approved and all relevant technical requirements
Before moving further, let’s identify the two major categories of electronic signature:
A basic electronic signature confirms the signer’s intent to sign by having them acknowledge the request and recording this action into the completed document. By contrast, a digital signature(1) uses a digital certificate(2) to authenticate the signer. A digital signature is a type of electronic signature by default since it includes the intent to sign. However, the reverse is not true.
(1) The digital signature is based on a digital certificate. When applied, the e-signed PDF contains information to identify the signer as well as encrypted data guaranteeing document integrity. The digital signature can be displayed in the Acrobat Reader interface itself. Upon opening the PDF, the signature will be automatically approved, provided it is on the Adobe Approved Trust List (AATL).
(2) This file includes the signer’s identity, name of the authority delivering the certificate, and key used for encryption. The certificate may be stored in a file (e.g. pfx), certificate store, HSM, or USB key.
Does my electronic signature use a Digital Certificate?
This straightforward question helps differentiate the two major categories. Let’s look closer at what your answer might tell you about your signature process:
“No, my electronic signature is not using a digital certificate”:
E-signer identification relies on process criteria to authenticate the electronic signature. The accuracy of identifying an e-signer depends on the number and relevance of criteria. Such criteria may include the owner’s email address to receive a document URL, the cell phone number that the OTP(3) was sent to, the device IP address for accessing the document, and the e-signer’s GPS coordinates. These elements can be used to prove consent when listed in a proof file. This file is then attached to the e-signed document, which is locked with a numeric seal and timestamp. This establishes the signer’s identity.
(3) A One-Time Passcode used to open the PDF.
“Yes, my electronic signature uses a digital certificate”:
This would be considered a digital signature. As a result, the signer’s identity relies on the quality of the certificate, specifically whether it’s a self-signed certificate(4) or a qualified certificate(5)
(4) Anybody can create their own certificate with individual information. This kind of certificate can’t guarantee a signer’s identity.
(5) This means the document is delivered by a trusted third-party verifying the signer’s identity. A qualified digital certificate must remain on a USB key, card, or Hardware Security Module (HSM) to be valid. HSMs are used to handle multiple digital certificates in the same secured space.
What defines the e-signing process security level?
Let’s outline the four major classes of signature. Keep in mind that security increases with electronic signature process enrichment, and the choice of e-signing process can make all the difference.
The entry-level “standard signature” simply consists of recording the intent to sign. Whether the electronic signature is a drawing, a typed name, or an image, the signature is considered valid, as long as the signer’s intent is clearly recorded.
A “reinforced standard signature” is delivered when the e-signature process gathers additional details (6) to verify the signer’s identity. These details are recorded to guarantee the document’s integrity (7). Together, they constitute the necessary proof of an e-signer’s identity.
(6) Examples include the e-signer’s email address, cell phone number for receiving an OTP, IP address, and GPS coordinates. All such details are sequentially recorded for successive e-signers of the same document.
(7) Usually, all e-signing steps and details are logged and attached to the document, which is then sealed with a digital certificate and timestamp.
The “advanced signature” uses a digital certificate. For this category, there is no requirement regarding certificate quality. Although the e-signer may use a self-signing certificate, this cannot guarantee the signer’s identity.
Finally, a “qualified signature”, stored on a qualified device, ensures the e-signer’s identity by using a trusted third party for certificate verification(8). This signature type provides the highest level of e-signer identity security and is the legal equivalent to a handwritten signature.
(8) A trusted third-party or government authority may conduct a live video recording including the signer and their ID card or passport for verification
- Former classification is referring to the Electronic IDentification Authentication and trust Services (eIDAS)
- Some explanations are mentioning Electronic Signatures in Global and National Commerce Act (ESIGN act) terms.
- Symtrax Holdings, Inc. is listed as a major player by GlobeNewswire on 5/5/2020 in a Digital Signature Market article