Digital signatures are like electronic “fingerprints.” In the form of a coded message, the digital signature securely associates a signer with a document in a recorded transaction. Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance. They are a specific signature technology implementation of electronic signature (eSignature).
Imagine a document that has legal value. Such a document may contain important information about rights and obligations, in which case you need to ensure its authenticity. You don’t want people to deny the commitments they’ve written down. Furthermore, this document probably has to be mailed to, viewed and stored by different parties. At different places in the workflow, at different moments in time, the document can be altered: voluntarily, for instance to add an extra signature; involuntarily, for example due to a transmission error; or deliberately, if somebody wants to create a forgery from the original document.
For centuries, we’ve tried to solve this problem by putting a so-called ‘wet ink signature’ on paper. Nowadays, we can use digital signatures to ensure:
- The integrity of the document: we want assurance that the document hasn’t been changed somewhere in the workflow.
- The authenticity of the document: we want assurance that the author of the document is who we think it is (and not somebody else).
- Non-repudiation: we want assurance that the author can’t deny his or her authorship.
Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution providers, such as Digital Signer (Digital Signature), follow a specific protocol, called PKI. PKI requires the provider to use a mathematical algorithm to generate two long numbers, called keys. One key is public, and one key is private.
When a signer electronically signs a document, the signature is created using the signer’s private key, which is always securely kept by the signer. The mathematical algorithm acts as a cipher, creating data matching the signed document, called a hash, and encrypting that data. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the digital signature is invalidated.
As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document along with a copy of Jane’s public key. If the public key can’t decrypt the signature (via the cipher from which the keys were created), it means the signature isn’t Jane’s or has been changed since it was signed. The signature is then considered invalid.
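The Jane example above can be run end to end. The following Go program is an added illustration, not code from any signing provider: it assumes RSA-PSS with SHA-256 as the algorithm, and the `Signed` envelope, the function names and the sample agreement text are hypothetical. The signing time is hashed together with the document, so altering either one invalidates the signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signed is a constructed envelope: the signature plus the signing time.
// The time is asserted by the signer; it is not a trusted third-party timestamp.
type Signed struct {
	SignedAt string
	Sig      []byte
}

// NewKey generates an RSA key pair (the private key embeds the public key).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest hashes the signing time and the document together, so changing
// either one after signing yields a different hash.
func digest(doc []byte, signedAt string) []byte {
	h := sha256.New()
	h.Write([]byte(signedAt))
	h.Write([]byte{0}) // separator; signedAt never contains a NUL byte
	h.Write(doc)
	return h.Sum(nil)
}

// Sign produces an RSA-PSS signature over the hash using the private key.
func Sign(priv *rsa.PrivateKey, doc []byte, signedAt string) (Signed, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(doc, signedAt), nil)
	return Signed{SignedAt: signedAt, Sig: sig}, err
}

// Verify recomputes the hash and checks the signature with the public key.
func Verify(pub *rsa.PublicKey, doc []byte, s Signed) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(doc, s.SignedAt), s.Sig, nil) == nil
}

func main() {
	jane, _ := NewKey()
	other, _ := NewKey()
	doc := []byte("Jane sells timeshare week 32 to the buyer.") // constructed sample
	s, _ := Sign(jane, doc, "2024-01-15T10:00:00Z")
	fmt.Println("original, Jane's key:", Verify(&jane.PublicKey, doc, s))
	fmt.Println("altered document:   ", Verify(&jane.PublicKey, append(doc, '!'), s))
	fmt.Println("someone else's key: ", Verify(&other.PublicKey, doc, s))
}
```

Only the first check succeeds; the altered document and the unrelated public key both fail verification.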
To protect the integrity of the signature, PKI requires that the keys be created, managed, and stored in a secure manner, and often requires the services of a reliable Certificate Authority (CA). Digital signature providers, like Digital Signer (Digital Signature), meet PKI requirements for safe digital signing.
Many industries and geographical regions have established eSignature standards that are based on digital signature technology, as well as specific certified CAs, for business documents. Following these local standards based on PKI technology and working with a trusted certificate authority can ensure the enforceability and acceptance of an e-signature solution in each local market. By using the PKI methodology, digital signatures utilize an international, well-understood, standards-based technology that also helps to prevent forgery or changes to the document after signing.
The broad category of electronic signatures (eSignatures) encompasses many types of electronic signatures. The category includes digital signatures, which are a specific technology implementation of electronic signatures. Both digital signatures and other eSignature solutions allow you to sign documents and authenticate the signer. However, there are differences in purpose, technical implementation, geographical use, and legal and cultural acceptance of digital signatures versus other types of eSignatures.
In particular, the use of digital signature technology for eSignatures varies significantly between countries that follow open, technology-neutral eSignature laws, including the United States, United Kingdom, Canada, and Australia, and those that follow tiered eSignature models that prefer locally defined standards that are based on digital signature technology, including many countries in the European Union, South America, and Asia. In addition, some industries also support specific standards that are based on digital signature technology.
Digital signatures rely on public and private keys. Those keys have to be protected in order to ensure safety and to avoid forgery or malicious use. When you send or sign a document, you need assurance that the documents and the keys are created securely and that they are using valid keys. CAs, a type of Trust Service Provider, are third-party organizations that have been widely accepted as reliable for ensuring key security and that can provide the necessary digital certificates. Both the entity sending the document and the recipient signing it must agree to use a given CA.
Secure, Trusted Timestamps for Long-term Signatures
Time stamping is an increasingly valuable complement to digital signing practices, enabling organizations to record when a digital item—such as a message, document, transaction or piece of software—was signed. For some applications, the timing of a digital signature is critical, as in the case of stock trades, lottery ticket issuance and some legal proceedings. Even when time is not intrinsic to the application, time stamping is helpful for record-keeping and audit processes, because it provides a mechanism to prove whether the digital certificate was valid at the time it was used. The growing importance of digital signing solutions has created a corresponding demand for time stamping, so many software programs, such as Microsoft Office, support time stamping capabilities.