Codete Blog

Electronic Signature vs Digital Signature: How Can a Signature Prove Your Identity Online?

20/06/2021

10 min read

Ruslan Rugalov

2021 is a pretty rough time to live in. We've just witnessed the anniversary of what was supposed to be a two-week-long lockdown. The lasting pandemic has dramatically increased interest in digital solutions that allow people to minimize face-to-face communication and move the majority of their lives into applications. Most of the solutions that are being used to simplify our lives right now were developed much earlier, though. One such thing is signing documents online.

But what do most people know about the online signing process?

Offline, we’re all used to signing documents with our personal, handwritten signatures (which don’t contain any personal information that could help us verify the signer and can be forged pretty easily). Legal entities also use stamps. 

But what would you do if you were to sign a contract with someone in another country? Or if you needed several people from different parts of the world to append their signatures to the same document? How would you arrange this? By postal service? Spare me from this, please! :)

Luckily, most of the time we can use electronic signatures.

But what is an electronic signature, you may ask? Does it provide any information about you? How can it be validated? Is there any electronic equivalent to graphological analysis which would allow a designated authority to check if the signature was really made by you? How does it work with an e-signature? Is it secure?

Let’s dive into the subject.

 

Electronic signature vs. digital signature: what’s the difference?

Simply put, the main difference between an electronic signature and a digital signature is security.

An electronic signature is any electronic form of a signature. For example, a home-made scan of your handwritten signature counts as one. A digital signature, by contrast, could be called a secure and valid form of the electronic signature – in other words, a digital signature is a safe and verified electronic signature you can use for signing contracts.

 

What is an electronic signature? 

An electronic signature is a concept. In the simplest example, imagine you can just paste an image (even your initials) into a document and it will already be accepted as an e-signature.

Here, a quite reasonable question might have come to your mind: 

How can such an easily forgeable thing be used in a real contract signing flow and have legal validity?

Fortunately, in real life - it can't. Nobody accepts a simple image pasted into a document as a valid e-signature.

To make online signing possible, the electronic signature solution must provide phishing protection and be as hard to hack as possible. Here, the digital signing process as an implementation of the electronic signing concept comes into play.

 

What is a digital signature? 

As I mentioned above, the digital signing process is the implementation of the electronic signature concept. It has a much more complicated flow than simply pasting an image into a document, but - thanks to the complications - it allows all parties of the contract to secure themselves against being hacked and to prove their signatures' validity.

To get familiar with how it works, let's go through an example flow with some semi-technical explanation.

 

How does a digital signature work?

We usually use digital signatures with PDF documents.


Forms and fields structure

PDF documents can contain forms. A form is a group of fields that are connected into one entity. The fields define which parts of the document can be edited by the parties. They are linked to a place reserved in the document’s meta-data that allows the person filling them in to insert values into the PDF without interfering with the file’s structure.

 

form = group of fields

field = place in the form for inserting data

 

Basically, setting up a form in a document means that we reserve some place in it to be filled with different data that will be stored near the field (like the requested signer’s e-mail address etc.).

The forms and fields structure is a huge topic that could easily make another article, so if that’s something that might interest you - stay tuned, I will be glad to cover it later. :)

For now, let’s agree that we took a PDF document and added a bunch of fields, attached to different recipients inside their meta-data.

What’s next? 
 

Transactions

Now, such a thing as a transaction comes into play. Adobe, for example, keeps transactions as an entity to contain all information about the signers' order, their additional information, authentication of all participants, and a lot more. But in general, transactions support keeping all progress together - in one place. 

 

transaction = place for storing all progress information

 

On a side note: one transaction can contain several documents that can be signed by one certificate (I will explain it later) and serve as a confirmation that all documents within one transaction are signed by one person in one context and in one session. 

But let’s keep going: after setting up the form, we can send the transaction to all requested recipients and proceed to signing.
 

The digital signing process

So, what about signing? You opened the document, you checked all the info inside it, you agreed with all of its content - now you’re ready to put your signature in it. 

How is it done? 

The signing process can be separated into two major steps:

  1. filling annotations,
  2. appending signature.


Annotations

What is an annotation? To put it simply, it’s additional information about the field and its content. In the digital signing flow, the information that you type in the fields of a form is not really stored inside those fields. It’s kept outside of the document’s body in a specific area that allows us to keep the file’s body immutable.

An annotation can contain all the data that you put in a given field (like your signature image, text or logical value; the field types are another separate, broad topic) and a link to the field that the particular annotation is connected to.

So, once again - an annotation is a place where information about the field itself and its state/value can be stored.

*Technical note: an annotation is a way to work around the limits on the information that is allowed in the field’s value/metadata. This is not a standard, and appears to be one of many solutions in the digital signing flow.

 

annotation = additional data in the field + link to the field

 

Signatures

Signatures, in the same way as annotations, are kept in a designated part of the PDF’s meta-data. 

Explained in a simple way, a signature is the confirmation of your awareness of the document’s content, encrypted in a pretty complicated way. In the context of coding, the signature is a pack of bits which represent a hash of the original document’s state with all the meta-data connected to it (like annotations etc.), encrypted with the private part of an asymmetric cryptographic key-pair. 

 

signature = encrypted representation of the document’s state

 

A signature can be easily read and verified, using the public part of the same, abovementioned certificate (or the root certificate that was used to enroll the signing certificate). 

 

The signing flow

Whenever you’re going through the signing flow in software like Adobe Sign, DocuSign or any other application, you finalize filling the form by pressing the glowing “Sign” button. 

That’s when the magic begins! The service:

  • enrolls your personal certificate (or uses an already existing one connected to your user),
  • extracts public and private key parts of received certificate,
  • puts the annotations and links them to the fields that you filled,
  • takes the hash of the file’s state and signs it with public key part, extracted in second step,
  • allocates the signature in a dedicated area in the file's meta-data,
  • profit! :)


*Note: to understand how this flow works in a cryptographic way we need to take a closer look at public-key cryptography, but as you can guess, this is also a huge topic. Should we discuss it separately later? :)


The same operation is performed for every other person who signs the document.

And as a result, you receive a document which displays all the required information in a visual form of fields, and a pack of signatures that contain all the details about the signers. The signatures can be verified (using trusted certificates) by the authority that enrolled the certificates for this whole process. 

 

Digital signature benefits

That was a lot of complicated text above, but what does a digital signature really give to customers? Is it really secure? How can it be used? 

Let’s look at some examples of benefits the digital signature provides:

  1. A digital signature contains information about the signer - any information that is allowed in the certificate specification: first name, last name, e-mail, phone number, country, organization, time, date etc. The certificate authority bears responsibility for the validity of the information provided, so if you trust the company that issued the certificate - you can trust this data.
  2. A digital signature can’t be extracted and moved into another document. Because of the whole encryption mechanism, moving a signature will cause it to invalidate itself once the document’s body and the connected annotations are not the same as those that were there at the moment of signing. (Small lies everywhere: you can extract and move a signature without losing its validity, but only if you paste it into a document that has literally the same state as the one the person had signed before. The more you know. :) )
  3. The previous point leads us to an even more important security point: updating documents or any of the connected annotations will invalidate all previously appended signatures. This feature is really valuable - after all, no one wants to be cheated in such a cheap way as having some numbers inside a contract edited after having signed it, right?
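
The behaviour described in the Signatures section and in points 2 and 3 above, as an added example that is not part of the original article or of any signing product: Node.js signs a hash of a document's state with the private key and verifies it with the public key. The document layout, the field names, the serialization and the choice of RSA with SHA-256 are assumptions made for illustration and stand in for a real PDF structure.

```javascript
const crypto = require("node:crypto");

// The signed "state": document body plus every annotation, serialized in a fixed way.
// The length prefix stops bytes from sliding between body and annotations.
function documentState(doc) {
  const prefix = Buffer.alloc(4);
  prefix.writeUInt32BE(doc.body.length);
  const ann = JSON.stringify(doc.annotations.map((a) => [a.field, a.value]));
  return Buffer.concat([prefix, doc.body, Buffer.from(ann, "utf8")]);
}

// Signer: SHA-256 hash of the state, signed with the PRIVATE key.
function signDocument(privateKey, doc) {
  return crypto.sign("sha256", documentState(doc), privateKey);
}

// Verifier: recomputes the hash and checks it with the PUBLIC key only.
function verifyDocument(publicKey, doc, signature) {
  return crypto.verify("sha256", documentState(doc), publicKey, signature);
}

function demo() {
  // Constructed key pair; a signing service would take it from the signer's certificate.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  // Constructed sample document (hypothetical layout, not a real PDF).
  const contract = {
    body: Buffer.from("Contract: pay 1000 EUR to ACME"),
    annotations: [{ field: "signer_email", value: "alice@example.com" }],
  };
  const signature = signDocument(privateKey, contract);

  const editedBody = { ...contract, body: Buffer.from("Contract: pay 9000 EUR to ACME") };
  const editedAnnotation = { ...contract, annotations: [{ field: "signer_email", value: "bob@example.com" }] };
  const otherDocument = { body: Buffer.from("Power of attorney"), annotations: [] };
  const identicalCopy = { body: Buffer.from(contract.body), annotations: [...contract.annotations] };

  const check = (doc) => verifyDocument(publicKey, doc, signature);
  return {
    original: check(contract),                 // untouched document
    editedBody: check(editedBody),             // a number changed after signing
    editedAnnotation: check(editedAnnotation), // a field value changed after signing
    movedToOtherDocument: check(otherDocument),// signature pasted elsewhere
    movedToIdenticalState: check(identicalCopy), // the exception from point 2
  };
}

console.log(demo());
```

Only the unchanged document and the byte-identical copy verify; every edit to the body or to an annotation, and every move to a different document, makes verification fail.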

 

Digital signatures - are they really in use already?

It all sounds good and secure, but is digital document signing important and useful right now? Unfortunately, not as much as I personally would like it to be. 

Many countries (members of the European Union, for example) seem to ignore security measures in the context of e-signing documents and treat a simple image pasted into a document the same way as a bulletproof digital signature with encryption attached. Basically, in a legal context, digital signatures are for now mostly useless in practice. But as time goes by, a lot of countries and companies are getting more and more interested in digital security and electronic document management. Governmental services are issuing personal certificates for citizens to be used as authentication methods, and companies are using centralized certification to manage access to internal resources. Who knows, maybe forced secure signing is not so far from us, too?

As an example, you can dive into how Adobe Sign works. They are one of the largest investors in this area and take a huge part in defining standards and developing solutions to match them. Of course, Adobe Sign is only one of many implementations. There are different signing methods, different ways of encryption and ensuring security, but they all serve the same goal: to protect you from fraud in a legal context. And if you want to be protected and ready for a changing world - keep an eye on this topic. It’s pretty interesting and can save you a lot of time, money and nerves in the future.

Take care of your privacy and don’t allow anyone to touch your certificates with their dirty hands. :) Thanks for your attention!


Ruslan Rugalov

Software Engineer at Codete. Frontend developer specialized in JavaScript and TypeScript with experience in PDF digital signing and predictive ML models in the webcam video streaming field. Interested in ML and IA. In his free time, he enjoys video games, extreme sports, and playing the guitar.
