Digital Signatures are forever?

By Larry Kluger posted 12-05-2013 03:23


Digital Signatures are forever?

My goal in this blog series is to cover a wide range of topics and issues relating to digital signatures. Let's get started with a hot question that comes up repeatedly at my talks and webinars, “If an employee leaves our company, and he is removed from the digital signature system, what happens to the documents he signed in the past? Do those signatures remain valid?” Yes, they remain valid.

And a related question: “Once a document is digitally signed, can the signature be revoked? Suppose the signer is fired, can we revoke some or all of her past signatures?” No.

Open standard digital signature technology (we'll talk more in the future about what that really means) is modeled after traditional pen and ink signature technology, including signature authenticity issues. You may not think of an ink pen as “technology” but it is. Just visit Fahrney's Pens in DC if you're not sure! But I digress.

Like a pen and ink signature (a “wet signature”), a digital signature cannot be remotely controlled. If a digital signature is valid at the time the document was signed, then it remains valid forever. Checking the validity can get tricky in various cases, but the signature itself, once valid, stays valid.

If a document has been signed with a wet signature, the document can be “un-signed” by scratching out the signature before the document is distributed. In the same way, a digital signature can be removed from a document before it is distributed. But for both wet and digital signatures, it is difficult or impossible to scratch out/remove your signature from all the copies once the document is distributed.

By design, it is difficult to revoke a signed document. For instance, a contract offer can’t be revoked once it is accepted. Instead, the contract must be cancelled by mutual agreement or via one of the accepted clauses. We say “your signature counts” because it is so hard to revoke your signature. And your signature counts equally for both wet and digital signatures.

What about digital certificate “revocation lists?” Can't they be used to revoke a signature? Again, no. A revocation list is used by signing software to prevent a revoked certificate from being used to make a new digital signature. It has no effect on documents correctly signed in the past.

Here’s how it works: Each certificate authority, or CA, issues a revocation list. The CA's revocation list shows the certificates that have been revoked before their expiration time. For example, Joe Employee has a digital certificate issued by his company. He digitally signs a document in June. He leaves the company in July and his certificate is cancelled by adding it to the CA's revocation list. As a result, he can no longer create valid signatures. But his prior signatures, from before he left, were valid and remain valid.

The recipient of a digitally signed document can verify the document’s signature or signatures. As a part of the process, the recipient’s software checks the CA’s revocation list to ensure that the signer’s certificate was not on the list prior to the time the document was signed.

I'll sign off now. But please use the comments to let me know your digital signature-related questions and comments.

Image credit: David Blackwell

#eSignatures #digitalsignatures


01-10-2014 10:13

I completely agree with the post. The problem is that while the act of signing remains valid post-signature, it is quite likely that the signature will not continue to be validatable (is that even a word?) in the future. That is, when a user opens a document that has been digitally signed, it is quite likely that the signature will itself display some sort of error message. This has the net effect of introducing uncertainty into what should be a done deal.
When I teach this topic, I remind students that it was the act in context that was valid - you accepted the transaction, you paid the invoice, it's a done deal. We don't go back and check the wet-ink signatures on the Declaration of Independence because they were accepted at the time and in context. But this is difficult for some to process, especially records management and legal types who tend to be more risk-averse. Not sure what the right answer is here other than education.
Very good article overall. :)

12-15-2013 02:02

Thanks for your comment Steve! The good news is that the volume of digital and electronic signatures are rising fast. As more and more people are exposed to the technology, doubts about its legality and effect should diminish.

12-05-2013 09:20

Thanks, Larry, for your simple, clear explanation. I'm always astounded when my training students or consulting clients tell me that a digital signature "doesn't count," and I appreciate your understandable distillation of why it does!