Ed Snowden and the different types of signatures

Electronic signatures come in four general categories:

1. Using an image of your signature

We've all done this—scan your signature, then add it to your Word document. Then print/email/fax it. If the recipient accepts it then you’re all set. After all, you were the person who “signed” it. But there are lots of downsides: you’re not protected against someone changing the document after you’ve signed it, and recipients are not protected from your claim that someone changed the document after you signed, nor from your claim that it wasn’t you who signed the document. It is trivial for someone to forge your signature, so it’s not a recommended practice.

2. “Electronic Signature” services

These are the SAAS (Software as a Service) electronic signature companies. You register with them, then “sign” the document after sending it to them. Recipients of your document need to access the SAAS provider to verify that the SAAS will verify that the document wasn’t changed since it was signed and that your identity as the signer was assured.

These are popular services but they have multiple downsides. Both you and your document recipients need to trust the signing company and trust that they won’t go out of business for as long as your documents’ signatures need to be verified.

You’re using a non-standard, proprietary solution from the vendor; you need to trust that their systems are correct since no independent third party verification is possible. You also need to send your entire document to the signing service—which means that it is exposed on the Internet.

And since Edward Snowden’s leaks, it is now clear that anything on the internet is fair game. For all of these reasons, these “electronic signature” services are not currently accepted in many European countries.  This type of signature is also not accepted within some regulated US industries either.

These services are popular in the US. They often include built-in workflow to help obtain signatures.

3. Standard digital signatures with hardware-protected certificates and self-signed organizational certificates

This is a very good system since it provides you with the power and trust of open standard digital signatures. This system is also called “Advanced Electronic Signatures.” Your organization issues itself a self-signed certificate. It also issues each signer his or her own certificate, subordinate to the organization’s certificate. All certificates are stored on special high-security appliances. The appliances also provide signing services to actually sign your documents.

Advantages: The system adheres to the open standards for digital signatures. Signatures are independently verifiable (no need to use the signing software for verification). Signer identity can be assured via the organization’s certificate. Digital signatures confirm or guarantee that the document was not changed since it was signed (which protects the signer and recipients). And digital signatures make it very difficult for someone to claim that he or she did not sign the document (non-reputability).

Disadvantages: In the olden days (last century), installing this type of Digital Signature system was costly and complicated since it required smart cards. But for the last 10 years, specialized centralized signature hardware appliances have become available. These lower costs tremendously by centralizing the certificate storage, automatically synchronizing with the organization's Active Directory system and more.

This system is used by many companies and government agencies today.

4. Digital signatures with certificates issued by recognized Certification Authorities

These have the same pluses and minuses as category three, but the signers’ certificates come from Certification Authorities (CAs). These types of signatures are also called “Qualified Electronic Signatures.” They are required for some purposes in Germany and in a couple of other countries. The big disadvantage is their cost: many times higher than solution three since each signer must prove his identity to the CA and pay through the nose for a CA-issued certificate.

Summary

Solution three is popular since it gives all of the advantages at a low cost. Some choose option four for various reasons, but unless your document recipients require CA-issued certs, there is no benefit; only added costs over solution three. If you need workflow, it can be added to solution three and is usually included with solution two.

Please comment and let us know what you think! You can also ask the vendors on your shortlist for more information about these issues.

Full disclosure:  I work for a vendor that sells solutions three and four.

Photo credit:  Laura Poitras / Praxis Films