e-Signatures and Digital Signatures
The expression electronic signature refers to data in electronic form which is attached to or logically associated with other data in electronic form. In its most basic form, the e-signature can be as simple as a name entered in an electronic document and which is used by the signatory to sign. The concept includes the objective element, which basically consists of the signing method, and the subjective element, that is the intent to sign. As long as the e-signature adheres to the requirements of the specific regulation it was created under, it provides the same legal standing as a handwritten signature.
The generic term e-signature is often used in a broad sense to embrace all types of methods used to sign electronic documents, including the digital signatures. However, these are two distinct concepts and they cannot be used interchangeably.
The digital signatures are cryptographic implementations of electronic signatures, based on asymmetric or public key cryptography. The definition given by the European Telecommunications Standards Institute (ETSI) is that of "data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient".
The digital signature is the signing method which ensures with most certainty the identity of the signer as well as the integrity of the message.
How do digital signatures work?
Advanced digital signatures are secure and legally binding means to implement e-signatures through a two-phases process: the creation by the signer with their private key and the verification by the recipient with the signer's public key. The process involves three cryptographic algorithms:
- the key generating algorithm, that randomly selects a private key and its corresponding public key;
- the signing algorithm, that produces the digital signature from the message and private key;
- the signature verifying algorithm, that uses public key message and digital signature to confirm the authenticity of the message.
To better understand how the process works, let's suppose that John wants to sign a document and send it to Mary.
The key generating algorithm randomly selects a private key and its corresponding public key.
John now holds two keys, a public key and a private key. The two keys are presented in the form of random numbers and letters.
The private key is used to digitally sign a message. The private key of the signer shows that the signature belongs to the private key holder because he is the only one with access to the private key.
While the signer's private key should always remain private, the public key must be shared with the recipient in order to allow the verification of the authenticity and integrity of the document. Any person can verify the identity of the author of the signature by means of the signer's public key. However, if the signer wants the document to be confidential, he can encrypt the message with the public key of the recipient, so that only the recipient using their private key can decrypt it. Eventually, the message is digitally signed and confidential.
The creation process:
After John creates a document, its content is processed through a hashing algorithm (in order to obtain a compressed digital representation of the data unit that is to be signed): the size of the document is reduced by means of this algorithm that creates a unique sequence of numbers and letters (hash value) often called "digest" of the document.
John (the signer)'s private key is applied to the digest result to sign it on his behalf.
The final output, the encrypted digest, is the digital signature of the document.
Therefore, a digital signature is a combination of the signed document and the author's private key. Any variation in the content of the document or in the private key used to sign it will create a different digital signature. The calculation of the hash result and application of the private key through the signing algorithm is a single process conducted automatically. The same applies when verifying the digital signature.
John sends the digitally signed document to the recipient, Mary, who will need John's public key to verify the authenticity of the document and the signature. Therefore, John keeps securely his private key and shares with Mary, the recipient, his public key.
The verification process:
When Mary receives them, she needs to verify the identity of the signer/sender (Authenticity) and the integrity of the signed document. To do so, she can reverse the process and verify its legitimacy.
- Mary applies John's public key to decrypt the digital signature and get the digest. The verification consists of the regeneration of the hash value on the basis of the same document and the same algorithm; this hash value is computed with the public key to produce a checksum, which should be compared with the checksum/signature attached to the document. If the result is identical, it will verify that the signer's private key was used to sign and that the document has not been altered. If Mary cannot decrypt the digital signature, then she knows it did not come from John because only John's public key is able to decrypt the digests generated with his private key. If the signature is untampered, the digests should be exactly the same.
- Once Mary gets the digest, she will check the integrity of the document. Mary can process the document through the same hashing algorithm that John used previously and she will get a digest. Finally, Mary will have two digests, one based on the digital signature and the other one based on the content of the document: if the document is untampered, the digest should also be exactly the same. Comparing them, if both digests match, then Mary can be confident that John is actually the author and that the document has not changed since he signed it, so the content and the digital signature are verified; if the digests are not equal, this will generate an error message and Mary will know the document has been altered in transit.
A same message will never produce two different hash results, as well as two different messages may not produce the same hash result. This means that, had the message been altered since its signing, the hash result calculated by the recipient would not match the hash result calculated and sent by the sender.
It is in this way that digital signatures are one of the key parts of securing data and guaranteeing immutability.
Are digital signatures legally binding?
Digital signatures are the most advanced and secure type of electronic signature.
At Penneo, being compliant with legal requirements is a must.
Digital signatures are legal, trusted and enforceable in nearly every industrialized nation around the globe and are actively in use in Europe. Penneo supports the vast majority of legal requirements worldwide.
A digital signature is as legally binding and valid as a traditional signature placed with ink on paper.
The eIDAS Regulation Art. 25 contains a decisive ban on discrimination against agreements concluded digitally, establishing that "an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form". In other words, it is contrary to the law if any enterprises or authorities refuse to accept or recognize contractual documents solely on the grounds that they are digitally signed. This prevailing principle of non-discrimination is similarly prescribed in almost all other digital signature Regulations around the world, firmly stating that the legal value of signatures cannot be exclusively based on whether they are on paper or in electronic form.
As previously mentioned, the generic term electronic signature refers broadly to any electronic process that indicates acceptance of an agreement or a record. However, not every data attached to an electronic document and used by the signatory to sign provide the same legal standing as a manuscript signature. In order to have the same value as a traditional signature placed with ink on paper, the e-signature needs to adhere to the requirements of the specific regulation it was created under, so that it can be identified as an advanced or qualified e-signature.
Digital signatures, also known as advanced or qualified e-signatures, refer to one specific type of electronic signatures. The digital signatures are cryptographic implementations of electronic signatures, based on asymmetric or public key cryptography. This particular technique uses a certificate-based digital ID to authenticate signer identity and demonstrate proof of signing by binding each signature to the document with encryption. The digital signature is the signing method which ensures with most certainty the identity of the signer as well as the integrity of the message.
In fact, in order for a signature to be classified as compliant and valid, art. 26 of the eIDAS lists three basic requirements that should be met (and the same requirements are similarly materialized in each other e-signature legislation). The signature must be:
- uniquely linked to the signatory and provide distinctive identifying information that confirm that the signatory is who he or she claims to be.
- created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; this can be done with a certificate for electronic signature, electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.
- linked to the data signed therewith in such a way that any subsequent change in the data is detectable; the signature must be capable of identifying any subsequent alteration in the data so that the signature is marked invalid in case of tampering.
Penneo signatures can be used as a proof of trustworthiness in terms of identity of the signer, integrity of data and intent of signing, therefore they have the equivalent legal weight of a handwritten signature.
At Penneo, the Signer Authentication requires a certificate-based digital ID, a PIN plus a unique digital certificate to authenticate signer identity and demonstrate proof of signing. To further increase security, a unique PID (Personal Identifier) is also printed on the document, assuring that the signer's certificate is cryptographically bound to the document.
Penneo is designed to keep documents secure and prevent tampering of the document during and after the signing process with a watermark ID on the document and a secured and recorded audit trail. This procedure allows to be sure that the message was not altered in transit and provide proof of Content Integrity. We could say that the digital signature performs the same function as a mail sealed envelope since it ensures that the recipient receives the file in its original format.
Penneo ensures that a party to a contract or a communication cannot deny the authenticity of their signature on a document or sending the communication in the first place. In this context, Non-Repudiation refers to the ability to ensure that a party to a contract or a communication must accept the authenticity of their signature on a document or the sending of a message here. The signer's intent to sign is captured, the parameters of the transaction are communicated and the signer unequivocally intended to undergo the process and method of signing.
You can always verify the validity of your digital documents signed via Penneo with our Validator
What are the benefits of using digital signatures and why our customers choose us?
The adaptation to the modern business is not only an increasing necessity, but also an advantageous investment to fully appreciate the potentiality of the global digital market. The improvement of the efficiency of your company goes hand in hand with the adoption of digital tools. In this context digital signatures, legalized and recognized as being of equal value compared to manuscript signatures, provide even further reliability in terms of security and data protection and enable your company to enjoy lots of benefits, such as reducing waste of resources and time, automating and streamlining workflows, ensuring authenticity of both signatures and documents.
Why should you use digital signatures? What would your company gain from this adoption?
- Fast, simple, intuitive, adaptable to your needs, available anytime-anywhere
In today's fast-paced world every minute counts. Contracts and documents can now be easily and quickly signed by partners and customers spread around the world using digital signatures. It only takes some minutes, and it doesn't matter anymore where you are and what time it is, you only need an internet connection to digitally sign a document or collect signatures remotely. Penneo's configuration is customer built so that each document is different and unique but can be reused for similar cases. Our configuration capabilities include multi-signing, integrations and collaboration features, personalization possibilities and automation functions. Ensuring flexibility and control, Penneo can integrate with your organization's management systems and adapt to its specific processes, technologies and industry requirements.
- Automation, tracking, sharing
With digital signatures delays are minimized since there is no need to wait for mailing documents back and forth by post or for receiving signed documents from the other parties. The automated process of digital signing streamlines workflows by eliminating many sequential steps each time a document needs a signature. Penneo services will help you to simplify your working day and reduce turnaround times.
The individual archive provides a complete oversight and progress status of all documents — getting a full traceability of documents being sent, opened, activated, completed or signed — while automatic reminders notifies delays of signing. With Penneo you'll have a managerial overview and be able follow the progress of sent out documents easily.
Documents often need to be shared with colleagues, teammates, or people outside your organization. By using Penneo, you can improve effectiveness on joint tasks by sharing documents, tasks or collaborative workflows and achieve synergetic efficiency.
- Authenticity-Data Integrity-Non Repudiation: Probative Value
People are traditionally used to deal with paper documents and the lack of familiarity with electronic solutions may lead them to be afraid of higher risks in digital transactions. However, from a security point of view, digital signatures are undoubtedly one step ahead than the aged, wet ink signatures. Comparing the different signing methods in terms of security, digital signatures are the safest ones and are labelled as virtually impossible to defraud, while paper documents are easily alterable. Manuscript signatures can be defrauded, changes may be made to the content of the paper document and contractual parties can deny having signed it. A digital signature is able to protect the document in a safer way than its traditional counterpart from a triple perspective:
- The identification of the signatories: Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs). This authentication method provides security on the signers' identity and enables anyone to verify who is actually the author of the signature. It's an electronic proof that undisputedly confirms the identity of the signatory and links the electronic signature validation data to that person.
- The integrity of the content of the document: The information being sent can be, stolen or altered before the intended recipient has received it. While using digital signature, in the event that someone tries to change any part of the document there is proof that this happened. Every step is captured in a secured audit trail and makes it extremely easy to verify if the signed document has been modified since it was signed. If a modification is detected, the document is invalidated. When a document is signed through Penneo, the signers use their private key to cryptographically bound their certificate to the document. This phase allows to carry out a validation process consisting in the application of the signers' public key to both authenticate their identity and the non-alteration of the document. Eventually, you obtain evidence of each signature within the document itself.
- The impossibility to repudiate both the signature and the document: Alongside the identity of the signers, it is equally important to ensure their intent of sign. When a digital signature needs to be applied to a document through Penneo's signature platform, the user has been informed of the consequences of his actions and has had the opportunity to read that document. It's also worth mentioning that, while signing the document, signers have to accept a statement of declaration and consent which include an overview of the document itself, as well as the signer's role. This statement is stored as part of the signature itself and thus serves as further proof of the validity of the signature. Furthermore, each newly generated digital signature is time-stamped by a time-stamping authority so that the trusted time of signature generation can be identified and used as non- repudiation evidence.
In paper-based processes, you can only have uncontested certainty of these three main features by availing of the intervention of a notary public. E-signatures which ensure both the identity of the signers and the integrity of the documents, as well as the impossibility to deny the signature, may be compared to notarized signatures. That's why digital signatures actually offer a level of reliability and security that is far higher than those offered by the traditional ones, while allowing the users to save time and money.
- Security, data protection, end-to-end encryption
When using Penneo for documents or signing processes, a high level of security is included. Penneo has implemented rigorous policies to meet the security requirements of some of the most stringent certifications around the world. From authentication to encryption, Penneo protects not only your agreements but also the critical business and personal information. Having a strict focus on IT security, Penneo complies with international legislations, it is certified under ISAE-3000 issued by KPMG and meets the GDPR requirements.
With Penneo, all data transfers can be end-to-end encrypted so you can safely send cases out, even with private information in the documents. The data deletion requires that data is only collected for specified, explicit and legitimate purposes and Penneo is obliged to delete data if this is no longer the case. Using Penneo, you can create and manage users and groups, and use permissions to allow and deny their access to resources. When you create a case file, you can put validation on the individual case, so that it is the correct signer who signs the document. Penneo's high level of security ensures that no one else can access a signed document and that your documents remain inside your IT domain and are never saved on external, untrusted servers or exposed to the risk of tampering and fraud.
- Reduce the use of paper: save time and money while being environmentally friendly
What do you need to hand-sign your documents? Paper, ink, stationery, printing/scanning tools, mailing/shipping services are just some of the most evident extraneous costs that can be avoided by conveniently replace the old-aged processes and embracing the digital solutions. What matters even more than these cost savings is the possibility to save the most important and invaluable of the resources: time. To carry out a paper-based process, the user first needs to come into possession of the document by receiving a mail or printing an email. Then he/she would physically sign the document and need to send it to its originator or to the other parties who need to sign it; these latter would need to follow the same steps once again and then return the document to the person who started the process, who will need to verify the validity of the document and the signatures in terms of authenticity and integrity. These methods are not always secure or timely. Among the most frequent risks, delays in delivery could occur, signatures could be forged, or the enclosed documents may be altered. What's more, the issues increase as multiple signatures are required from different people who may be located in different locations: the originator/sender would probably need to forward the signed document to the other parties once he collected all the signatures, by making physical copies of the document and sending them by physical mail or scanning them to use email. The sole explanation of these steps points out how this offline traditional paper-based process is cumbersome and time/resources-consuming.
Penneo provides you with a cost-effective IT management while helping to give a contribution to the protection of the environment. Using digital signatures means adopting an eco-friendly approach in your company by reducing drastically the amount of paper you need and cut down on environmental waste.
Please visit our Features section to learn more about Penneo's digital signature capabilities and benefits.
How can I verify the validity of a digitally signed document?
The digital version of the documents signed via Penneo represents the final proof of authenticity of the signature and integrity of the content. Our files embed technical evidence that certify who signed the agreement, what was agreed on and when this happened.
With our Validator, you can always verify and confirm the validity of your documents. All you need to do is uploading your PDF and you will get a full overview, including:
- document key algorithm
- eID authentication
- confirmation of validity of the signatures
- proof of non-alteration of the document
Current eSignature laws around the world
Electronic commerce is the basis of every daily activity, today more than ever. In order to fully enjoy the benefits and advantages the digital economy brings, the need for trust and confidence in every form of trade must always be prioritized and satisfied. Building trust and legal certainty in the online environment is key to economic and social development.
For the purpose of addressing these needs in a context of day-to-day practical usage of digital signatures, it is necessary to be able to prove what was signed, and under which circumstances a party entered into the agreement. In the event of a legal dispute concerning an agreement, you need to be sure with a high level of certainty about who you were contracting with and what is the exact content of the signed agreement.
You can exploit the digital signature as valuable evidence, being equal to a witnessed signature, and with the digitally signed document is easy to prove who signed the document and when this happened.
E-signature legislations seek to increase effectiveness in the e-commerce by establishing comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions and enabling the use of electronic equivalent to handwritten signatures in paper-based contracts.
Acknowledging both the ubiquity and the huge benefits involved and the need of a predictable regulatory framework to mitigate potential risks, all the countries have gradually lay down ad hoc legislations setting forth rules and requirements for a safe and compliant use of digital signature.
The demand of an up-to-date legislation that fully serves the needs of business and consumers has been satisfied in the European Union with the eIDAS Regulation.Providing an appropriate and coherent institutional framework for electronic commerce, the eIDAS spreads a better public perception and acceptance and aligns Europe with the rest of the world.
Enforced as of July 2016, the electronic Identification, Authentication and trust Services EU Regulation (n. 910/2014) provides a regulatory environment to enable secure access to services and safe online transactions between people, companies and public administrations.
Being a Regulation and not a directive, it has binding legal force throughout each one of the 28 Member States and does not need to be transposed into national laws in order to enter into force.
What's the difference between the legal concepts of e-signature and digital signature?
The Regulation defines the different types of e-signatures, by distinguishing the electronic signature from the advanced e-signature and the qualified e-signature:
- "electronic signature" means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign and accept the agreement or form.
- 'advanced electronic signature" means an electronic signature which meets the requirements set out in Article 26 and these requirements are that the signature:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
- "qualified electronic signature" means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. In simple terms, the difference between the advanced electronic signature and the qualified electronic signature is the addition of a qualified certificate that has been encrypted by a secure signature creation device.
Therefore, an advanced electronic signature can be used as a proof of trustworthiness in terms of authenticity, data integrity and non-repudiation of online interactions. The advanced e-signature would reach a higher probative value when enhanced to the level of a qualified electronic signature by adding a digital certificate that has been issued by a qualified trust service provider attesting to the authenticity of the qualified signature; so, the upgraded advanced signature then carries the same legal value as a handwritten signature.
Under eIDAS Regulation (Article 27) Member States are prohibited from requesting for cross-border use in an online service offered by a public sector body signatures of a higher security level than the qualified electronic signature.
Evidentiary value in legal proceedings
Recognizing the legal effects of electronic signature, Article 25 prescribes the non-discrimination principle by firmly stating that the legal value of signatures cannot be exclusively based on whether they are on paper or electronic form or they do not meet the requirements for qualified electronic signatures.
In the same article, the Regulation provides qualified electronic signatures with the equivalent legal effect of handwritten signatures and establishes that a qualified electronic signature based on a qualified certificate issued in one Member State must be recognized as a qualified electronic signature in all other Member States and cannot be dismissed in a court proceeding as evidence.
What about non-EU countries?
The ban on discrimination against agreements concluded digitally is similarly contained in almost all other digital signature legislations around the world.
The distinction between advanced and qualified e-signature is only regulated in the European Union and similarly through ZertES in Switzerland, while qualified electronic signatures are not defined in the U.S.
How to use electronic signatures internationally:
Current landscape of global e-signature laws
Three different types of legislative approaches can generally be identified in e-signature laws worldwide:
- Permissive or minimalist: all e-signatures are legal and enforceable. Also called functionalist approach because of its focus on the relevant functions of signatures, it refers to a technology-neutral approach that considers all types of "virtual signatures" (electronic, advanced, qualified, digital..) as legal and binding as manuscript signatures. There are no specific technical requirements or different levels of reliability with respect to the purposes the signatures are used (with some exceptions); the only prescription is that both parties must agree to the use of electronic signatures. Allowing the broad enforceability of e-signatures for all uses, minimalist legislations provide the widest protection and validity for e-signatures. Regions and countries that have adopted multi-tier laws include United States, Canada, Australia, New Zealand and Thailand.
- Two or multi-pronged approach: electronic signatures are legal but only digital signatures have the same legal standing of handwritten signatures. Some countries adopt a hybrid way of dealing with electronic authentication, consisting in a middle ground between the minimalist and the prescriptive approaches. These legislations choose to assign a certain minimum legal status to some electronic signing methods while reserving greater legal effect to others and this level of difference can change from one legislation to another. This approach is likely more time-resistant, leaving room for new technological developments. Jurisdictions adopting this approach usually recognize only digital signatures as carrying the same legal status as handwritten signatures. Electronic signatures are also legal and enforceable (unless stated otherwise), and it is usually prescribed the prevailing principle of non- discrimination on them; however, they are not granted with the same evidentiary weight as digital, advanced, qualified e-signatures. It's up to the parties' freedom of contract to decide what type of signature they prefer; however, businesses should recommend use digital signatures when deals and documents are particularly sensitive. Legislations which follow this approach are usually based on the UNCITRAL MLES (United Nations Commission on International Trade Law - Model Law on Electronic Signatures), that establishes criteria of technical reliability for the equivalence between electronic and hand-written signatures as well as basic rules of conduct for assessing duties and liabilities; it also contains provisions for the recognition of foreign certificates and electronic signatures based on a principle of substantive equivalence that disregards the place of origin of the foreign signature. The application of the two-tier approach involves European Union and other European countries such as Norway, the U.K., Switzerland, as well as Argentina, Bermuda, Chile, Colombia, Mexico, Taiwan, China, South Korea, Singapore, Hong Kong, Japan, India, Malaysia, South Africa.
- Prescriptive or "digital signature": only digital signatures are legally binding. Being diametrically opposite to the minimalist laws, this restrictive approach mainly focuses on the probative status of digital signature basing on the specific technique used to build it. Therefore, it regulates encryption by way of digital signatures as the only method approved in order to replace traditional signatures in the digital environment. Prescriptive e-signature laws lie down precise and strict requirements that an e-signature must meet to acquire legally binding value; sometimes these legislations do not even consider simple electronic signatures or explicitly state that no legal value can be recognized to them. The digital signature approach has only been enacted by a few countries, including Brazil, Israel, Indonesia, Peru, Russian Federation, Turkey.
Although e-signature laws vary from country to country, you can develop a corporate e-signature policy that works worldwide. Penneo meets the requirements of all major e-signature and data privacy global standards and regulations and continuously monitors the legal landscape to be sure our services comply with the latest national, EU and international regulations.
Learn more about how Penneo meets or exceeds national and international standards and Regulations.