Have you ever signed a document digitally, as in via your computer, and assumed that the hand drawn or typed version of your name you placed on the document was your “digital signature”?  Read on to learn (some of) the details in the closest thing to human terms that I can provide.

Note: This is Not a “White Paper”

If you are a hardcore computer scientist, a cryptologist, or understand what PKCS stands for without clicking this link you will want to skip this one because I’m not going to spend time drawing out all of the finer points of an “SSL handshake” vs the infinite ways that cryptography is used in computer science.  Partially because I don’t know them all, and partially because it’s not the point of this article and you are not the intended audience.

Cryptographic Digital Signatures

Digital Signatures, and more generally cryptography, are a technology in computer science that you use every day whether you know it or not.  Every time you’ve been to a website that had the little lock icon to the left of your browser’s address bar you were using some form of encryption.  All it really means is that your browser and the computer(s) it is talking to are doing so by passing data back and forth that has been encrypted, and thus secure from snoopers that might be sitting somewhere in the network between you (your computer) and the server whose content you are browsing.  **Breathe techies, I realize you’re dying to correct me, but just let it go!**.

E-Signature vs Digital Document Signature

But how does that relate to documents and the hand-drawn E-Signature you put on them when signing?  Well, there is a difference between the collection of an E-Signature from a document signer (when they draw their John Hancock) and the more technical version of a digital document signature that uses specially created and “trusted” digital encryption certificates.  Trust by whom, you say?  The people that issue the certificates, of course, and the software (Chrome, Firefox, Adobe Acrobat, servers) that uses them to keep your data private.

The hand drawn version is just a picture, very literally, that the user interface of whatever tool (Mac Preview, for example) you are using takes from your hand drawn signature.  When all the parties that are signing the document have drawn their signatures and placed them into the document, then one could say that the document has been “digitally signed” in the most literal terms.  Depending on the system you and your fellow document signers are using to execute the document signature and whether or not that system adheres to the requirements of the E-Sign Act, this document would be considered legally binding, just like a paper document.  An example of a system that provides just such a legally binding, E-Sign Act compliant, digital signature would be Contract Canvas, check it out.

And then there is a digital signature in terms of cryptography.  To “digitally sign” a document in the cryptographic sense, an additional step would have to be taken that would use a private encryption key and certificate to “sign” the document.  This  cryptographic digital signature is totally separate from drawing your John Hancock on the document.  The purpose for this type of digital signature is to ensure that the document, once cryptographically signed, cannot be modified by either party and still be considered valid.  This is what I’ve heard referred to as a “wrapper certificate”, and it just means that the identity of the signers is NOT part of the cryptographic digital signature, but the 3rd party that cryptographically signed it VOUCHES for the identity of the two signers and guarantees that the document has not been tampered with after the fact as long as the certificate is still valid.

Digital Document Signatures

And then there are Digital Document Signatures in the terms used by the cryptography providers such as Global Sign, Sectigo, DigiCert, the US Departments of Defense, and many others.  A digital document signature is not only about making sure that the document cannot be modified after the fact, but also about verifying the identity of the signers through each party’s cryptographic signature.  For a digital document signature to take place each party must go to one of the providers listed above and purchase (or in the case of the DoD, be allocated) a Document Signature Certificate for around $300.  To get one of these certificates, the provider will go through some form of identity verification to make sure that the holder is who they say they are.  In other words, it is the due diligence of the certificate provider that adds the additional level of security.  Then, when the signers are using some tool like Adobe Acrobat to cryptographically sign the document, their verified identity is inserted into the document so that once fully executed, each signers cryptographic signature and identity will be included in the document.  This kind of digital signature for everyday purposes is, in my humble opinion, like using a sledgehammer to squish a gnat; a bit of an overkill.

Legally Binding Is The Goal

It was after learning all of that I realized what a less-than-perfect technology and process Digital Document Signatures are.  The reason?  Because when I purchased my Document Signing Certificate from one of the Adobe Approved Trust List (AATL) providers it came in the mail as a physical thumb drive after a pretty light identity verification process.  It does require a password to use, but then so does my Reddit account.  This was a physical thumb drive that represented me and/or my company digitally.  If I left it on my desk at work and (not that anyone has ever done this) had written my password somewhere at my desk (say, on a sticky note) someone could impersonate me in signing documents, albeit in a very secure fashion.  It also made me realize that for the average business person like myself that is signing contracts of a value less than $100k, a legally binding E-Signature is sufficient.