What’s in a Name? Digital Signature vs. E-Signature (Part 3)

Rahim Kaba, December 4, 2017

In part 1 and part 2 of this blog series, we looked at the differences between a digital signature and an electronic signature, and their role in building detailed audit trails as part of the signing process. In the third and last installment of this blog series, we’ll explore how digital signatures use a digital certificate-based ID to establish trust between participants in a digital transaction.

What’s a Digital Certificate?

Digital signatures are built on Public Key Infrastructure (PKI) and rely on public and private key pairs to secure the underlying digital transactions. When you sign a document electronically, for example, you need assurance that every participant in the transaction is using valid keys.

That’s where the digital certificate comes into play. A digital certificate is an electronic document issued to a signer by a Certificate Authority (CA) or Trust Service Provider (TSP) that binds a public key to the signer’s identity. The legal definition of an electronic signature always includes language around signer identity, which is why best-in-class eSignature solutions use digital certificates as part of the e-sign process to authenticate the signer.

The purpose of the certificate is to validate and certify that an e-signature corresponds to a specific signer, since it contains data related to the identity of the signer (e.g., name, ID number, signature keys, certificate issuer, etc.). Certificates are often stored on signature creation devices such as secure smart cards and tokens, or centrally in a Hardware Security Module (HSM) in the cloud, and are required to create a digital signature. During the signing process, the signer’s certificate is cryptographically bound to the document using the signer’s private key.
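To make that binding concrete, here is an added Go example; it is not code from the original post or from the eSignLive product. It builds a hypothetical CA, issues a signer certificate that ties a public key to a name, signs a document with the matching private key, and then runs the two checks a relying party needs: the certificate chains to a trusted CA, and the signature verifies under the certificate's public key. The CA name ("Hypothetical TSP Root CA"), the signer name ("Alice Example") and the sample contract text are constructed for the example; in practice the certificate comes from a CA or TSP, and the private key lives on a smart card, token or HSM rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert binds pub to subject in a certificate signed with issuerKey; a nil parent means self-signed.
func issueCert(subject string, pub *ecdsa.PublicKey, parent *x509.Certificate,
	issuerKey *ecdsa.PrivateKey, usage x509.KeyUsage) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage, // the certificate states what the key may be used for
		BasicConstraintsValid: true,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent = tmpl // hypothetical CA root: signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // .Raw on the result is the DER a signer ships with the document
}

// newPKI creates the hypothetical CA and issues one signing certificate to signerName.
func newPKI(signerName string) (*x509.CertPool, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signerKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	caCert, err := issueCert("Hypothetical TSP Root CA", &caKey.PublicKey, nil, caKey,
		x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, nil, nil, err
	}
	signerCert, err := issueCert(signerName, &signerKey.PublicKey, caCert, caKey, x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool() // the relying party's trust anchors
	roots.AddCert(caCert)
	return roots, signerCert, signerKey, nil
}

// signDocument hashes the document and signs the digest with the private key matching the certificate.
func signDocument(doc []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (certDER, sig []byte, err error) {
	digest := sha256.Sum256(doc)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cert.Raw, sig, err
}

// verifySignedDoc is the relying party's side: chain the certificate to a trusted CA, confirm it is
// authorized for digital signatures, then verify the signature; returns the signer's name on success.
func verifySignedDoc(doc, certDER, sig []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", fmt.Errorf("certificate is not authorized for digital signatures")
	}
	// CheckSignature hashes doc with SHA-256 and verifies the ASN.1-encoded ECDSA signature.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	roots, cert, key, err := newPKI("Alice Example")
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample contract: the parties agree to the stated terms.")
	certDER, sig, _ := signDocument(doc, cert, key)
	fmt.Println(verifySignedDoc(doc, certDER, sig, roots))
	doc[0] ^= 1 // one bit changed after signing
	fmt.Println(verifySignedDoc(doc, certDER, sig, roots))
}
```

Run it with `go run` and the first line names the signer while the second reports an invalid signature: the same certificate and signature no longer match the altered bytes. Two caveats for real deployments: Go's `Verify` checks the chain and validity period but does no revocation checking (CRL or OCSP), which a relying party must add, and a certificate from an issuer that is not in the trust store fails the chain check even when its signature is mathematically valid, which is exactly the point of the key-to-identity binding.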

Types of Digital Certificates

Depending on factors such as geography, industry and the risk profile of the transaction, organizations may have different requirements for digital certificates and how they are managed. There are multiple ways in which signing can take place, and this largely depends on where the certificates are stored:

  • Server-signing Certificate: The signer is securely authenticated and the document is digitally signed with a trusted certificate in the cloud (or on-premises for applications deployed in-house).
  • Local-signing Certificate: The signer’s identity is attached to a personal certificate (locally stored on a PIN-protected smart card, USB token or computer) that digitally signs the document.

According to Forrester, "the US predominantly opts for simpler e-signature authentication" and has adopted the advanced e-signature (AES), which uses several forms of authentication and a common server-signing certificate hosted in the vendor’s cloud service. Firms in the EU, on the other hand, "place a higher priority on authentication" and may require an AES coupled with strong forms of authentication, or the Qualified E-Signature (QES), which relies on third-party digital certificates. In Belgium, for example, all citizens are issued electronic identity (eID) cards that include a unique digital certificate and are used for processes such as signing contracts and agreements. This creates a QES, in accordance with the requirements of the EU’s eIDAS regulation.


What About Timestamping?

Electronically signed documents include details such as the signer’s digital certificate (i.e., a local- or server-side signing certificate), a timestamp, and the signer’s information (e.g., email address and IP address). While most e-signature solutions will apply a timestamp to record the date and time of the signing process, there are scenarios (e.g., high-risk, high-value transactions) where organizations may want to opt for what’s called a "qualified timestamp", a timestamp generated by a trusted third party for each signing event, to further strengthen the integrity of the electronic signature. The eSignLive solution supports this by connecting to a qualified timestamp server, binding the e-signature data to a trusted timestamp that independently proves when a particular transaction took place.
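The following Go example, added here and not taken from the original post or the eSignLive product, models what a qualified timestamp adds over a timestamp the signing application writes itself. The requester sends only a hash of the signature data to a third-party timestamp authority (TSA); the TSA returns the time it attests plus its own signature over hash and time, so a later verifier can prove when the signing event happened without trusting the signer's clock. The TSA, its key, its clock and the sample signature bytes are all constructed for the example; a real TSA returns an RFC 3161 token that also carries the TSA's certificate, which the relying party verifies the same way as the signer's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimestampToken is a simplified model of a TSA response: the hash that was stamped,
// the time the TSA attests, and the TSA's signature over both.
type TimestampToken struct {
	Imprint []byte    // SHA-256 of the signature data that was stamped
	Time    time.Time // asserted by the TSA, not by the signer
	Sig     []byte    // TSA's ECDSA signature over Imprint || Time
}

// TSA is a hypothetical timestamp authority with its own key and trusted clock.
type TSA struct {
	key   *ecdsa.PrivateKey
	clock func() time.Time
}

func NewTSA(clock func() time.Time) (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{key: key, clock: clock}, nil
}

// PublicKey is what relying parties use to check tokens (in practice it arrives in the TSA's certificate).
func (t *TSA) PublicKey() *ecdsa.PublicKey { return &t.key.PublicKey }

// Imprint is the hash a requester sends to the TSA; the TSA never sees the signature or document itself.
func Imprint(signatureData []byte) []byte {
	h := sha256.Sum256(signatureData)
	return h[:]
}

// tokenDigest is the value the TSA signs: the imprint and the time, bound together.
func tokenDigest(imprint []byte, ts time.Time) []byte {
	h := sha256.New()
	h.Write(imprint)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(ts.Unix()))
	h.Write(buf[:])
	return h.Sum(nil)
}

// Issue stamps an imprint with the TSA's current time.
func (t *TSA) Issue(imprint []byte) (TimestampToken, error) {
	if len(imprint) != sha256.Size {
		return TimestampToken{}, errors.New("imprint must be a SHA-256 digest")
	}
	ts := t.clock().UTC().Truncate(time.Second)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, tokenDigest(imprint, ts))
	if err != nil {
		return TimestampToken{}, err
	}
	return TimestampToken{Imprint: imprint, Time: ts, Sig: sig}, nil
}

// VerifyToken checks that the token covers exactly this signature data and that the TSA really
// asserted tok.Time: an edited time or a token reused for another signature fails either way.
func VerifyToken(tok TimestampToken, tsaPub *ecdsa.PublicKey, signatureData []byte) error {
	if !bytes.Equal(tok.Imprint, Imprint(signatureData)) {
		return errors.New("token does not cover this signature")
	}
	if !ecdsa.VerifyASN1(tsaPub, tokenDigest(tok.Imprint, tok.Time), tok.Sig) {
		return errors.New("TSA signature invalid: imprint or time altered")
	}
	return nil
}

func main() {
	tsa, err := NewTSA(time.Now)
	if err != nil {
		panic(err)
	}
	esig := []byte("constructed e-signature bytes for one signing event")
	tok, _ := tsa.Issue(Imprint(esig))
	fmt.Println("issued at", tok.Time, "valid:", VerifyToken(tok, tsa.PublicKey(), esig))
	tok.Time = tok.Time.Add(-24 * time.Hour) // a changed time no longer matches what the TSA signed
	fmt.Println("after editing the time:", VerifyToken(tok, tsa.PublicKey(), esig))
}
```

The design point is that the token is bound to one specific signature through the imprint, and the time inside it is bound to that imprint by the TSA's signature, so neither can be changed or transplanted after the fact. That is the property a plain application-written timestamp lacks, and the reason the page reserves qualified timestamps for higher-risk, higher-value transactions.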

Not All Solutions Are Created Equal

Many solutions in the market do not provide complete support for the wide range of certificates available. Look for a solution like eSignLive by VASCO, which utilizes standards-based digital signatures and supports X.509 certificates to ensure universal acceptance. You get immediate interoperability with digital certificates issued by any TSP and CA, unlike other vendors whose platforms require development work to support certificates from specific issuers. See how this works.

Our latest eSignLive release includes user experience (UX) enhancements for certificate signing. Unlike other e-signature solutions that rely on Java applets and browser plug-ins (and therefore depend on support from individual browser vendors such as Microsoft, Google and Mozilla) for local-signing-certificate-based processes, eSignLive has implemented an approach that leverages certificate client software, which is compatible with the most widely used browsers in the market.

A similar workflow is used by U.S. government personnel and contractors that routinely e-sign forms and documents using a digital certificate that is stored on a smart card, such as a U.S. Department of Defense Common Access Card (CAC) or a Personal Identity Verification (PIV) card. This provides strong two-factor authentication with something the user knows (the PIN for their card), and something the user has (the card).

In practical terms, our open and standards-based approach means that certificates from any one of the hundreds of CAs and TSPs work with eSignLive out of the box, so you can accelerate your time-to-market with e-signatures and achieve the highest adoption possible. The added benefit of selecting a standards-based solution is a future-proof product that supports your signing needs, today and tomorrow.

Final Thoughts

eSignLive uses digital signatures and digital certificate-based ID to establish trust and signer identity. Our solution supports the most rigorous local- and server-certificate signing requirements, including the Advanced (AES) and Qualified (QES) electronic signatures, as defined in the EU’s eIDAS regulation and in other e-signature laws around the world. Maintaining high levels of security and trust is what has made our business so successful over the last 20+ years. We have a deep understanding of e-signature technology, including how to leverage digital signatures and certificates to authenticate signers and guarantee the integrity of e-signed documents. Visit our digital signature page to learn about the top 5 "must-have" criteria to keep in mind when evaluating solutions in the market.

Rahim Kaba is a passionate and results-driven digital technology leader who has played a key role in advancing digitization initiatives at organizations around the world. As VP Product Marketing at OneSpan, he leads the go-to-market strategy of the company's growing portfolio of solutions.