Digital Signatures: A Comprehensive Guide

Understand and leverage digital signature technology to create secure electronic signatures

What is a digital signature?

Digital signatures utilize a set of accepted standards called Public Key Infrastructure (PKI) and support electronic signatures to deliver a legally binding and secure method of signing documents. The increased adoption of digital signatures means that businesses must ensure their agreement processes are compliant. Legal and regulatory requirements vary globally and by use case. Choosing the right vendor can take care of most of the compliance burden. 

OneSpan Sign is a leading e-signature solution built on digital signature technology that can help you to meet geographic requirements, such as those outlined in the European Union’s eIDAS regulation, as well as industry-specific requirements in regulated industries, such as Financial Services, Government, and Healthcare.

What is the difference between electronic signature and digital signature?

What's the distinction?

“Electronic signatures” and “digital signatures” are often used interchangeably, but each term carries a distinct set of defining features and functions. The broader category of e-signatures often includes digital signatures, which are a specific type of technology used to implement electronic signatures.

More specifically, an electronic signature is, like its ink equivalent on paper documents, a legal concept. Its purpose is to capture a person’s intent to be legally bound to an agreement or contract in the form of a digital document or electronic document and as part of a paperless process.

A digital signature, on the other hand, is not a different type of electronic signature. It refers to encryption/decryption technology and is a subset of an electronic signature. Based on public-key cryptography (as opposed to private key), which generates two keys (public and private) using cryptographic mathematical algorithms, digital signatures secure signed documents and allow one to verify the authenticity of a signed record. A digital signature alone, however, is not an e-signature and therefore cannot capture a person’s intent to sign a document. When used with an e-signing application, digital signature technology secures the e-signed data. The confusion comes when terms like “digital signing” blend the two terms colloquially.

What's the solution?

A solution that simply digitally signs documents often lacks feature sets commonly found in best-in-class eSignature solutions, including an out-of-the-box user interface (UI), as well as transaction management and advanced document workflow customization capabilities used in more complex transactions that touch the customer.

The bottom line is that when looking for a solution to manage your signing processes, it’s important to ensure that it is built on digital signature technology to guarantee the integrity of the document and underlying signatures. Without the use of digital signatures, your document-based transactions may not be legally binding, putting you and your organization at risk in the event of a compliance audit or legal case.

How do digital signatures work? The e-signature process

OneSpan Sign handles all aspects of the signing process – from collecting consent to delivering and storing the e-signed document and detailed audit trail of the transaction. Our solution is managed with security, compliance, and long-term verifiability in mind. Customers gain peace of mind knowing that their documents are secure throughout their lifecycle. The following table highlights the key steps in the document signing process:

  • Consent: Signer consents to the use of e‑signatures and e‑documents
  • Intent: Click, type or draw action to sign at a specified location
  • Identity Proofing: Identification and authentication methods verify the signer’s identity in order to allow them to access the documents and sign
  • Digitally Sign: Binds the certificate, user identity and audit trail to signed data
  • Verify: Verify document, identity, time/date, audit trails with PDF reader
  • Audit: Vendor-independent audit trails that capture events proving how the signer was identified, what they signed, when, and where
  • Store: Documents stored in a repository or the customer's desired system of record

A deeper dive on digital signatures

OneSpan Sign computes one digital signature for each electronic signature in a document and stores these digital signatures in accordance with the ISO 32000 standard. OneSpan Sign first computes an electronic “fingerprint” or digest of the document using the SHA-256 hashing algorithm. This fingerprint, or hash, uniquely represents the document. OneSpan Sign then uses asymmetric encryption to encrypt the fingerprint to create a digital signature before embedding it in the document.

In order to verify the integrity of the document and signature, you need to decrypt the digital signature. The PDF standard supports this by allowing services like OneSpan Sign to store a copy of the public key in the signed document.
 

Digital Signature


Additional audit data
The PDF standard also allows for a timestamp to be stored with each digital signature. OneSpan Sign computes and stores timestamps with more information than is required by standards. This includes the email address of the signer, a unique identifier associated with the signer, a unique identifier associated with the overall transaction, as well as the IP address. Data is stored in a way that is visible to the user at verification time.

Subsequent digital signatures
Subsequent digital signatures are computed in the same way; however, every time a new digital signature is applied to the document, the hashed data includes the entire document, updated changes (i.e., completed form fields), as well as the previous digital signatures themselves. See the figure below.

Verifying digital signatures
The process of verifying digital signatures is the reverse of the process to compute them. The process is completed automatically by most PDF viewers and begins by extracting the public key, as well as the corresponding digital signature in the signed document. The viewer then decrypts the digital signature in order to obtain the document’s fingerprint or digest. Afterwards, the viewer computes its own fingerprint using the current state of the document. If both fingerprints match, it means that the document was not modified since the digital signature was applied.
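
The signing, chaining and verification steps described above, as an added example that is not OneSpan Sign code. It assumes textbook RSA without padding over a constructed toy key, and a hypothetical `%%SIG:` marker format in place of the real ISO 32000 signature structures, so that it stays self-contained.

```python
import hashlib

# Constructed toy key built from two Mersenne primes: trivially factorable, demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent
MARK = b"\n%%SIG:"                       # hypothetical marker, not a PDF structure

def fingerprint(data: bytes) -> int:
    """SHA-256 digest of the document bytes, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Private-key operation on the digest (textbook RSA, no padding)."""
    return pow(fingerprint(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key, compare with a fresh one."""
    return pow(signature, E, N) == fingerprint(data)

def append_signature(doc: bytes, update: bytes = b"") -> bytes:
    """Apply changes, then sign everything so far, earlier signatures included."""
    body = doc + update
    return body + MARK + format(sign(body), "x").encode() + b"\n"

def verify_all(doc: bytes) -> list:
    """Check each embedded signature against all the bytes that precede it."""
    results = []
    pos = doc.find(MARK)
    while pos != -1:
        end = doc.find(b"\n", pos + 1)           # end of the hex signature line
        signature = int(doc[pos + len(MARK):end], 16)
        results.append(verify(doc[:pos], signature))
        pos = doc.find(MARK, end)
    return results

if __name__ == "__main__":
    doc = append_signature(b"Loan application v1\n")          # first signer
    doc = append_signature(doc, b"field:income=50000\n")      # form field + second signer
    print(verify_all(doc))
    print(verify_all(doc.replace(b"income=50000", b"income=90000")))
```

Changing the form field breaks only the second signature, because the first one covers just the bytes that existed when it was applied; changing the original text or the first signature breaks both.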

Verifying digital signatures

How to confirm the validity of a signed document

Confirming the validity of a signed document requires only a PDF viewer that is compatible with the PDF standard. The PDF viewer is capable of finding digital signatures in a document and verifying their validity. Open the signed document and either click on one of the signature blocks or open the Signature Panel.

Uniform residential loan application

By clicking a signature block, the PDF viewer verifies the validity of the corresponding digital signature. It then displays the result of the verification.

Signature Validation Status

Because OneSpan Sign computes a digital signature for each electronic signature in the document, you can access information that is specific to the signature that was clicked via the Signature Properties dialog. This dialog shows exactly when this specific signature was applied by the signer, the email address of the signer, and their IP address.

Signature Properties

The OneSpan Sign Difference

E-Signature Pioneer

25 years of electronic and digital signature experience and innovation to ensure you can achieve the highest completion rates for your signing processes.

 
 

 

Global E-Sign Laws and Regulations

Out-of-the-box support for compliance with the ESIGN Act (US), eIDAS (EU), ZertES (Switzerland), Electronic Transactions Act (Australia), and many more.

 

An Enterprise-Grade Solution that Scales with Your Needs

The only solution to provide a unified platform and integration framework that maintains high security, compliance and performance everywhere in the world.

Standards-Based Signing

Supports a broad range of local- and server-side signing certificates that adhere to global standards; instant interoperability with X.509 certificates issued by any TSP in Europe; support for signing with certificates stored on U.S. government Common Access Cards (CAC) and PIV (Personal Identity Verification) cards.

 

Wide Range of Deployment Options

Deploy OneSpan Sign in a public cloud, private cloud or on-premises behind your firewall; fulfill in-country data residency requirements with global data centers.

 

Security & Trust are at the Heart of our Business

OneSpan is a global leader in digital security and e-signature solutions. We believe that our 25+ years of experience in the IT security segment is a real asset to our employees, partners and customers – who can transact digitally using our solutions with trust and confidence.

Digital Signature FAQs

What makes up a digital signature?

A digital signature possesses the following three characteristics when used in conjunction with an eSigning solution:

 

  1. Unique: the signature must identify and be uniquely linked to each signer in the transaction; the person who signed the document can be determined with a high degree of trust
  2. Data integrity: ability to detect changes to the document or data after the signature is applied; this creates tamper-evident documents and signatures
  3. Non-repudiation: ability to trace who signed the document, and in the event of a dispute or compliance case, easily prove that the person in fact signed the document

 

Why would I use a digital signature?

Many industries and geographies that follow e-signature standards require digital signatures to ensure that records are enforceable, compliant and secure. Digital signatures use a standards-based technology that guarantees document and signature integrity.

What happens to the document if it is tampered with?

If a document signed with OneSpan Sign is modified or tampered with in any way, the underlying digital signature technology will detect it and the PDF reader will visibly invalidate the document. The e-signed PDF will display a red “X” indicating that the document is unsecure and should not be trusted. Look for a solution with a “Long-term Validation (LTV)” capability and 1-click offline signature verification process.

What is a digital certificate?

A digital certificate is prepared and delivered by a trusted issuer (such as a Trust Service Provider or TSP) who follows a specific process to verify the identity of the requestor. The digital certificate attaches a specific identity to a signing key. Like a passport, it allows third parties to verify the identity of its holder. OneSpan Sign enables users to sign with digital certificates that reside on a smart card, USB token or on their computer.

What is a qualified certificate?

A qualified certificate under eIDAS is a digital certificate that has been issued by a qualified Trust Service Provider (TSP) in Europe.

What if my organization decides to no longer use OneSpan Sign?

Documents signed by OneSpan Sign can be verified by any PDF viewer that complies with the ISO 32000 standard. Because documents signed by OneSpan Sign are self-contained, anyone can verify them – independent of OneSpan or its e-signature service.

How does signing with a smart card work?

Watch our “How to E-Sign Documents with Smart Cards” video to see how this works. OneSpan Sign supports signing with Common Access Cards (CAC), PIV (Personal Identity Verification) cards, as well as smart cards and tokens issued by TSPs in Europe.

Does OneSpan Sign support the requirements in the EU directive / eIDAS regulation?

Yes. OneSpan Sign meets the eIDAS requirements for the basic, advanced and qualified e-signature out-of-the-box with no additional development required. To learn how OneSpan Sign complies with the regulation and supports signing with digital signature certificates issued by a certificate authority or TSPs in Europe, download the white paper: eIDAS & E-Signatures: A Legal Perspective.

Does OneSpan Sign support Time-Stamping?

Yes. For EU customers that want the ability to leverage a “qualified” timestamp, OneSpan Sign includes digital signature services that bind data with a trusted timestamp to independently prove when a particular transaction took place. The resulting timestamp further strengthens the integrity of the electronic signature. Contact us for more details.

How does electronic signature software make the signing process easy for senders and end users?

Compared to handwritten signatures, e-signature software supported by digital signature technology can streamline your paper processes in a number of ways. 

  • First, OneSpan Sign fully supports remote signing through the OneSpan Sign mobile app which allows your signers to apply their electronic signature in real-time using their preferred mobile device. 
  • From there, OneSpan Sign also includes automation features and reusable templates and a drag and drop document builder to ensure your senders can quickly prepare and send their documents for e-signatures. 
  • Finally, OneSpan Sign includes multiple connectors, SDKs, and open APIs to seamlessly integrate e-signatures in popular business apps. 

What if the digital certificate stored in the document has expired?

OneSpan Sign uses long-term validation to clearly indicate that the signing certificate was valid at the time of signing. PDF viewers can verify this information years after the certificate has expired.
