Digital signatures are the electronic version of the time-tested ink-to-paper signature, for the purpose of providing authentication and verification of a specific event or transaction.
Rather than having someone sign a document by hand at a table and video-taping the signing, digital signatures can achieve the same goals with electronic documents. Their security is based on complex mathematical calculations based on factoring of very large prime numbers.
The main benefits of digital signatures, and the digital IDs granted for users to sign, are:
- Authentication: the verification of the identity of the signatory
- Non-Repudiation: the assurance that the signatory cannot deny having signed the document
- Integrity: the assurance that the message or document has not been modified since it was signed
They are very useful in verifying parties to a legal or financial transaction, in the distribution of intellectual property, or in providing the authenticity of a product, in that it is real and has not been tampered with or forged.
But not all digital IDs leveraged to sign are created equal. This is a complex yet important point to understand.
Multiple software solutions (e.g. Microsoft Windows, Mac OS, Adobe Acrobat) allow a user to create their own digital ID. Those are called self-signed. They do not provide any authentication and digital signatures leveraging them have no legal value.
A common way is to purchase a digital ID from a commercial provider (e.g. Digicert, Entrust, Globalsign). These providers perform various levels of verification of the requester of a digital ID. Also, their own credentials (as providers of digital IDs) are embedded in common software (e.g. operating systems, browsers, document viewers) ensuring that signatures can be easily validated when signed messages or documents are opened by recipients.
Large organizations and governments tend to have internal digital ID systems leveraging their own verification processes, based on their knowledge of their own staff. For instance, the Government of Canada is using the MyKey program. Those systems work best between participants inside the organization that issued them. Interoperability with external partners create challenges as each external partner must specifically add external signing authorities in their computing environment. By default MyKey signatures appear as invalid / not trusted outside the Government of Canada (e.g. private sector, citizens, provincial governments).
Finally, an increasingly popular way to handle digital signatures with external participants is to leverage cloud digital signature platforms. Such providers (e.g. DocuSign, PandaDocs, SignNow) provide solutions that not only handle the entire signing process between participants but also offers advanced authentication options (for instance phone, SMS, ID verification) and integrate into workflows to interact with document content (e.g. prepopulating information in documents, extracting information entered by signatories to avoid manual data entry). The Covid-19 pandemic accelerated the adoption of these solutions. Nowadays, if you lease an apartment or buy a car, you will likely receive an electronic contract by email.
In summary, digital signatures allow for fast, reliable interchanges between two or more parties, regardless of time zone, physical location, geographic constraints, or other logistical barriers. Specific consideration must be given to the type of digital ID obtained to sign digitally.