Digitally Sign DATA, Not Documents [closed]

Question

Closed. This question is off-topic. It is not currently accepting answers.

---

Want to improve this question? Update the question so it's on-topic for Stack Overflow.

Closed 9 years ago.

Improve this question

What constitutes a "legal" digital signature for a web form (not a document)?

OPTION 1: I worked on a project where a doctor makes notes on the health of a patient. When the web form is submitted a PDF is generated and digitally signed with a digital .CER certificate and the PDF is saved to the file system. Each doctor had their own .CER file and password which was a real PITA to maintain and the overhead of generating, storing, and backing up PDF's is quite high.

There are also third-party solutions like CoSign which allow the user to authenticate to CoSign as the form submits and, if properly authenticated, somehow digitally signs that form. I believe all of these solutions require an export to various types of documents and then storage of the document and require the end signer to have an account with CoSign. That isn't going to work...

All of these signatures require the data to be stored in a document which is not ideal for many projects.

OPTION 2: I went to the Microsoft store at the Mall of America and purchased a new Surface (to be later returned :/ ) and when checking out they gave me a tablet (ironically it wasn't a Surface) and a pen and I jotted down my signature. Another example is the Square app which also requires the user to jot down their signature on a touchscreen of some sort. I would assume the signature is stored as an image somewhere in a database but does that constitute a "legal" document?

I've worked at a small medical device company which had their doctors evaluate tests on the web and digitally "sign" their evaluation, but all that did was upload an image of their signature saved in the database.

OPTION 3: Yet another way I've seen this done is when filling out my FAFSA for college tuition aid back in the day. They'd ask you to review the terms, yada yada, and then at the bottom I had to type in my full legal name "as it appears above" and the submit the form. What are they doing behind the curtains??

The project I'm working on is a simple one-page contract for a construction company which explains all of the services to be rendered and requires a signature and date. The electronic version of this form would collect all of the required data in a web form and save it to a data store.

My initial reaction was to provide a <canvas> based HTML5 element that can be signed on an iPad or something. Does the data need to be exported to a document and then signed using a digital signature or can the data be legal and "signed" in the data store?

Answer 1

You're asking several questions, only one of which is the legality question.

Disclosure up front: I work for CoSign.

First question:

Signing a web form digitally vs signing a document (PDF, etc) Yes, this is a common application for digital signatures. CoSign supports it. The usual technique is to first express the web form as an XML file. Then digitally sign the XML file. CoSign's SAPI api directly supports digitally signing XML files according to the W3 standard. Learn more from the SAPI programmers guide. Available from the CoSign Developers site.

Verifying the digitally signed XML file You need the ability to cryptographically verify the digitally signed XML file. You can use CoSign for this or there are many other apps which will also verify the XML files. Google for "verify xml digital signature" to see a long list. Independent verification of the digital signature's identity, intent and the document's integrity are the key advantages of using standard digital signatures.

Second question:

Any way around the high costs of personal copies of digital certs for digital signing? Issuing, tracking, maintaining, replacing and retiring personal digital certs has a very high cost, as you've discovered. This is a common (and large) downside to digital signatures using hw certs issued to the individual signers (smart cards, usb tokens, etc). The way around the problem is to centrally store the certs as CoSign and some others do. CoSign automatically synchronizes with Active Directory / LDAP etc to get rid of the support and maintenance costs of the individual hw certs.

Third question:

Do outside signers need their own account on the CoSign box? That wouldn't work. In the case of outside signers (someone outside of the organization, such as a customer/client/patient who only signs once in a great while), the signing account can be created programmatically, the XML doc signed and then the account is deleted. This is not an uncommon case. The CoSign SAPI api supports account creation/maintenance/deletion for this purpose.

Fourth question:

Is it true that "All of these signatures require the data to be stored in a document which is not ideal for many projects?" No. You can digitally sign XML docs as I explain above. Signing XML docs created from web forms is also done by Microsoft's InfoPath form system, by the IBM Forms system and by others. It is a common application for digital signatures.

Fifth question:

What are Square and other web form signing apps doing?"

In many cases they are doing ""Electronic signatures" not "Digital signatures."

Briefly, an electronic signature is a graphic representation of a person's signature. That's all that's in the document. So the document by itself has no assurance of integrity or non-reputability. Ie, someone can change the document (eg by strategically adding the word "not") and the signature would still look the same.

To add strength to the inherently weak electronic signatures, the various electronic signature services will store the document on their servers, thus providing their corporate assurance of the document's integrity etc. Your option 3 may be in this category. Square, your option 2 may also be an electronic signature. In their case, Square itself is providing the assurance that nothing was changed after signing.

Electronic signatures are generally legal in the US but you should consult a lawyer for details. It is also the case that many organizations won't accept electronic signatures due to their reliance on a third party for verification (the vendor). Electronically signed documents can't be independently verified--you need to rely on the vendor. For example, drug companies cannot submit their paperwork to the FDA with electronic signatures, digital signatures are required. Outside of the US, electronic signatures are often not acceptable again due to the inherent weakness of the technology.

Digital Signatures A document or XML file, or anything else can be digitally signed. The digital signature guarantees, through cryptography techniques, that the document was not altered (integrity), signature is non-reputable (signer identification) and the signer's statement of intent at the time of signing. Digitally signed files can be verified by anyone using verification software or apps available from many places. Digital signatures adhere to open standards, electronic signatures do not.

Answer 2

What constitutes a "legal" digital signature for a web form (not a document)?

There's the matter of existing laws and practices, and there's the matter of what they should have been if the law is written by someone not ignorant of the nature of electronic signature, digital signature, and digital data.

In my opinion, electronic signature (an image of a hand-drawn signature) should never be considered legally binding, it is trivial to forge an electronically signed data, or to create a forged data that contains the image of the signature. They can and are often used in low security situation, however they are worth nothing to assert the authenticity or integrity of data. They can be somewhat secure in a very limited situation, such as when there is a trusted, tamper-proof device to collect the hand drawn signature like EFTPOS or trusted tablets, the consumer's and (usually) the merchant's tablets should not be considered trusted device.

Digital signature, on the other hand, uses cryptographic techniques to embed a signature that can be automatically verified to assert the authenticity of the document/data. It's a very strong guarantee as long as the security of the private key is kept private and no flaws are discovered with the signature algorithm. In my opinion, this is the only form of electronic signature that should be considered legally binding in every situations, assuming all parties understands digital signature.

It is possible to have a trusted third party, acting as a notary, that asserts the authenticity of a document or web form submission. The security of this system depends on the reputation of the notary, it can be legally binding when done by a trusted notary using a proper trustworthy protocol. Some electronic notary employs some form of digital signature, so their assertion adds an extra layer of guarantee on top of those provided by digital signature alone.

Many jurisdictions allow weaker forms of electronic signature for certain kind transactions. Check your local laws, consult a lawyer that is well versed in electronic transactions when in doubt about using weaker form of signature. Use digital signature properly to remove any shred of doubts.

Any finite length binary stream can be signed, it didn't have to be in a document. However, to have an embedded signature as opposed to external signature, the data contained have to have support for containing the signature.