I think this article misunderstands the purpose of signatures.

The purpose of a signature is to inform the signer that they are entering a binding contract. It is simply the modern equivalent to a handshake.

Sadly, precedent around EULAs means that signatures are no longer necessary to execute contracts.

If anything, society would be better served by making it more difficult to enter into binding agreements than to make it less difficult.

Imagine if, by law, for a EULA to be binding, the end user had to scroll through the entire document, and initial each separate section. EULAs would be much shorter, and much less common.

In a digital equivalent of “no trespassing” or “cameras in use” signs, a few standard clauses could be made enforceable by displaying them prominently on each page. For instance, there could be clauses such as “you are purchasing a transferable non-exclusive license to this software”, or “your subscription to this service is at-will with a fixed rate of $N/time-unit.”
These signature services make no sense. My UK estate agent is trying to get me to use an American signature service to renew my lease.

- What I get is an email from a third party (the signature service) with whom I have no business relationship. Why would I trust anything they say?

- How do I know the agent has signed the lease?

- What can I do if the American service claims I signed a contract when I didn't? If I sign even a single contract with them I'm effectively giving them power of attorney to accept any contract on my behalf.

- Anyone who gains access to my email can enter contracts on my behalf.

It's mad.

The point of signing a contract in each other's presence is that both parties understand they are agreeing to something, and both have no doubt that the other is also entering the agreement. Online signature services do not achieve this.

And finally, PKI is worse. I won't rehearse the arguments. Read Ross Anderson.
For serious identity verification in paper legal land we don't use signature matching, we use notaries: show ID to a trusted 3rd party who can be later dragged into court, sometimes even with an additional witness to vouch for identity.

(In closely related news, just try buying a house during a pandemic, I dare you. There are amusing pictures floating around online of my wife and me shoving documents back and forth through barely-cracked car windows for notarization ...)
I've been looking into this whole area recently for a project.

The problem isn't (only) the technical issues. As TFA points out, this is easy, and even the most naive and simplistic implementation beats physical signatures hands-down.

There are two main problems:

1. Legality. Getting a court to recognise a digital signature probably isn't that hard. It's a bit like scanned images - if you can prove that this is the best evidence, then it'll probably be accepted.

However, getting lawyers to accept digital signatures is difficult. One of those awkward situations where there are no consequences for them if they insist on a physical signature but lots of potential downside should they accept a digital signature.

2. File formats, or "the standards problem". To include a digital signature in a document, we need a file format that includes digital signatures. Every document file format has a different version of this, and every digital signature service provides a different "wrapper" format with a different signature.

This needs to be solved top-down. The SCOTUS, or the EU Court, or some organisation of similar standing, needs to say "this wrapper format is the only type of signature legally accepted, and if a document is wrapped in this format, it is legally signed". Both problems vanish and we can have nice things again.
I don't necessarily disagree with the idea of services like this, but in order for the Certisfy Partner's certificate issuance to mean something, it can't just be J. Random Noob who works out of the café down the road selling attested signatures for five bucks. The whole point of PKI is that I'm trusting a third party to perform verifications on my behalf--it rather defeats the purpose if the third party in question is no more trustworthy than the person requesting their attestation.

That said, I find it interesting that a couple of people on their partners list are Notaries Public--adding digital signature to the list of functions a Notary can perform would make the migration to digital signatures easier. It would probably require making the Notary's signature part of a public chain maintained and issued by the local government as part of their licensure, though, so I don't see where Certisfy comes into that picture at all.
Very recently, just before the pandemic hit India, we had to run around because one of the key Japanese counterparts was in the USA and unable to send money (a small amount) to complete a stock purchase.

My response was, "Please log in to your bank's website and do the transfer."

That was the time I learnt that some (or maybe more) Japanese banks still need the individual's personal stamp/seal to send money from their banks.

I learnt an interesting thing.
I was interested at first because I built a signature product a few years ago. I find it a bit confusing and had to reread to catch the point.

There are 3 levels defined by the EU. I use these levels everywhere because it's not really a legal thing but increasing levels of technical requirement. The US has many conflicting laws on what signatures are valid.

The lowest level is what you first started out with. The marketing term for this is "E-signature". It's subtle marketing speak to mean putting an image into a document. These are generally accepted for most things. California though has not allowed this in the past. A provider offers signatures at this level (with some nuance).

The second level is a "digital signature" backed up by other details. People think this means like an actual signature. In document contexts it's very confusing. But what they really mean is signing (encrypting with your private key so the public can decrypt it). This can be a verified email, phone, the more the better. What's important is at this level the signer is not actually the person, it's the service. The service has a trusted cert created from the Adobe trust chain and does additional measures to verify the person. The visible signature at this point is just a mock to make people comfortable using it. The signature is really cryptographic. This level is pretty much always court admissible.

The last level is signing the doc with your own trusted cert. You can get these tokens from many providers to do yourself. It's required for typically government things like stamping a document by an actual engineer (i.e. a PE). To get these certs you need to go to a notary to get verified. This is as legit as it gets. It's almost bulletproof.

Product wise, I am pretty familiar with PKI but am still confused as to what it really does or why I should use it. If this is to get wide adoption, the person using it needs to know nothing about certs and PKI.

Additionally, I'm confused if this is using PKI or a web of trust. I'd think it would have to be web of trust to be practical but it seems like the examples allude more to PKI? Best of luck, I look forward to seeing where it goes.
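Two of the comments above talk past each other on what the cryptographic part actually is: the "wrapper format" one commenter wants standardised, and the "signature is really cryptographic" point about the second and third EU levels. The following is an added example (not code from the article, from Certisfy, or from any commenter) that shows the mechanics both are describing: a document is hashed, the hash is signed with a private key, and the result is carried in a detached envelope next to the document, so that any later change to the document, or a signature made with a different key, is rejected on verification. It uses Go's standard-library Ed25519 and SHA-256; the `Envelope` structure, the `SignerID` field and the sample lease text are constructed for the example. Whether the private key sits in a service's HSM (the second level) or on the signer's own token (the third level) changes who is being trusted, not this code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Envelope is a constructed, detached "wrapper" around a document: it names the
// claimed signer, records the digest that was signed, and carries the signature.
// The document bytes travel separately, so any file format can be covered.
type Envelope struct {
	SignerID string // who claims to have signed (hypothetical identifier, not verified here)
	Digest   string // hex SHA-256 of the document bytes at signing time
	Sig      string // hex Ed25519 signature over the digest bytes
}

// SignDocument hashes the document and signs the hash with the key holder's private key.
// Hashing first keeps the signed message fixed-size regardless of document length.
func SignDocument(priv ed25519.PrivateKey, signerID string, doc []byte) Envelope {
	sum := sha256.Sum256(doc)
	sig := ed25519.Sign(priv, sum[:])
	return Envelope{
		SignerID: signerID,
		Digest:   hex.EncodeToString(sum[:]),
		Sig:      hex.EncodeToString(sig),
	}
}

// VerifyDocument recomputes the digest from the document actually presented, checks
// that it is the digest recorded in the envelope, and then verifies the signature
// against the public key the verifier already trusts for this signer.
func VerifyDocument(pub ed25519.PublicKey, doc []byte, env Envelope) bool {
	sum := sha256.Sum256(doc)
	want := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(want), []byte(env.Digest)) != 1 {
		return false // document altered after signing, or envelope belongs to another document
	}
	sig, err := hex.DecodeString(env.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed envelope
	}
	return ed25519.Verify(pub, sum[:], sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document; in practice this would be the PDF bytes.
	doc := []byte("Lease renewal: 12 months at 1000/month. (constructed sample)")
	env := SignDocument(priv, "tenant@example.invalid", doc)
	fmt.Println("original verifies:", VerifyDocument(pub, doc, env))

	// Change one figure after signing: the digest no longer matches.
	tampered := []byte("Lease renewal: 12 months at 1500/month. (constructed sample)")
	fmt.Println("tampered verifies:", VerifyDocument(pub, tampered, env))

	// A different key cannot produce a signature that verifies under this public key.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key verifies:", VerifyDocument(otherPub, doc, env))
}
```

The point the thread keeps circling is visible in the last check: the code can only prove that whoever holds `priv` signed these exact bytes. Binding `pub` to a person, whether through a certificate chain, a notary, or a web of trust, is a separate problem that no wrapper format solves on its own.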
This is a very misinformed article. The point of a signature is to make it obvious to both parties that they are making a binding agreement and to bring all the terms of the agreement together in one contract.

A signature also makes it so that someone must commit a felony to misrepresent what you agreed to by forging your signature, no matter how easy it might be to forge. It also creates evidence of their crime.

The article’s complaint seems to be that it might be easy to forge a signature, electronically or physically. Forged signatures are almost never an issue in contract disputes, and when they are, it’s almost always petty small-time crime like check fraud.

Solving something that is not actually a problem, using an extremely complicated tool like cryptographic signatures, which require a huge amount of tooling around the storage of private keys and the identification of public keys, is backwards.
I own a small payment processor. One of the biggest problems we have is on-boarding new customers. The issue is the banks and service providers we work with require physically signed documents, or we have to use their online signature solution. Their solution is often a worse experience than signing with paper, scanning and emailing. The provided solutions also are about as secure as emailing without encryption, too. Interestingly enough, most of these solutions just overlay a png image of the signature (sometimes collected from the user, sometimes picked from a list) on a PDF and then sign the document with the provider's cert. The final, signed document is delivered via email (hey, post to a webhook, it's 2020?). It would be nice to be able to have our own, better experience that worked with our vendor.
I've always seen the value of signatures as a ceremony first, not as a (serious) method of authentication. As an example, when have you last seen a merchant compare your signature to that on your credit card?

Conduct implying intent, together with a hand-written signature, can go a very long way in practice.

The value of these services to me accordingly seems to be in their accuracy of replicating the ceremony, not in trying to compete with cryptographic signatures.
This entire subject is so ridiculous. The US military has solved this problem almost as much as 15 years ago. No visible scribbles of any kind, just cryptographic signatures backed by certificate. The certificate is embedded on a photo ID hardware token that requires a PIN that locks after 3 failed attempts. The military uses digital signatures for everything.
In this day and age? Just send an email. Your service provider is almost certainly providing a DKIM signature and implicitly with it an attestation that you were authenticated. Desiring any more than that would require a witness able to confirm your identity, even in real life where I can always state that someone else walked in and signed the document.
Cryptographic signatures are a really new thing (1970s). Only a very low percentage of people actually know how they work, much less believe in them. They will eventually change a lot of things and count as a significant discovery. We still have a lot of work to do. Education is the first step.
Does anyone know if DocuSign has more complex authentication behind the scenes? Like, if someone else has access to your email, how can you verify that they aren't "forging" your digital signature on docs? Maybe, like, 2-factor auth would be enough for most cases.
Developer of Certisfy here. Happy to address questions.

Also send me an email (in profile), I can issue you a short-lived trustworthy certificate to try out the service :)
Signatures generally have mostly become a total joke. I suppose there's some element, for many of us, that there's something vaguely scrawled that looks like other vague scrawls that indicate I may have glanced at a piece of paper. But, especially, at the current time having clean and dirty pen cups so we can sign a paper receipt or have to sign a digital pad with what's effectively just an X?

At least my financial institution was willing to work with a phone call, mobile phone number, and email for something rather than having to go in and do the notary thing.