Electronic Signatures and Certificates - Differences, Standards and Application Specific Usage
This blog article deals with the different characteristics of electronic signatures and describes possible solutions with the corresponding Adobe technologies.
Since the terms "digital signature" and "electronic signature" are often used as synonyms, I would like to briefly discuss the different meanings at the beginning. The "electronic signature" is primarily a legal term that describes various methods for authenticating and ensuring the integrity of electronic documents. The term "digital signature" stands for different cryptographic procedures for the generation of electronic signatures.
In general, a distinction is made between simple, advanced and qualified electronic signatures. In addition, documents can be certified and given a seal certificate.
Depending on the application, the appropriate signature standard should therefore be selected:
- In the case of internal approvals, verbal agreements or an e-mail are often sufficient as confirmation.
- Advanced signatures are sufficient for the majority of all contracts in B2B or B2C environments.
- For work contracts, life insurance policies, etc., on the other hand, signature standards with the highest legal relevance (handwritten signature or qualified electronic signature) are required.
- When it comes to ensuring and proving the authenticity of documents, digital certificates are the right medium.
Simple electronic signatures
Simple electronic signatures have only a low probative value, but are sufficient for many applications. They are often used for internal approvals, certificates, protocols, reports, etc.
Simple signatures can be applied by using a scribble field, for example. When using AEM Forms, Scribble Fields can be embedded in web forms (so-called Adaptive Forms) as well as in PDF forms.
A touch-sensitive display is needed for signing a web form.
The signature is done either with a special pen or directly with the finger. Once the signature has been applied, it is embedded in the document as an image file. This file contains no biometric data for the signature. In combination with the geo-location, IP address, date and a confirmation/text field, the signature can be enhanced.
If a scribble field is used in a PDF form, the signature is usually made using the keyboard or mouse pad. This signature is also embedded in the form as an image file.
The following applies for both variants: A simple electronic signature does not ensure verifiable unchangeability of the recorded form data.
Advanced electronic signature
For advanced electronic signatures, the legal requirements laid down in the Act on Electronic Signatures (SigG) and the Ordinance on Electronic Signatures (SigV) apply. Accordingly, advanced signatures must meet the following requirements:
- The signature must be uniquely linked to a specific person.
- The signature must be created with a unique signature key.
- Any manipulation of the data must be recognizable.
Technically, the advanced signature corresponds to a software certificate. Unlike the qualified electronic signature, no signature card with certificate and no card reader (Secure Signature Creation Device = SSCD) is required to create an advanced electronic signature.
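The difference between a scribble image and a key-based signature that makes manipulation recognizable, as an added example that is not part of the original article or of any Adobe product. It uses a Lamport one-time signature over SHA-256 as a stand-in so that it runs with the Python standard library only; real PDF signatures typically use RSA or ECDSA keys bound to an X.509 certificate, and that binding to a person is outside this example. The form fields and all function names are constructed for illustration.

```python
import hashlib, hmac, json, secrets

def canonical(form: dict) -> bytes:
    # Deterministic serialization: identical field values always yield identical bytes.
    return json.dumps(form, sort_keys=True, separators=(",", ":")).encode()

def digest_bits(message: bytes) -> list:
    # The 256 bits of SHA-256(message), most significant bit first.
    return [(b >> (7 - i)) & 1 for b in hashlib.sha256(message).digest() for i in range(8)]

def generate_keypair():
    # Lamport one-time key: 256 pairs of random secrets; the public key is their hashes.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [tuple(hashlib.sha256(s).digest() for s in pair) for pair in private]
    return private, public

def sign(private, message: bytes) -> list:
    # Reveal one secret per digest bit; the key must never sign a second message.
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(hashlib.sha256(signature[i]).digest(), public[i][bit])
    return ok

def scribble_present(record: dict) -> bool:
    # All a simple signature allows: confirm that an image is attached to the form.
    return bool(record.get("scribble_png"))

def demo() -> dict:
    form = {"applicant": "Jane Example", "policy": "P-0001", "amount_eur": 1000}  # constructed
    private, public = generate_keypair()
    record = {"form": dict(form), "scribble_png": b"constructed image bytes",
              "signature": sign(private, canonical(form))}
    before = verify(public, canonical(record["form"]), record["signature"])
    record["form"]["amount_eur"] = 9000  # form data altered after signing
    return {
        "simple_check_after_edit": scribble_present(record),  # image check still passes
        "signature_before_edit": before,
        "signature_after_edit": verify(public, canonical(record["form"]), record["signature"]),
    }

if __name__ == "__main__":
    print(demo())
```

The image check cannot notice the changed amount, while the key-based signature stops verifying as soon as any signed field differs.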
In the past, many of our customers have implemented advanced electronic signatures using signature fields in PDF, which are signed using an external hardware component (Sign Pads).
These signature pads capture biometric data during signing (pressure, speed, angle, etc.), which can be stored encrypted in a hash value in the PDF document. This data can be used for later identification of the signer. This digital signature option works for PDF documents, but not in web forms, as web pages cannot be signed.
For advanced signatures in the web environment, other solutions are available, such as Adobe Sign.
Adobe Sign is a cloud signature process from Adobe for authenticating and certifying users in connection with documents. This signature service works with both PDF documents and adaptive forms. With Adobe Sign, simple, advanced, and even qualified signatures can be generated, provided the appropriate requirements are met. However, an online connection (cloud service) and appropriate licensing are required. The audit trail can also be attached to each signature process. With the help of this report, an approval workflow carried out using Adobe Sign can be seamlessly logged and traced.
Qualified electronic signature
Qualified electronic signatures are subject to stricter criteria than advanced electronic signatures. They are based on a qualified certificate and are created using a secure signature creation device (SSCD). Qualified signatures are legally equated with manual signatures.
For qualified signatures, signatories must use a certificate-based digital ID issued by accredited EU trust centers and stored on a suitable device for creating qualified signatures. These include USB tokens, smart cards or one-time passwords transmitted via the smartphone.
Qualified digital signatures can be embedded in a document via a certificate in conjunction with an SSCD. The signature is therefore created using an externally connected qualified signature card issued by a recognized trust center, together with password entry.
This possibility can also be integrated into the Adobe Sign process, so that each signer receives a digital ID from a trust service and the signing process is protected by a PKI (Public Key Infrastructure). With this additional step, the highest possible signature standard of a cloud signature can be achieved.
Since the eIDAS Regulation came into force on 01.07.2016, electronic seals have also been officially recognised. The eIDAS Regulation is a consistent legal framework for the recognition of electronic signatures and identities in all member states of the European Union.
Technically, electronic seals are comparable to electronic signatures. Unlike the latter, however, they are not assigned to a natural person, but to a legal entity (company, university, authority, etc.). An electronic seal can therefore be used wherever a personal signature is not required but proof of authenticity is (e.g. for official notices, certificates, deeds, bank statements, etc.).
The Signature Service of AEM Forms allows you to apply electronic seals and thus certify a large number of documents (e.g. university certificates, insurance policies, account statements, etc.) in a batch process. This service offers operations to apply visible or invisible signature fields to documents and to provide them with signatures (Signature Field). A time stamp server can be included during or after signing. Signature cards can be integrated using a card reader.
AEM Forms, Adobe Acrobat and Adobe Reader support the PAdES signature format (PAdES = PDF Advanced Electronic Signature). This standard defines restrictions and extensions to PDF files in connection with electronic signatures. PDF documents that comply with the PAdES standard can be archived for many years. With PAdES-compliant PDF documents, it should be possible to verify the signature of the document at any time in the future (Long-Term Validation (LTV)).
Summary of the
In summary, signatures, certificates and their standards are a complex topic. The right signature method should therefore be chosen carefully, since even the costs of simple and qualified signatures can differ by a large multiple. When deciding on the appropriate signature method, we recommend simulating the use case in detail.
- Who (applicant, approver, etc.)
- signs what (PDF document, Adaptive Forms, etc.)
- where (at the customer, in the company)
- how (if you are online or offline)
- why (use case (application for insurance, customer service report) and required legal force (simple, advanced, qualified))
It often makes sense not to go through the known (usual) procedure, but to derive a procedure and a solution on the basis of the project objective. The project goal could, for example, be to transfer structured data to a backend system after a process has been completed and to archive a sufficiently signed document. Methods such as design thinking etc. can then be used to develop solutions that are often simpler, faster and better.