We all know what a signature is, a classic physical signature that someone puts at the bottom of a contract. Someone signs their name on a document, and it means they approve what is on the document. A digital signature attests that the person who signed the message or document approves it, but this is done digitally. The person doesn’t sign their name, but applies a mathematical algorithm.But why do we want to sign documents digitally, why is it useful?
There are three main reasons:
First, the cost of tracking down the signer, storing, printing, and mailing cost adds up. Pfizer found the cost of one “wet signature” was USD 30, and analysts estimate the cost can be as high as USD 125 (https://www.cio.com/article/2438539/how-pfizer-did-id-management-right.html).
Second, we share and transfer documents often through digital means (email, internet, signing on a website). We do this much more often then we do so on paper. It is much faster and more convenient to transmit documents digitally than physically.
Third, it is much more secure than a physical signature. One digital signature method often used is ECDSA- (elliptic curve digital signature algorithm). It is so secure that it used by the military and by central banks. It basically cannot be forged. Getting deeply into the math is mind-boggling. The security is based on the discrete logarithm problem. The idea is that 3 numbers are used to obtain a result. If I give you the digital signature and 2 of the numbers, that means I must have the third number. But the math is such that you can not simply do a division and find the missing number. It is impossible and brute forcing it would take years. Math can be cool.
An elliptic curve digital signature has 3 important properties:
- It proves the owner of the private key has authorised the signature.
- The proof is undeniable and can not be repudiated.
- The signature was not modified by anyone after it was signed.
The second and third properties are a HUGE advantages over a classic physical signature! One can also do multisig- meaning multiple signatures, M of N. This is like saying we need 3 signatures out of 5 people for a document to be signed.
One company that offers digital signatures and whole audit trail for documents is Blocknify (https://blocknify.com). They allow anybody, anywhere in the world to sign all sorts of documents, contracts, pictures, and certificates from an auditor or a producer of a good. Their application is a thin layer running on top of the blockchain making it possible for people to sign using a key only they hold. The blockchain ensures the immutability of not just the signatures, but also the business logic such as who can sign a document and other information like expiration date or payment. The documents are encrypted and only shared on a decentralized storage for a strict period of time, to maintain privacy.
Regulatory Implications of Digital Signatures
The legality of e-signature has been a subject of confusion for a while. However, most jurisdictions have regulated it in one way or another. Digital signatures within Switzerland (ZertES) and EU (eIDAS) have three levels, simple, advance, and qualified signatures. Simple signatures generally lack the needed evidence to be upheld in court.
For a digital signature to be considered as an advanced or qualified signature within Switzerland (ZertES) and EU (eIDAS), the following properties must hold true:
- It is uniquely linked to the signatory (e.g., Private and public key)
- It’s capable of identifying the signatory (e.g., Phone, email, or passport)
- It must be created using data that the signatory can use under their sole control with a high level of confidence (i.e., The signer must have control of the data that was used to create the keys or the storage of the private key)
- It’s linked to the data signed in such a way that any subsequent change in the data is detectable.
While the signature requirements are the same for advance and qualified digital signature, qualified digital signature must use a certificate from a government certified authority (CA). Within the EU, while the member country certifies its own CA, each member country must respect each other’s CA. Switzerland has its own certified authorities but doesn’t recognize the EU’s certified authorities.
Digital signatures are great but there is prudence among regulators. The EU has given each country the ability to specify contracts that require a qualified digital signature (QES) and an ‘exclusion’ list of contracts that can’t be digitally signed. This means E-signature are valid for everything except x,y,z, and the x,y,z changes for each country. Countries however have all been reasonable with the exclusion lists not adding many items since they understand that e-signature can remove friction. So what list should you follow? All digital signature’s laws are based on the contract governing law.
Some items on the exclusion list are:
- Contracts that are required to be handwritten (e.g., Last will in Switzerland, employment contracts in Luxemburg)
- Contracts that are required to be notarized (e.g., real property transfer, deeds, articles of incorporation)
- Other contracts (e.g., Amendments to an employment contract within Austria)
The good news is that about 95% of daily signatures for most companies fall into the green zone for e-signature. Enterprises can start tomorrow using digital signatures to automate their process with partners and clients!
Digital signatures allow companies to automate the process with suppliers, clients, and partners. The document can be hashed and stored on a decentralized ledger or on a central repository. It, therefore, does not move around, greatly increasing security. Furthermore, some companies such as Blocknify will soon allow hardware wallets for signatures. So everything you sign will be as safe as the crypto on a hardware wallet!
Digital signatures are crucial to improving all sorts of business process as well as digital identity, a much larger subject that will be the object of a future piece.