Legal and Compliance Questions
The answers to the most frequently asked questions are shown below. If you have a question that isn't answered here or would like any more in-depth information, please contact us.
- What is the difference between an electronic signature and a digital signature?
- How does SIGNificant comply with electronic and digital signature rules and regulations?
- Will you go to court with us?
- What is a biometric handwritten signature?
- Do you support ISO/IEC 19794-7:2014 standard for biometric signature exchange?
- Can documents signed by SIGNificant be viewed and verified by users who don't have SIGNificant installed?
- Can a captured signature from a signature pad be forged?
- How can I be sure that my signature is not transferred to an unauthorized document?
- What if my signature transmission is traced and re-sent later?
- How is the signer protected from signing a document he is not shown?
- Do I need consent from the signer to sign documents electronically?
- Do you support third party digital certificates?
- Why do digital signatures and annotations not appear in some PDF viewers?
- What if the quality of the captured signature data is not good enough for forensic analysis?
- How can I make sure that the encryption of a signature embedded in a document is not compromised by brute force attacks?
- How is the communication between the client and the server secured?
- Is a signature still useful?
- How does SIGNificant for biometrically signed PDF documents comply to EU Regulation 910/2014 on electronic identification and trust services for electronic transactions?
What is the difference between an electronic signature and a digital signature?
"Electronic signature" is a generic, technology-neutral term that refers to the universe of all of the various methods by which one can "sign" an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender or a digitized image of a handwritten signature that is attached to an electronic document.
A digital signature is an electronic signature that implements a certain well defined standard that uses RSA cryptography to create signatures on digital assets that are uniquely referenced using some hash algorithm (e.s. SHA 256). It uses a certificate that is issued by a Certificate Authority (CA) to identify the signatory. When issued to an individual this certificate is referred to as signing certificate. When issued to an organization we talk about sealing certificates.
With Namirial and its xyzmo SIGNificant products, all e-signatures are also digital signatures. While biometric or process signatures use sealing certificates, digital signatures with personal certificates use signing certificates.
How does SIGNificant comply with electronic and digital signature rules and regulations?
SIGNificant is designed for global compliance with key components of:
- eIDAS 910/2014 – see the eIDAS whitepaper for details
- the European Directive 1999/93 EC on a Community Framework for Electronic Signatures, including the UK Electronic Communication Act,
- the U.S. ESIGN Act
- US state laws modeled after 1999 UETA
- Rules from the FDA, FTC FHA, IRS, and FINRA, among many others
- German BIPRO Norm (Namirial is even a BIPRO member)
The Namirial DTM solutions allows users such as consumer clients to create e-signatures that comply to the following legal signature levels according to eIDAS:
- Qualified E-Signature
- Advanced E-Signature
- E-Signature
While captured handwritten signatures are typically at the advanced level, Namirial provides a client friendly way to turn them into a qualified signature legally equivalent to wet-ink. Details on this can be found in the eIDAS whitepaper.
Will you go to court with us?
While Namirial has a successful history of providing customers with all the evidence they need to defend their documents against repudiation, Namirial is available to assist you with legal challenges by testifying in court on the validity of SIGNificant documents.
On-top, the Namirial Trust Service Provider can also manage the biometric encryption certificate for its customers. Details on this are found here.
What is a biometric handwritten signature?
A captured handwritten signature looks identical to a person’s original, wet-ink signature. But, should one use the SIGNificant digital signature suite, it is much more than merely an electronic image. SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. Once a signature, including all the biometric parameters, has been embedded into a document, it is turned into a signed and sealed PDF. Anyone can verify the signature and content integrity anywhere and at any time. Thus, unrecognized, post-signing manipulations are impossible.
ISO/IEC 19794-7:2014 standard for biometric signature exchange
All captured biometric signatures can be exported according to the ISO/IEC 19794-7:2014 standard for biometric signature exchange, providing full vendor independence of the signed documents.
Can documents signed by SIGNificant be viewed and verified by users who don't have SIGNificant installed?
SIGNificant is based on the open ISO PDF standards and true digital signatures, with no proprietary e-signature technology. All signatures and their cryptographic information are embedded into the signed PDF. You don't need to be a Namirial customer or return to our website, just to check the validity of documents. Any proper PDF reader will do the job.
Why do digital signatures and annotations not appear in some PDF viewers?
Unfortunately, some PDF-viewers, for example, for the iPad (including the default reader that comes with the iPad), do not yet fully support PDF standard annotations and digital signatures. Such applications often simply ignore the annotation "layer" of standard PDF documents. In order to be able to view PDF annotations and digital signatures in such applications, these elements must be "flattened" into the normal content layer. There are some solutions that "ignore" this issue and actually modify the normal content layer "hard-code". They simply embed a graphical representation of annotations and signatures into the normal content layer. While this approach has a certain advantage (no problem with those PDF viewers), the main disadvantage of it is that it alters the original PDF content in an irreversible manner. You won't be able to delete or modify this imitation of an annotation later and you will lose all the biometrical information in the signature. All that remains is a graphical representation. This is not how we prefer to treat your PDF documents. Our signatures and annotations comply with ISO PDF Specification, meaning that annotations can be removed or modified later by PDF processing programs, and all signatures contain all the biometric informations. Having said that, in some of our apps, we still provide you with the possibility of flattening the PDFs, if you wish.
Can a captured signature from a signature pad be forged?
SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. A forged signature is usually created by either tracing an existing signature or simply trying to re-create the signature by memory. Either way, a forged signature is either "accurate and slow or fast but inaccurate". SIGNificant is able to record the time that it takes someone to write their signature, which means that a side-by-side comparison of a legitimage signature and a forgery will be quick and simple because typically the signature will either appear visually correct but have a slower time-stamp or the time stamp will be correct but the signature will be completely visually inaccurate. Of course, the speed at which someone generates a signature is not the only characteristic considered when analyzing possible forgeries. Some other items include the size, connecting strokes, and proportions of the original signature. All of these parameters are recorded by SIGNificant and are retrievable for a forensic examiner using a tool called PenAnalyst, which is provided if the need ever arises.
How can I be sure that my signature is not transferred to an unauthorized document?
The document contains a captured signature that has been encrypted (RSA 4096 + AES256). A person’s signature is encrypted immediately as it is captured by the signature pad, using the private key of a special certificate. This special certificate is selected by the company using the SIGNificant suite, and is typically stored in a secure environment outside the company (bank safe, external notary, etc.). Thus, Namirial has no access to this certificate. For the encryption of signatures, the SIGNificant suite just needs the public key of the certificate. It is only for decryption, and the extraction of signatures from a document, that the private key is required. Only specific people, to whom the company has granted access to this certificate, will be able to decrypt the profile using the PenAnalyst tool, which is provided as part of the suite. This tool was developed in consultation with forensic experts, and is useful in legal disputes for proving who signed a particular document. Furthermore, each captured signature is bound to a specific document (“document binding”). We generate a unique “fingerprint” for each document and store it together with the captured signature. Thus, it is easily possible to prove within PenAnalyst that a certain signature belongs to a particular document.
What if my signature transmission is traced and re-sent later?
With a great deal of criminal energy, technical, in-depth knowledge about the special customer installation and, the signature pad used, and unsupervised access to the computer, it is theoretically possible to carry out this action. Compared to the ease of faking signatures on paper, this represents a really big effort. End-to-end security is only possible with the right signature pad in place. The processor of the SIGNificant ColorPad, for example, contains the public key of a second key pair (RSA 2048-bit). By means of this key, the biometric data is encrypted in the pad itself. This ensures that highly sensitive information can never be viewed in decrypted format in the unsafe “computer” environment (e.g. main memory). The private key of this second key pair is safely deposited by a notary public or in a safe deposit of your choice. With this setup, full end-to-end security is possible.
How is the signer protected from signing a document he is not shown?
It is possible for the original document that is intended to be signed to be replaced by another one, which is typically done by a “man-in-the-middle” attack. If deployed on a distributed server architecture, SIGNificant uses SSL encryption for all network communication throughout the entire signing process. In this way the data can neither be sniffed nor manipulated by attackers. It is also crucial to allow the signer to read the actual document that is to be signed. Obviously it is better to enable this directly on the signing device itself, instead of relying on an external screen. SIGNificant enables this, as described above.
Do I need consent from the signer to sign documents electronically?
Between businesses, the nature of the parties’ consent to do business electronically can be established explicitly or by implication based on the parties’ interactions. However, consumers receive special protection under EU law, ESIGN and some state UETA enactments. Electronic documents may be used only if the consumer:
- receives certain disclosures (e.g. UETA Consumer Consent Disclosures) has affirmatively consented to use electronic signatures for the transaction and has not withdrawn such consent
Do you support third party certificates and smart-cards?
Yes, in fact, we even have dedicated products especially for this reason. You can e-sign based on digital certificates (smart card, USB token, software certificate, HSM).
Learn MoreWhat if the quality of the captured signature data is not good enough for forensic analysis?
Generally, the quality of the data from signature capturing devices is very good. Nevertheless, signature capturing devices can also be used within thin client environments, such as Citrix, RDP, or VMWare.
In that case, you require a local software component running on the thin client device that receives the data packets from the USB signature pad; otherwise you will lose some of the biometrical data packets due to latency issues. The reason is that signature pads send the data they record with file-and-forget, which is not an issue if the receiving software runs locally. However, in a thin client environment, the buffer that stores the received biometrical data packets may not be read in-time, because access from the receiving software is delayed by the network’s latency. Thus, a simple pass-through that uses USB redirection does not work for signature tablets. Therefore SIGNificant provides a local software component that runs directly on the thin client in the background to read the data packets from the data buffer without any delay, as required for a flawless operation.
How can I make sure that the encryption of a signature embedded in a document is not compromised by brute force attacks?
Theoretically there is a chance that AES/RSA encryption could be hacked using a brute force approach, once the required processing power becomes available. Consequently, the signature data embedded in a document could be decrypted and misused with intent to defraud. In an online scenario, where the SIGNificant Server is used, the original documents are always kept securely on the server. Every document the user views on the client computer is only an image of the original PDF document, and thus it cannot be manipulated fraudulently. Moreover, it is possible to provide the signer only a digitally signed copy (flattened version) of the original PDF file, which only contains the graphical representation of the handwritten signature without its biometrical data. The signed original document, which includes the biometrical data to enable a forensic analysis of its contained signatures, is stored in a centralized and secured archive.
How is the communication between the client and the server secured?
When the solution transmits its data in a client-server environment, it must traverse the company network or in some cases (e.g. mobile) the mobile device's carrier network and the internet. Thus agents might exploit vulnerabilities to intercept sensitive data while it is traveling across the wire. We recommend the use of SSL/https for all client-server communication. The configuration of the SSL certificate is done directly on the IIS server used by the SIGNificant Server. The system administrator is responsible for that task. Several additional security mechanisms (such as reverse proxy, basic/Windows authentication, web single sign-on, etc.) can be used together with the SIGNificant Server Platform.
Is a signature still useful?
Quote from a BBC news report: The signature may have more life in it than some techno-enthusiasts might imagine. If it survives, it won't be because it's safer or more efficient, but because people develop an emotional attachment to their own one. "It's not like a Pin," Mike Allen, a forensic document analyst with 30 years experience. "It's someone making their mark and saying 'I agree with this.' It's not about being safer - the value of it is that it's you." More than that, it's also uniquely and entirely yours.
How does SIGNificant for biometrically signed PDF documents comply to EU Regulation 910/2014 on electronic identification and trust services for electronic transactions?
Please see the document A guide on eIDAS 910/2014 for details..