
SignDoc - The Trustworthy eSigning Solution

Trustworthiness and a maximum in reliability is what audit departments are expecting from an eSigning solution and its vendor.

SOFTPRO stands for these values and its solution SignDoc provides document authenticity and integrity so that you can eliminate paper to capture signatures now - like the companies within our ever growing customer base who are already taking advantage of our SignDoc solution suite.

This page explains the aspects of trustworthy capturing and processing of handwritten signatures in a digital workflow.
 
If you require additional information about aspects mentioned on this page please do not hesitate to
>> [ get in touch with your regional contact of our sales team ]

The original aim of signing on paper is that the signer declares an intent which is related to the content of the document.
  • Nowadays many companies capture a signature image (graphic file, e.g. JPG, GIF) and paste it into documents or even an e-mail message. This image will not allow any further verification process if its authenticity is in doubt. It is more or less "decoration".
  • Handwritten signatures on paper are often also described as "wet ink signatures". The electronic equivalent is a "digital ink signature". "Digital ink" became a common feature in mainstream PCs with the launch of Windows Vista, e.g. for comments or annotations. Digital ink is a feature which is available in Microsoft Office 2007 or in Adobe Acrobat 9 ("Apply Ink Signature"). These features put a handwriting-like signature on a file that could be printed out or emailed, much in the same way a fax signature might work. These signatures can be manipulated, duplicated or deleted. There is no protection against document tampering, hence this kind of signature can be repudiated easily.
    It is important to keep in mind that a signature which was captured using digital ink is not securely bound to a document.
  • A simple click on an "I accept" button which triggers a signing process (often defined as "websigning") is not appropriate to replace a paper-based process where the signature is documenting a proof of intent of a particular signer and not just a click of a user (which could be theoretically anybody).

 
  • An electronic document is signed with SignDoc® in exactly the same manner as it would be signed on a piece of paper. This kind of electronic signature is also known as a "dynamic signature", "biometric signature" or "on-line signature".
  • Signature data is captured using one of many supported signature capture devices such as a signature pad, pen pad, an interactive pen display or a Tablet PC.
    >> [ Overview about Signature Capturing Devices ]
  • The authenticity of the signature can be verified at any point in time either manually, or using SOFTPRO's unique automatic combo-verification to provide a high level of trustworthiness. This process can be executed on demand or pre-embedded.
  • The integrity of the signature and the document are secured using state-of-the-art technologies for encryption and integrity protection.
SOFTPRO’s technology secures non-repudiation of electronic processes to ensure that your documents are legally binding.
 
>> [ Statement about the conclusiveness of e-signatures with SignDoc ]
 
Signatures are part of the handwriting process. The signature of each individual is assumed to be unique because of the complex nature of the writing process, the relatively large number of elements and the variability over writers in the forms of these elements.

A dynamic signature captured and embedded with SignDoc® looks identical in all respects to a person’s original wet ink signature.

Better than Ink Signatures

It is much more than just an electronic image: The signature contains biometric information about how the signature was signed such as speed and pressure of pen strokes. These characteristics represent a biometric profile which is unique to every individual and cannot be reproduced by a forger.

The biometric information of a handwritten signature captured on appropriate devices includes signals of location (x, y coordinates), time (t) and pressure levels (z).

Widely accepted and intuitive to use

Unlike other biometric technologies such as fingerprints, facial scan, or iris scan, a dynamic signature is more accessible and accepted because it is non-intrusive and does not convey a sense of criminality. For this reason, people are less hesitant to use dynamic signatures for completing business transactions than other biometric technologies since signing has already been an accepted form of authentication and authorization for hundreds of years.

Best Biometrics to prove an intent

In addition to advantages such as the cultural acceptance of signatures, dynamic signatures also offer some of the best biometrics with respect to uniqueness and repeatability thus sealing your transactions in a secure manner and removing any question as to the identity of the signer.

In order to understand what is necessary to trust a signature it is important to keep in mind that forensic experts rely on the holistic analysis of signatures, i.e. they look at and take into account the paper features, type of stylus, the ink flow and “visible” pressure. Most forensic experts exposed to the analysis of dynamic signatures tend to forget to apply the same principles. The equivalent holistic approach for dynamic signatures must take into account which device was used for signature capture, the device features and maybe even the signing environment and the co-relations to the signing process.

Comparison of static characteristics and dynamic signals of a handwritten signature using SOFTPRO's forensic analyzing tool "SignAlyze".
Signatures may be digitized during the signing process instead of scanning them from paper using a wide range of instruments. Please check our special page for details.
>> [ Signature Capturing Devices ]
 
A lot of e-signing solutions on the market have weak links when it comes to the signature itself:
  • Some solutions are primarily designed to seal a document in reliable manner, but use the signature more or less as a decoration, to quote one vendor: "the signature is a graphical representation of the signature".
  • Most of the solutions on the market lack a clear strategy on a "minimum quality for trustworthy signature capturing". What might be an advantage in the first stage - as a solution may also run on a Pocket PC and/or devices that do not support the differentiation into pressure levels as well as sufficient time signals - might result in disappointment whenever a signature is in doubt and needs to be verified.
So, while it might be enough for quick and dirty "capture a signature and pin it somehow to a document" the process is neither fully secured nor does it have the same level of trustworthiness.

Best Practice Aspects for reliable Dynamic Signatures Data

A proper comparison of static signature characteristics and dynamic signature signals requires a digitizing instrument that takes a sufficient number of time signals. It also has to be able to differentiate between various pressure levels and to provide an appropriate resolution rate. These requirements are also reflected in the standard for the interchange of biometric signature data (ISO/IEC FDIS 19794-7). This standard was co-defined by SOFTPRO's scientists, who have played an active role for years in the International Standardization Organization (ISO). SOFTPRO also collaborates with Forensic Institutes to secure best practice in signature verification.

  • Forensic experts require precise information on the relation of force applied and pressure levels. Manufacturers of signature capturing devices must make this sort of “pressure curve chart” available to vendors of signature verification software and to the forensic experts.
  • A reliable capturing device has to record the same pressure levels in all segments of the capturing area with the same precision when the same force is being applied. When capturing signatures on different tablets of the same type from the same manufacturer signal data must not exceed a certain tolerance level, otherwise an analysis or verification would have to be adjusted to each device.
  • The ergonomics of the writing tablet must reflect the typical signing situation and ideally provide for a "paper-like" surface (which imitates the writing feeling on paper as close as possible).
  • The capturing technology must exclude the capturing of unwanted "overspill" information such as signals from a thumb ball that touched the capturing surface while signing.
  • In addition, for non-repudiation, security and auditing purposes, the capturing device must provide a unique serial number, a device id number* and trustworthy communication between device (firmware) and device driver (operating system).

Authenticity - "Who was signing the document"?
 
SignDoc is based on the SignWare® Software Development Kit which includes SOFTPRO's unique signature combo-verification. It compares both the static image characteristics and dynamic signals to a known reference signature. The verification automatically takes into account the natural variations in the signer's signature characteristics so that the capture and verification is effective in any situation. If the character set is not within a certain tolerance level, the signature has very likely been forged.

In the absence of dynamic signature parameters, static features may be used for comparison. Static technology has been successfully used for more than a decade in financial institutions worldwide.

This allows smooth transition from the paper to the electronic world.

SignAlyze is an optional add-on to SOFTPRO's Software Development Kit SignWare®. This video is a "hands-on" educational introduction to the sophisticated toolbox which visualizes the various aspects of dynamic (biometric) signature characteristics. It explains some of the security features provided in SignWare and SignDoc. SignAlyze is not targeting the newbie but rather the expert working for fraud departments, in forensic analysis and everyone interested in the "science of signing".


 
In most cases signature verification is a task executed on demand, if the authenticity of a signature is in doubt.

 
SignDoc also supports processes where documents are only processed and archived if their signers were authenticated.

For this task SignDoc works seamlessly together with SignArchive - SOFTPRO's lightweight, easy to install and easy to use signature storage and administration solution.


A typical usage scenario appears in procurement processes:
  • In order to obtain some goods an increasing number of enterprises use electronic forms - SignDoc Web provides a comprehensive toolbox for such solutions.
  • SignDoc now can be configured to verify signatures before they are accepted as signatures of persons that are authorized to participate in a procurement process.
This procedure is also called "pre-embedded verification" and completes the whole process scenario under security aspects: Signatories' signatures are verified through SignArchive, which validates the signers' authenticity and subsequently the signed documents' integrity is protected through SignDoc.
>> [ SignArchive Product Information ]
 
Checking Integrity: "Has the document been manipulated after signing"?
 
Standard PDF-viewers can display signatures of a PDF-document which has been signed with SignDoc. Most of them, notably the popular free Adobe Reader®, are also able to check the document's integrity.
 
Checking Plausibility: "Who was signing what when (why)"?
In our experience electronic documents are modified several times within a "typical" document workflow. Hence there may be different versions of documents which will be signed. It is important to know what has actually been signed by which signer.
 
SignDoc displays the signature fields in a tree-view that can also be used to display the version of the document that has been signed with a particular signature.
Thus it is easy to compare different versions of a document that occurred throughout a document's potentially complex history of modifications and signing ceremonies.
Legal experts have confirmed that an electronic document signed with SignDoc offers at least the same level of security as a traditionally signed paper document.

Laws and regulations for electronic signatures vary around the globe. It is important to understand that laws on electronic transactions typically include laws and/or regulations on Electronic Signatures. Only in some cases do separate bills/acts for e-signatures exist.

There is confusion between the terms electronic signature and digital signature. Most, especially those with an information theory or cryptography background, use "digital signature" to refer to a digital signature protocol using cryptographic techniques, as is sometimes applied to an 'electronic document'. Many, however, use the terms interchangeably. This leads to a considerable amount of confusion, as cryptographic signature techniques are, whatever the term used, very different from other electronic signatures and have extremely different security properties. Since it is the security properties which are of interest in signatures of all kinds, this is a very significant distinction.

Terminology Electronic vs. Digital Signature

Electronic Signature
 
An "electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."*
This definition includes such basic procedures as typed names, a click-through in a software dialog with some ID, or digitized images of handwritten signatures (without biometric features of course).
* Definition under US Uniform Electronic Transactions Act (UETA) §2[8] and US Electronic Signature in Global and National Commerce Act (E-SIGN ACT) §106
 
Food and Drug Administration 21 CFR Sec. 11.3 definitions: (7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
 
All these forms of electronic signatures are considered "legal electronic signatures" in the US or EU for example, however their power to prove a particular transaction may be weak.
Digital Signature
 
A "digital signature" is properly a subset of an electronic signature. One of the best known forms of digital signatures are the well-known complex authentication systems based on Public Key Infrastructures.
 
Food and Drug Administration 21 CFR Sec. 11.3 definitions: (5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
 
At the time when the first versions of laws on electronic signatures were created (e.g. 1997: Germany, Malaysia; 1998: Singapore) there was no such option as a “trustworthy capturing and verification of handwritten signatures – including static images and dynamic (biometric) characteristics” that made it possible to create a reliable e-signature on the basis of a digitized handwritten signature ("biometric signatures"). As a consequence laws usually primarily or only reflect on "digital signatures" (e-signatures created in a public key infrastructure, PKI).

 
SignDoc combines dynamic signatures with digital signatures

SignDoc combines the biometric handwritten signature (which is digitized throughout the writing process) with features of a typical digital signature.

The "European Parliament and Council Directive 1999/93/EG about a Framework for Electronic Signatures" supports a broad technological approach to electronic signatures. It became law in the European countries subsequently beginning in the year 2000. Law makers are gradually reflecting "biometric signatures" now. The European directive does not automatically specify a certain technology. It defines levels of electronic signatures which are considered as "simple", "advanced" or "qualified". There are several ways how dynamic signatures may be used to create electronic signatures:

  • The simple embedding of dynamic signature data into a document results in a "simple" electronic signature.
  • The definition of “advanced electronic signatures” reflects that the trustworthiness of electronic documents is closely linked to the power of proof for authenticity and integrity in the particular application and workflow. The idea of an advanced electronic signature is to provide a proof of intent of a signer and legally binding evidence of a transaction.

    In addition to the option to verify the dynamic signature, this form of signature requires encryption and the option to check that a document has not been tampered with (integrity check, typically via a hash code comparison).

    • Article 2 of the directive has the following definitions:
      1. "electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;
      2. "advanced electronic signature" means an electronic signature which meets the following requirements:
      (a) it is uniquely linked to the signatory;
      (b) it is capable of identifying the signatory;
      (c) it is created using means that the signatory can maintain under his sole control; and
      (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
  • Only "qualified electronic signatures" require the usage of digital certificates and trustworthy devices to carry those (usually a smart card but also possible on USB-tokens). Dynamic signatures may be used in this environment to replace PINs and enhance the usability of this kind of electronic signatures. The German law and regulation on electronic signatures has allowed this explicitly since mid-2001.
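Requirement (d) and the hash comparison mentioned above can be made concrete with a short sketch. This is an added example, not SOFTPRO code and not the SignDoc file format: the function names, the record layout and the sample data are hypothetical, and an HMAC with a constructed key stands in for the certificate-based digital signature so that the code runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the signing key of a certificate-based
# digital signature; HMAC is used only so the example needs no third-party library.
DEMO_KEY = b"constructed-demo-key"


def samples_digest(samples):
    """SHA-256 over a deterministic serialisation of (x, y, t, z) pen samples."""
    blob = json.dumps([list(s) for s in samples], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _tag(doc_hash, sig_hash, key):
    # The seal covers both hashes, so neither can be exchanged on its own.
    return hmac.new(key, f"{doc_hash}:{sig_hash}".encode(), hashlib.sha256).hexdigest()


def seal(document, samples, key=DEMO_KEY):
    """Bind the captured signature data to exactly this document version."""
    doc_hash = hashlib.sha256(document).hexdigest()
    sig_hash = samples_digest(samples)
    return {"doc_sha256": doc_hash, "sig_sha256": sig_hash,
            "samples": [list(s) for s in samples],
            "tag": _tag(doc_hash, sig_hash, key)}


def verify(document, record, key=DEMO_KEY):
    """Return 'valid' or the first reason the binding no longer holds."""
    expected = _tag(record["doc_sha256"], record["sig_sha256"], key)
    if not hmac.compare_digest(expected, record["tag"]):
        return "seal invalid"
    if hashlib.sha256(document).hexdigest() != record["doc_sha256"]:
        return "document changed"
    if samples_digest(record["samples"]) != record["sig_sha256"]:
        return "signature data changed"
    return "valid"


def demo():
    # Constructed sample input: a short document and four pen samples (x, y, t, z).
    original = b"Purchase order 1: 10 units"
    altered = b"Purchase order 1: 90 units"
    samples = [(102, 340, 0, 211), (105, 338, 8, 260),
               (111, 335, 16, 301), (118, 336, 24, 180)]
    record = seal(original, samples)

    results = {"untouched": verify(original, record),
               "edited_document": verify(altered, record)}

    # Record copied onto the altered document with the stored hash rewritten to
    # match: a bare hash would pass, the keyed seal does not.
    forged = dict(record, doc_sha256=hashlib.sha256(altered).hexdigest())
    results["transplanted"] = verify(altered, forged)

    # Pen samples replaced while the rest of the record is kept.
    swapped = dict(record, samples=[[1, 1, 0, 1]])
    results["swapped_samples"] = verify(original, swapped)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

A pasted signature image or unbound digital ink has no equivalent of the `tag` field, which is why the same image can be moved to any document without detection.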
The terminology of an "advanced electronic signature" is not a global term. The United Nations Commission on International Trade Law (UNCITRAL) published a model law which includes terminology recommendations however they are not binding.
>> [ UNCITRAL Model Law on Electronic Signatures with Guide to Enactment One United Nations Commission on International Trade Law ]
 
Hence requirements similar to those outlined in the European directive for an "advanced electronic signature" are defined in different wording in several countries. Some examples:
  • The Australian Electronic Transactions Act 1999 defines in §10 similar requirements for electronic signatures without using a specific signature classification.
  • Even within the European Union some laws in some countries are not equivalent to the EU-legislation: The Austrian law uses the equivalent of a “secure electronic signature” instead of the EU-terminology of a “qualified electronic signature” and so does the law in Poland.
  • Indonesia: Law No 11 of 2008 regarding Information and Electronic Transactions (Undang-undang Informasi dan Transaksi Elektronik / UU ITE – also called “ETI law”)
  • Singapore: §17 of the Electronic Transactions Act 1998 describes the requirements of a "secure electronic signature".
  • United Arab Emirates: §20 of the Electronic Transactions and Commerce Law No.2/2002 describes the requirements of a "Protected Electronic Signature".


 
SignDoc makes e-Signing easy to understand and secure

SignDoc and SignDoc Web use the same established standard format for digital signatures which ensures that document and signature integrity can be validated in standard PDF viewers.

  • Within the outer hull of a certificate based digital signature the biometric signature data is stored in encrypted format.
  • Through usage of a public / private key pair for the signature data SignDoc ensures that integration with signature databases (SignBase or SignArchive) is possible without compromising the overall security of the acquired dynamic signatures.

SignDoc facilitates the compliance of processes conforming to regulations and laws on electronic signatures such as the following ones:
 
Depending on the application, the vertical and the country in which the application is intended for use there are additional legislations and industry regulations and standards which may need to be considered.
>> [ United States: Uniform Electronic Transactions Act (UETA) ]
Model act and legal framework for electronic transactions giving electronic signatures and records the same validity and enforceability as manual signatures and paper-based transactions.

Note that besides the laws on electronic signatures there are laws such as a Civil Code that may also define the applicability of an electronic signature. For example in Germany the German Civil Code ("Bürgerliches Gesetzbuch, BGB") defines a written form requirement ("Schriftformerfordernis") for a very few documents such as a

  • consumer loan contract (see section 492)
  • time share agreement (see section 484)
  • life annuity commitment (see section 761)
  • contract of suretyship (see section 766)
  • promise to fulfil an obligation (see section 780)
  • acknowledgement of a debt (see section 781)
>> [ Germany: Civil Code (in English) ]
Side Note: The German Civil Code served as a template for the regulations of several other civil law jurisdictions. Hence you will find similarities in the civil law of Portugal, mainland China, Japan, South Korea, Taiwan, Greece and the Ukraine.
 

>> [ United States: FDA E-RECORD Regulation Framework for Electronic Signatures. (21, CFR Part11) ]
The US Food & Drug Administration (FDA) dominates worldwide as an authority, issuing approvals and surveying quality assurance processes. The FDA E-RECORD Regulation Framework for Electronic Signatures contains a pragmatic definition of requirements with high acceptance in industry and administration: Requirements for electronic documents should not be superior to those on paper based documents. Records must clearly indicate:

  • The printed name of the signer
  • The date and time of signature execution
  • The intended meaning (review, approval, etc.) associated with the signature
>> [ United States: Health Insurance Portability and Accountability Act (HIPAA) of 1996 ]
Doctors and pharmacies in the United States are compelled to implement workflow automation processes that allow for the signing of HIPAA regulated forms (informed consent for the transfer of medical information) without paper. SignDoc can ease hospitals and pharmacies from the "paper burden".
  >> [ United States: Government Paperwork Elimination Act (GPEA) of 1998 ]
In its revised version of October 21, 2003 GPEA requires agencies to provide for the use and acceptance of electronic signatures where such signatures are applicable.
 

The European Commission provides a basic overview and understanding of what became law and practice in the various EU countries. However this overview concentrates on government applications primarily and does not reflect requirements in specific industries.
>> [ European Commission: E-Signature in Government applications in the EU ]

An additional source of information may be found at the multilingual online encyclopedia Wikipedia. Note that content in Wikipedia may not always be accurate and/or up to date. However Wikipedia offers at least a good entry point for a more detailed research.
>> [ Wikipedia about ... Electronic Signatures ]
>> [ Wikipedia about ... Digital Signatures ]
... precisely described as a sub-set of electronic signatures in this entry of the online encyclopedia.
>> [ Wikipedia about ... Digital Signatures and Law ]

If expert legal assistance is required, the services of a competent legal professional for the legal situation in the particular country / countries where the application is intended to be rolled-out and the particular vertical should be sought.

While every effort has been taken to ensure that all details are correct, SOFTPRO cannot accept any responsibility for the accuracy of information, nor for the consequences of any actions taken or not taken as a result of this information. Reasonable efforts have been made at the time of publishing to examine the accuracy of the content and publications linked to on this web site, but no responsibility is taken for the contents contained on such links.

Downloads

Code: A11
Title: SignDoc - Product Description
Last Update: 2010-02-02
Language: en, de
Status: available
Brochure describing benefits and features of SignDoc