A bit of a shell game


Last time we learned about the difference between an electronic signature - basically any way of signing a document electronically - and a digital signature, which is a cryptographic mechanism that can be used to implement electronic signatures, among other things. Modern digital signatures most often use the Public Key Infrastructure, or PKI, to generate and verify keys.

So for you to properly e-sign your document (and I'm really simplifying things for illustration here) you need three things: a private key that locks things up, a public key that can only be used to read things locked by your private key, and a certificate that somehow verifies that the public key belongs to you and only you.

Wait, let's back up for a moment. You've generated your PKI key pair, right? Registered the public key with a certificate authority? No? So how did you e-sign all those documents?

Right.

Well, as it turns out it's just too difficult to have everyone manage their own keys and certificates and webs of trust.

Instead, we have 3rd party providers like Docusign and Adobe that provide the keys and the digital certificates, and they sign the data on your behalf. Kinda like this, borrowed from DocuSign's website:

Great. Now they can prove that the signature is valid, the data hasn't been tampered with, and that they are who they said they are.

Wait, what was that last bit? Surely there's something missing here? I mean, isn't the whole point of this exercise so that you can prove that you signed the document?
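What the provider's signature does and does not prove, as an added Go sketch (not code from this post, DocuSign or Adobe). The `Envelope` format, the names and the sample document are constructed, and Ed25519 stands in for whatever algorithm a real provider uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Envelope is a hypothetical sealed record, not any vendor's real format.
type Envelope struct {
	Document string `json:"document"`
	SignedBy string `json:"signed_by"` // the provider's claim about who signed
}

// Seal signs the envelope with the PROVIDER's private key, not the signer's.
func Seal(providerKey ed25519.PrivateKey, e Envelope) ([]byte, []byte) {
	payload, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	return payload, ed25519.Sign(providerKey, payload)
}

// Verify proves integrity and provider origin; SignedBy is only data inside the seal.
func Verify(providerPub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(providerPub, payload, sig)
}

func Demo() (sealedOK, tamperedOK, relabelledOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := "Batch record 42 approved" // constructed sample document
	p1, s1 := Seal(priv, Envelope{doc, "alice@example.com"})
	sealedOK = Verify(pub, p1, s1) // the provider's seal checks out
	tampered := bytes.Replace(p1, []byte("approved"), []byte("rejected"), 1)
	tamperedOK = Verify(pub, tampered, s1) // any edit to the data breaks the seal
	// Same document attributed to someone else: the seal is exactly as valid.
	p2, s2 := Seal(priv, Envelope{doc, "bob@example.com"})
	relabelledOK = Verify(pub, p2, s2)
	return
}

func main() {
	a, t, b := Demo()
	fmt.Printf("sealed=%v tampered=%v relabelled=%v\n", a, t, b)
}
```

Both attributions verify because the only key involved is the provider's; the name in `signed_by` is as trustworthy as the provider's process for checking it, and no more.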

Until next time, thanks for reading!

– Brendan

The Daily HaiQu

I'm Brendan Hyland. I help regulated facilities transform their software, spreadsheets, workflows and documents from time-consuming, deviation-invoking, regulatory burdens, to the competitive advantage they were meant to be. Join me every weekday as we take a few minutes to explore, design, test and improve the critical systems we use in our facilities.
