The primary objective of electronic signatures is no different to that of a wet ink signature, which we described in our first blog. It attests that the signatory understands the content and confirms their agreement. The signature then provides proof of that agreement to a third party, or as a legal obligation in the future. In other words, it is all about trust: trust in the identity of the signatory, the content, and the link between the two. In a digital world, we also aim to establish this trust. The legal value of an electronic signature will depend on its ability to prove who applied it and that the signed data has not changed after the signature was completed.
We explore below a simplified version of what happens behind the scenes in an e-Signing process.
Electronic signing can be as simple as drawing your name on an electronic document. As we will see in our next blog, while not all electronic signatures are equal and equivalent to a handwritten signature, European regulation (eIDAS) says that “a signature cannot be denied legal effect just because it is in electronic form”. However, a more trustworthy e-Signature is supported by an encryption mechanism based on public and private keys. A strong signature confirms that only the signatory can have signed the document (as the only person with access to the private key), and ensures the documents (or messages) have not been forged or tampered with, as can be verified by all with a public key. In other cases it can also ensure the confidentiality of the document, or provide proof of sending and receiving. To manage, issue, and revoke these keys, a Public Key Infrastructure (PKI) is needed.
PKI is the technical enabler behind an e-Signature. It solves the problem of “trust at scale”. For example, if you organise a birthday party and invite trusted friends to your home, you do not expect them to damage your house or steal your belongings. However, if one of your friends wants to bring another friend to your home, you rely on her or his assessment of that person. In other words, you trust the unknown person because you trust your friend. Trust works similarly in digital communication. We simply cannot vet and trust everyone ourselves. Instead, we choose to rely on a trusted third party to issue ‘certificates’ that verify the person is the owner of a public key. This party is known as the PKI’s Certificate Authority (CA). In the digital world, if we trust a particular CA we automatically trust the certificates issued by it. In other words, we trust the identities they bring to the party. We can now verify that the signatures placed by this person are valid. This issuer can be within the same organisation, or it can be a public company or government.
Signing is not the same as verifying an identity or a signature. After all, only the intended person should be able to sign, whilst other individuals (or organisations) should be able to verify the signature. This is made possible by “asymmetric cryptographic algorithms”, whereby a PKI uses a pair of keys (private and public) to verify the identity of the signing party. The private key is known only to the user placing the signature and needs to be kept safe and secure. If it is compromised, others could sign in the user’s name. The certificate with the public key is usually embedded with the digital signature, allowing everyone to validate the signature and therefore the integrity of the document. How it works is shown in the graphic below, in a simplified version.
In short, a unique hash of the document is generated and then encrypted with the user’s private key. The signing certificate placed with the signature includes the public key, allowing anyone to decrypt the provided hash and compare it with the actual hash of the document. If the hash values match, the signature is valid, and the integrity of the document is therefore proven.
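The hash-and-sign flow above, together with the CA trust step described earlier, as an added example (not code from the original blog or from any signing product). It assumes textbook RSA without padding and fixed demo keys built from Mersenne primes, and the names Alice and Mallory are hypothetical; production signing uses a padded scheme from a vetted cryptographic library.

```python
import hashlib

E = 65537  # public exponent shared by all demo keys

def keypair(p, q):  # textbook RSA key pair from two primes: (public, private)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    n, d = private
    return pow(digest(data), d, n)  # transform the hash with the private key

def verify(data: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data)  # recover the hash and compare

def cert_body(subject, public) -> bytes:
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(subject, public, ca_private):
    """The CA vouches that this public key belongs to this subject."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(cert_body(subject, public), ca_private)}

def validate(document, signature, cert, trusted_ca_public) -> str:
    body = cert_body(cert["subject"], cert["public"])
    if not verify(body, cert["ca_sig"], trusted_ca_public):
        return "untrusted certificate"
    if not verify(document, signature, cert["public"]):
        return "document altered or not signed by certificate holder"
    return "valid"

# Constructed demo keys from Mersenne primes: deterministic, NOT secure.
m = lambda k: 2**k - 1
CA_PUB, CA_PRIV = keypair(m(1279), m(2203))
ALICE_PUB, ALICE_PRIV = keypair(m(521), m(607))
MALLORY_PUB, MALLORY_PRIV = keypair(m(2281), m(3217))
DOC = b"Contract: Alice agrees to pay 100 EUR."  # constructed sample document
CERT = issue_certificate("Alice", ALICE_PUB, CA_PRIV)
SIG = sign(DOC, ALICE_PRIV)
FORGED_CERT = issue_certificate("Alice", MALLORY_PUB, MALLORY_PRIV)

if __name__ == "__main__":
    print(validate(DOC, SIG, CERT, CA_PUB))
    print(validate(DOC.replace(b"100", b"900"), SIG, CERT, CA_PUB))
    print(validate(DOC, sign(DOC, MALLORY_PRIV), FORGED_CERT, CA_PUB))
```

The verifier holds only the CA's public key: the second call fails because the document hash no longer matches, and the third fails because the certificate naming Alice was not issued by the trusted CA.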
This process can be difficult to understand for the typical end-user. Fortunately, signing solutions make the process as easy as possible.
We have outlined why e-Signing is not simply about an electronic signature or documentation storage. It is about making a trustworthy link with the person signing, understanding what this signature represents, verifying that signatures are valid, and finally verifying the integrity of the document between the time of signature and the time of validation. We therefore recommend approaching e-Signing from a comprehensive perspective, based on five key building blocks to help build a solution that fits the organisation and its use cases. This approach ensures that the organisation addresses the essential questions to understand what capabilities are needed.
In this blog, we established the key technical mechanisms behind e-Signing and presented the building blocks approach recommended to understand the capability requirements. If you would like to know more about our e-Signing capability framework and how Deloitte can help you navigate it, please reach out to our key contacts below.