
Is a digital signature binding with just a valid certificate?

15 May, 2020

Relaxation of the Covid-19 lockdown has begun, and we are slowly returning to normality. The Coronavirus crisis has demonstrated the need for businesses to move to remote working and digitisation in their processes in order to keep running. And business processes span everything from providing/producing services to internal administration. Digital technology has been indispensable during the pandemic to enable businesses to survive. Of all the tools available, legally effective document signature without unnecessary face-to-face meetings has enabled many businesses to keep operating during the weeks of lockdown.

Digital signature is a technology that allows any kind of document to be signed remotely, in real time and with full legal effect, thanks to the certificate of evidence generated by each transaction. Electronic signatures are legally binding and cannot be repudiated. That means that a person cannot deny that they entered into a given transaction. This is ensured by the combination of authentication and integrity.

But … Is a certificate enough on its own to make a digital signature legally binding? Let’s look at some of the detail:

  • Confirmation of legal capacity: for a digital signature to be accepted by a judge or court it also has to be shown that the signatory was well enough (i.e., that they were fully in possession of their mental faculties) to sign. Since that is hard to confirm digitally, the law provides that certain important legal documents still have to be signed in person, in the presence of a sworn person (such as a notary or civil servant in Spain). As techniques for assessing a person’s behaviour improve (for example, comparing their current computer behaviour against their normal behaviour), this may also become something that can be done remotely with full legal effect.
  • Confirmation of “integrity”: there are a number of aspects to this, such as ensuring that the signatory has read the document, the signature technology itself and storage of the signature as evidence for the future. In greater detail:
    1. Belgian notaries are required to read aloud the key points in a notarial deed to make sure that the signatory has heard at least the important parts. Nevertheless, the most common thing (and something that we see every day on websites) is a box for us to tick to confirm that we have read and understood the content before we can carry on.
  • Written signature: A digital written signature is intended to be digital proof that a person has signed a document. Here, too, there are many different ways of proceeding with different levels of security:
    1. A box that the signatory ticks to confirm the transaction. The only evidence then is the audit log that shows that the signatory did tick the box. From a legal point of view, that evidence is fairly weak.
    2. Scan of a physical signature
    3. An electronic signature that is independent of the actual content. Although this method provides authentication (the signatory can be authenticated and the signature is uniquely associated with the signatory), integrity can only be confirmed by a code check.
    4. A signature bound to key features of the transaction (for example, a unique document reference number, the quantity …). When the document is signed, the signature’s hash includes those features, so any later change to any of them invalidates the signature.
  • Storing a signature: Another important issue in “integrity” is the way in which an electronic signature created during the signature process is stored. That includes whether only the code for the signature is stored or the whole signature and how information relating to the signature is stored. If signature information is stored in a standard database, it may still be possible to tamper with the signature after the transaction has been entered into.
    1. A common technique to avoid this kind of fraud is storing signature data in a non-repudiation database (i.e. a database that does not allow any change to stored data), or relying on third-party replication of the data associated with a person’s signature by way of confirmation.
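The last two points above (a signature whose hash covers key transaction features, and signature storage that resists later tampering) can be shown together. This is an added example, not code from the original article or from any product it describes: the function names are hypothetical, an HMAC with a constructed key stands in for a certificate-backed signature, and a hash chain stands in for the "non-repudiation database".

```python
import hashlib, hmac, json

SIGNER_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for a certificate-backed signature
GENESIS = "0" * 64

def canonical(obj) -> bytes:
    """Stable byte encoding so equal data always hashes to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_transaction(document: bytes, features: dict) -> dict:
    """Sign the document digest together with the key transaction features."""
    signed = {"doc_sha256": hashlib.sha256(document).hexdigest(), "features": dict(features)}
    tag = hmac.new(SIGNER_KEY, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": tag}

def verify_transaction(record: dict, document: bytes, features: dict) -> bool:
    """True only if the document and every signed feature are unchanged."""
    expected = sign_transaction(document, features)["signature"]
    return hmac.compare_digest(expected, record["signature"])

def entry_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def append_entry(log: list, record: dict) -> str:
    """Append a record chained to the previous entry; return the new head hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev, "entry_hash": entry_hash(prev, record)})
    return log[-1]["entry_hash"]

def first_tampered_index(log: list, trusted_head: str):
    """Index of the first altered entry, len(log) if only the head differs, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["entry_hash"]
    return None if prev == trusted_head else len(log)

if __name__ == "__main__":
    doc = b"Constructed sample contract text"
    rec = sign_transaction(doc, {"doc_ref": "DOC-0001", "quantity": 10})
    print(verify_transaction(rec, doc, {"doc_ref": "DOC-0001", "quantity": 10}))
    print(verify_transaction(rec, doc, {"doc_ref": "DOC-0001", "quantity": 11}))
    log = []
    head = append_entry(log, rec)  # a copy of this head is what a third party would hold
    log[0]["record"]["signed"]["features"]["quantity"] = 11
    print(first_tampered_index(log, head))
```

The `trusted_head` value must be held outside the database being checked, which is the role third-party replication plays in the text: someone who can rewrite every row can rebuild a self-consistent chain, but cannot change a head hash they do not control.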

In summary, there’s more to think about with digital signatures than just the associated certificate and it’s clear that digital transformation is picking up speed in the current situation. There are many things to consider when you move to using digital signatures, such as usability, cost, the level of security and the risk of repudiation. Whilst there will always be different levels of usability to choose from, we can expect the other factors to converge on the highest level of security and lowest risk of repudiation as today’s more sophisticated technologies become tomorrow’s (much cheaper) entry-level features. Given all of that, we need to consider multiple variables to introduce a model of digital signature that provides complete confidence.

Does your business need to use digital signatures to streamline its processes?

If you would like to know more about the advantages of digital authentication and integrity, request a demonstration and see for yourself, or contact us. We are here to help you and answer all your questions.
