How to Digitally "Sign" a document

Question

I don't like paper documents. I like everything stored on a server. I'd like to avoid printing, signing, and scanning, if possible.

How do I get signatures from people to sign-off on forms and still keep it digital?

The purpose of signing is to prove that certain departments have OK'd the document. Most of these people are non-technical.

The ideal is that each person would open the document and type in their name and close the document. The problem is that how do I know that Fred didn't sign for Ralph.

Answer 1

There are myriad approaches discussed in Schneier's Applied Cryptography.

Much of what you're looking for comes down to a Digital Signature Algorithm (DSA) - of which NIST has one, asymetric encryption algorithms can provide, etc.

The simple route would be to collect delivery and read receipts on email, but that's not fool-proof.

Answer 2

There's two ways to take this question:

• What technical means can I use to obtain digital signatures?
• Which means of obtaining digital signatures can I use that will hold up against (insert internal review process here)?

If they're just for your own records, then the second question isn't important. Otherwise your organization's auditing department is going to have a say.

Answer 3

The term "signature" is used a little loosely in this context. It doesn't mean someone using handwriting to sign their name - it means having a person leave some sort of digital data that proves they approved the document.

Adobe Acrobat has the ability to do digital signatures.

Answer 4

Do you have control over the people you're interacting with such that you could make them create GPG keys and use them to sign documents? If so, problem solved.

Answer 5

The question you need to ask is "what purpose does a physical signature serve?" A "digital signature" serves different purposes than a physical one. And a physical signature looses pretty much all its value on a scanned document.

What you probably want is just a way for people to say "yes, I am OK with this". In that case, you just need a web site they can log into and check a box.

Answer 6

Each person who might sign a digital document needs a public/private key pair assigned to them, that cannot be forged.

Then you've got to find a way to keep each person's private key secure - how can that person use it, but nobody else? There is a lot of creative work going on in this area right now. Some of it requires each person to carry a hardware key (card, thumb drive, whatever) which must be used to sign each document. Sometimes the private keys are stored in a database and the signer must provide a password to sign a document.

A key pair is applied to a document by creating a hash of the document and then encrypting the hash using the private key. The encrypted hash is the 'digital signature' and is attached to the document. Since nobody other than the signer can use the private key (supposedly) you know that the signature is authentic.

You can verify the signature by decrypting the hash using the public key, which is available to everyone. If the decrypted hash does not match, then either the document was modified after it was signed, or it was signed by someone else.

Answer 7

one thing we've been looking into is using the little touch pad on laptops for getting customer signatures. When you think about it, it's not much different than the little thing you use to sign for UPS deliveries. We've found a few APIs floating around with little effort so far.

Answer 8

There is software for adding a digital security component to a handwritten signature. The signature is captured using some sort of touchpad device, and stored in the document. Then the software digitally signs the entire document including the signature graphic, to prove that the document was not changed since the signature was applied.

Answer 9

Now that you've clarified what you need, I think the best solution is to:

1. Make a web site
2. Give people unique log-ins with passwords
3. Allow them to view the documents
4. Have a form where they check a box that says "I agree to such-and-such"

You'll probably also want to include the idea of "groups" so you can expose certain documents to just "The Acme Co. Shipping Dept." and allow any member of that group to sign-off on those documents.

Answer 10

There are legal regulations defining what qualifies as a digital signature (electronic signature, or "eSignature"). In the USA, there is an act called "Uniform Electronic Transactions Act" (UETA), describing how a digital signature is defined and used in legal context.

Basically, the following components may be involved:

• An electronic document, representing the form with legal obligations when signature is applied.
• A digital signal (picture, sound, etc.) applied additionally to the above document, serving as a signature, i.e. legally accepted proof of approving the document. (The most straight-forward example is applying a transparent picture of a person's hand-written signature onto a PDF document.)
• A digital certificate key pair (with validation from approved Certificate Authorities) to "tamper seal" the document. Using the private key to "sign" the document, legal authorities can use the public key to verify the integrity of the document.
• A "vault" system to store the tamper-sealed document for later legal inquiries.

One may argue that not all of the steps are necessary; however, in certain industries, step 3 and 4 are required by legal regulations, as these are designated to prevent forgery or spoofing. As a result, step 3 is most likely perform by / with a Notary, and sometimes performed together with step 2.

For step 2 and 3, APIs and examples are available on the internet. Adobe PDF's API can deal with both steps, and some open-source components can deal with individual steps. One such example of using an open-source component, iTextSharp, is in CodeProject: E-signing PDF documents with iTextSharp. For more information about eSignature in general, please look at the Wikipedia page Electronic Signature.

Answer 11

Having been searching for a system to this, I've just found docshaker.com on killerstartups. It pretty much allow you to do as you've just described Neall.