Friday, June 26th, 2015

Decent Digital Signatures

Digital signatures, also known as e-signatures, have been with us for some time now. For instance, a European Union directive of 1999 conferred legal status on electronic signatures. By 2003 it had been followed by national legislation in the member states.

There are many implementations of this new technology. A surprising number of them choose to deviate from what I would call decent practices for using digital signatures.

As a side note, the term e-signatures (e for electronic) is still used in legal text. Of course, signatures are not about being electronic but about being digital. For instance, a DVD disc is not electronic, nor is a bar code printed on paper, but they certainly are digital. Both may be used to store digital signatures.

Signing a document with ink on paper is a well-known procedure to most people. If signing uses sophisticated digital technology, the sophistication must not make the procedure incomprehensible to the average signer.

I propose the following basic tenets for decent digital signature practice.

Tenet 1: The signed document is a specific visual impression. All of it is considered signed, nothing else is considered signed.

Sometimes the opinion is heard that a signature “really” applies to the semantic contents of the document. This is a purely theoretical idea. Any normal person refuses to admit that they signed a document unless they see the text (or other contents) laid out exactly as they once saw it. Is it really possible to say that formatting and layout do not contribute to the semantics?

Tenet 2: Signing means that at least two parties are involved. After signing the parties obtain identical copies of the signed document, including the signatures of all parties. They are free to manage their copies in any way they see fit.

Where there really is only a one-sided commitment, the digital world uses authentication instead.

The two tenets proposed above are a matter of course in the world of paper documents. They have been standard practice for ages.

I find it disturbing that few digital signing environments support those simple principles. I have yet to see an implementation that lets users access even their own signatures. Major Swedish public sector agencies display data to users and then have them sign something else. This is done on a large scale.

The technology itself, signing cryptographically by means of a certificate, has been accepted as legally binding. This is not to say that all implementations using the technology are free from legal objections.
