When discussing anything legal, it is important to remember that every jurisdiction has slightly different rules and regulations regarding digital and electronic signatures. Learn about what a digital signature is, the purpose of it, and the legal requirements associated with it in the United States and European Union.
What Constitutes a Digital Signature?
Digital signatures are a special class of secure electronic signatures. They take advantage of public key infrastructure (PKI) to authenticate and identify the author of various things such as documents, applications, programs, or other types of electronic files.
A digital signature certificate is a PKI-based certificate that authenticates the identity of the signer and ensures that electronically transmitted documents and digital messages have not been forged or tampered with. Public-key cryptography is what allows a record to be properly authenticated. The digital signature itself is cryptographic data embedded in or attached to the file, and it can be rendered visually if the use case requires it.
They are similar to physical signatures on paper documents in that both are unique to the signer. A digitally signed document, however, offers far more security, along with assurance of the document's origin, identity, and integrity. Because they are based on the highest standards of security, digital signatures are legally binding in the United States and many other countries.
With their secure cryptographic methods, digital signatures comply with the strictest regulations, including the United States Electronic Signatures in Global and National Commerce Act (ESIGN Act), the Uniform Electronic Transactions Act (UETA), and other international laws.
The Difference Between a Digital Signature and an Electronic Signature
Although many people often use the terms interchangeably, electronic signatures and digital signatures are not, in fact, the same. The distinction is incredibly important from a legal perspective.
Electronic signatures are the broadest set of solutions that use an electronic process for affixing a document or transaction with a signature. The use of this type of signature has grown incredibly over time as documents and communication increasingly move into the digital realm, and businesses and consumers worldwide embrace the solution's speed and convenience. But there are many different types of electronic signatures, each allowing users to sign documents digitally and offering some degree of identity authentication.
Digital signatures are one type of electronic signature, and they are the most secure. They rely on digital PKI certificates issued by a trusted certificate authority (CA) like Sectigo, which properly authenticates the identity of the requestor. This type of authentication is necessary to ensure the integrity of electronic documents, and linking the identity of the signer directly to the document is the best way to ensure it is legitimate.
Other types of electronic signatures use different, less secure types of electronic authentication. These can include email addresses, phone numbers, or other types of contact information.
To be considered a legitimate digital signing, a few requirements must be met. The most basic is that the signer's identity is bound to a certificate or another type of identifying credential that can be encrypted and authenticated. A PKI-based digital certificate serves this purpose: a public/private key pair is generated by a cryptographic algorithm, the certificate binds the public key to the signer's authenticated identity, and signatures made with the private key can then be validated against that certificate. When this is done, the signature is considered non-repudiable and is tied to the signer's identity.
The digital signature process is more involved than that of simpler electronic signatures, and the details depend largely on the use case.
What is the Purpose of a Digital Signature?
A digital signature uses a secure digital key that certifies the identity of the author of a digital message, electronic form, or document. This gives customers confidence that the signed documents originate from the recognized source and that their electronic records have not been forged or tampered with.
Several different service providers offer digital signatures to address a variety of situations. DocuSign is a popular one, as is Adobe. Adobe Document Signing Certificates offered by Sectigo enable organizations to secure Adobe Acrobat documents with digital signatures. Certification originates from the Adobe Certified Document Services (CDS) or the Certificate Authorities that are members of the Adobe Approved Trust List (AATL). Certification attests that the signer has been verified by Adobe for compliance with its requirements and that the certificate resides on protected hardware.
These signatures, and by extension, their certificates, were developed to help solve the problem of identity and trust. They are a modernization of the long-trusted notarized signature on physical documents. A trusted third party that has itself been vetted by a governing body validates and verifies the identity of a signer. In the case of digital signatures, the trusted third party, which could be a Certificate Authority (CA) like Sectigo, holds this responsibility.
Digital signatures are used in many ways across the internet. These use cases can largely be sorted into three broad categories:
- Non-repudiation - If the signature is attached to a file, message, or document, it can be legally trusted that the owner of the signature was involved. There is no doubt or risk of repudiation, and record retention leaves an audit trail.
- Attribution - Using a signature means that the identity of the signer has been validated by a third-party CA, such as Sectigo. This level of validation and authentication supports the signature's attribution.
- Integrity - Attaching a signature to a file, especially to a message or email, informs the recipient (whether human or system) that the data has not been altered or tampered with during transport. It is important to note that the signature does not itself prevent modification; rather, it lets the recipient detect whether the data was changed after it was signed. This allows the recipient and sender to make an informed decision on how to respond while better understanding possible attack vectors.
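To make the three properties above concrete, here is an added example (not code from this page or from Sectigo) that signs a constructed sample document with an in-memory Ed25519 key pair and then verifies the signature against the original, a tampered copy, and a different signer's key. The in-memory key pair is an assumption standing in for the CA-issued certificate and protected private key a real deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer models one signatory. Assumption for this example: the key pair is held
// in memory instead of a CA-issued certificate plus a hardware-protected key.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for one signatory.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// SignDocument returns a detached signature over the document bytes. The
// document is left unchanged and readable: the signature does not protect
// the content, it only lets a recipient detect changes to it.
func (s *Signer) SignDocument(doc []byte) []byte {
	return ed25519.Sign(s.private, doc)
}

// VerifyDocument reports whether sig was produced over exactly these bytes by
// the holder of the private key matching pub. Any change to doc, or a
// signature made with another key, yields false.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	alice, _ := NewSigner()
	mallory, _ := NewSigner()
	doc := []byte("Purchase agreement: buyer pays 1000 EUR on delivery.") // constructed sample
	sig := alice.SignDocument(doc)
	tampered := []byte("Purchase agreement: buyer pays 9000 EUR on delivery.")

	fmt.Println("original, alice's key:  ", VerifyDocument(alice.Public, doc, sig))      // true
	fmt.Println("tampered, alice's key:  ", VerifyDocument(alice.Public, tampered, sig)) // false
	fmt.Println("original, mallory's key:", VerifyDocument(mallory.Public, doc, sig))    // false
}
```

The second and third checks are the integrity and attribution properties in action: the signature stays bound to the exact bytes signed and to the one key that produced it.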
Is a Digital Signature Legally Binding?
Different jurisdictions will often have slightly different rules and regulations regarding this type of signature. Many laws interpret digital signatures as qualified electronic signatures (QES) or secure electronic certificates. For this reason, in most use cases where simple electronic signatures are accepted for use, so are digital signatures. A digitally signed PDF is legal in most jurisdictions. However, there are situations where a digital signature, and the process associated with it, can be seen as overkill.
Before making any decisions about the type of signature that is best for you or your organization to use, please refer to your local regulation and industry best practices. In this section, we will take a high-level look at legality in the United States (U.S.) and the European Union (EU).
Digital signatures, and electronic signatures in general, are legally binding in the United States. This is largely due to two pieces of regulation, the UETA (Uniform Electronic Transactions Act) drafted in 1999 and the ESIGN Act (Electronic Signatures in Global and National Commerce Act) passed in 2000.
When the Uniform Law Commission drafted the UETA, it intended to create a legal framework that states could use to enact consistent laws concerning electronic signatures at all levels. It laid a foundation of minimum standards covering how records are created, transferred, and ultimately retained, along with the audit trails required along the way.
Before these federal laws were enacted, there were only patchwork state laws and frameworks concerning digital and electronic signature legality. This complicated any type of national standardization effort for organizations in the U.S.
To date, UETA has been enacted by 48 of the 50 U.S. states. New York and Illinois have not enacted the framework directly but have their own laws that address signature requirements in analogous ways.
As UETA attempted to standardize the minimum requirements for state laws concerning e-signatures, the ESIGN Act attempted to ease the adoption and acceptance of them. This act ensured that qualified electronic signatures can be used in nearly any situation that an ink signature can be used. This includes situations as important as evidence in civil or criminal court cases. This act essentially codified the validity of e-signatures and established them as enforceable statements of identity.
The legality of electronic and digital signatures in the U.S. revolves around four major pillars:
- Intent - This is no different than with a handwritten signature. It must be clear that the signatory intends to affix their name/identity to the electronic document. You cannot force someone to sign and then treat the result as a legal signature.
- Consent - When an electronic document or contract is signed, every party signing it must specifically consent to allow an electronic signature. Without this, the use of electronic signatures cannot be considered valid unless the signer opted in at a previous date and never withdrew their consent.
- Accuracy - The specific method used for affixing the electronic signature must not only keep a record but also must be a demonstrably accurate record. This record should also fully explain the method that was used to create and affix the electronic signature.
- Retention - The record of an electronic signature must be accurately reproduced and available for the files of any party entitled to such data. This leaves an audit trail and allows access to any necessary records.
The European Union (EU) enacted the electronic IDentification, Authentication, and Trust Services (eIDAS) regulation in 2014 to regulate electronic signatures, the processes involved, and the regulatory bodies that handle enforcement. eIDAS established minimum standards for several areas, including digital signatures, which the legislation refers to as qualified signatures and qualified certificates.
Digital signatures under eIDAS provide a higher degree of assurance, and some hold the same legal effect as a wet ink signature. Conforming to eIDAS requirements requires a qualified certificate stored in one of several qualified signature solutions that must be issued and managed by a qualified trust service provider (QTSP) like Sectigo.
Qualified certificates from Sectigo enable individuals and organizations to sign or seal documents and meet eIDAS requirements.
eIDAS digital signature requirements include:
- Identity - Signatory is identified and validated
- Intent - Record of signatory understanding of content and intent to sign
- Reliable - Is reliable and secure for the specific use case. This can mean:
  - Tampering with or changing the content or signature is detected and recorded
  - The process or solution used to create the digital signature is handled solely by the signatory and linked only to their identity
Make sure you meet the legal requirements for digital signatures in your country. Learn about Sectigo's different signing certificate offerings, including S/MIME email encryption, code signing, and document signing, and also explore our eIDAS certificates.