Electronic signature (or e-signature) and digital signature are very similar terms, resulting in some confusion between them. Both indicate that a kind of legally-recognized signing operation has taken place with an electronic document. However, the accepted definition of “electronic signature” is much broader than that of “digital signature,” and there are important differences between them.
We’ll discuss these distinctions below, but the TL;DR takeaway is that certificate-based digital signatures (such as those made with SSL.com’s Business Identity certificates) offer guarantees of authenticity, integrity, and non-repudiation that are not offered by simple electronic signatures.
What is an Electronic Signature?
The U.S. Electronic Signatures in Global and National Commerce (ESIGN) Act (2000) defines an “electronic signature” as
an electronic sound, symbol, or process, attached to, or logically associated with a contract or other record generated, sent, communicated, received, or stored by electronic means.
In practice, an electronic signature is often simply an image of a handwritten signature (most commonly made with your finger or stylus on a touchpad or screen). Electronic signing solutions may also include single- or multi-factor electronic authentication methods (e.g. PIN, password, email authentication, etc.).
Without more specific information about the processes and technologies used, the term “electronic signature” does not imply any guarantee of third-party validation of a document’s signatory, or of the integrity of a document’s content since it was signed. This can lead to some bad practices – for example, the owner of a company I used to work for just had a scan of their signature that could be pasted into contracts. That’s technically an “electronic signature” according to U.S. law, but we can easily do better than that!
What is a Digital Signature?
Unlike a simple electronic signature, a digital signature uses a PKI-based digital certificate issued by a certificate authority (CA) that binds an identity (such as a person or company) to a cryptographic key pair. When a document is digitally signed with the signatory’s private key, the document’s exact content and the identity of the signatory are bound together to form a unique digital fingerprint, ensuring:
- Authentication. The identity of a document’s signatory has been validated by a publicly-trusted CA.
- Integrity. The content of a document has not been altered since it was signed.
- Non-repudiation. A signatory cannot plausibly deny that they signed a document.
U.S. Federal law, as defined in the ESIGN Act, is broadly permissive regarding the enforceability of both electronic and digital signatures. However, simple electronic signatures do not provide the guarantees of authenticity, integrity, and non-repudiation offered by certificate-based digital signatures. Furthermore, the laws of many countries (including, as noted below, the member states of the EU as well as China, India, and South Korea) distinguish between certificate-based digital signatures and simple electronic signatures.
The European Union’s Electronic Identification and Trust Services (eIDAS) Regulation (effective in 2016) recognizes three distinct types of electronic signatures, as well as electronic seals intended for use by legal entities such as corporations and other organizations:
- Electronic Signatures. eIDAS defines an “electronic signature” as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” Like ESIGN, eIDAS also states that a signature cannot be denied legal admissibility solely because it is in electronic form.
- Advanced Electronic Signatures must be uniquely linked to the signatory and capable of identifying them, must be created using signature data that the signatory can use under their sole control, and must make any later change to the signed data detectable. These conditions may be satisfied with a CA-issued digital certificate, such as SSL.com’s Business Identity certificates.
- Qualified Electronic Signatures have the same legal standing as handwritten signatures. A qualified electronic signature requires a certificate-based digital ID issued by a qualified EU Trust Service Provider (TSP) and must be made with a “qualified electronic signature creation device” such as a USB token.
- Electronic Seals are similar to electronic signatures, but are typically associated with legal entities rather than natural persons. eIDAS distinguishes between electronic, advanced, and qualified seals according to the same criteria used for signatures.
As defined by eIDAS, qualified electronic signatures and certificate-based advanced electronic signatures would both also be considered types of digital signatures, as that term is usually used in the US.