Electronic signature (or e-signature) and digital signature are very similar terms, resulting in some confusion between them. Both indicate that a kind of legally-recognized signing operation has taken place with an electronic document. However, the accepted definition of “electronic signature” is much broader than that of “digital signature,” and there are important differences between them.
We’ll discuss these distinctions below, but the TL;DR takeaway is that certificate-based digital signatures (such as those made with SSL.com’s Business Identity certificates) offer guarantees of authenticity, integrity, and non-repudiation that are not offered by simple electronic signatures.
The U.S. Electronic Signatures in Global and National Commerce (ESIGN) Act (2000) defines an “electronic signature” as “an electronic sound, symbol, or process, attached to, or logically associated with a contract or other record generated, sent, communicated, received, or stored by electronic means.”
In practice, an electronic signature is often simply an image of a handwritten signature (most commonly made with your finger or stylus on a touchpad or screen). Electronic signing solutions may also include single- or multi-factor electronic authentication methods (e.g. PIN, password, email authentication, etc.).
Without more specific information about the processes and technologies used, the term “electronic signature” does not imply any guarantee of third-party validation of a document’s signatory, or of the integrity of a document’s content since it was signed. This can lead to some bad practices – for example, the owner of a company I used to work for just had a scan of their signature that could be pasted into contracts. That’s technically an “electronic signature” according to U.S. law, but we can easily do better than that!
Unlike a simple electronic signature, a digital signature uses a PKI-based digital certificate issued by a certificate authority (CA) that binds an identity (such as a person or company) to a cryptographic key pair. When a document is digitally signed with the signatory’s private key, a cryptographic hash of the document’s exact content is signed and tied to the signatory’s certificate, producing a unique digital fingerprint of that content and that identity. This ensures:
- Authentication. The identity of a document’s signatory has been validated by a publicly-trusted CA.
- Integrity. The content of a document has not been altered since it was signed.
- Non-repudiation. A signatory cannot plausibly deny that they signed a document.
Note that in Adobe Acrobat, a special type of digital signature known as a certification signature may optionally allow limited modifications to a signed document, such as the addition of approval signatures from other parties.
A document signing certificate is a type of X.509 certificate, a digital file that binds the identity of a person or organization to a cryptographic key pair consisting of a public and private key. Typically, an applicant generates a key pair and then submits the public key, along with verifiable information about their identity, to a publicly trusted certificate authority (CA) such as SSL.com. Depending on the intended application, the key pair may be generated on the applicant’s computer or within a secure token or hardware security module (HSM). The CA checks the information and, if valid, issues a signed certificate to the applicant. The certificate can then be used to create digital signatures.
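The following Go program is an added example, not code from SSL.com or from this page, that walks through the workflow just described using only the Go standard library: a CA issues an X.509 certificate binding a constructed identity to the applicant’s public key, the applicant signs a document’s SHA-256 digest with the private key, and a verifier checks both the certificate chain (authentication) and the digest (integrity). The CA and subject names, validity periods, the choice of ECDSA P-256, and the use of software-held keys instead of a token or HSM are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer holds a signatory's private key with the certificate a CA issued for the matching public key.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed CA certificate, playing the "publicly trusted CA" role.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Document Signing CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueSigner models the applicant generating a key pair and the CA, having checked the
// applicant's identity, binding that identity and public key into a certificate it signs.
func IssueSigner(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, name string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name, Organization: []string{"Example Corp"}}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// ContentCommitment is the X.509 key-usage bit historically named non-repudiation.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign hashes the document and signs the SHA-256 digest; only the private-key holder can do this.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify checks authentication (the signer's certificate chains to the trusted CA)
// and integrity (the signature matches the document's current digest).
func Verify(doc, sig []byte, signerCert, caCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature mismatch: document altered or signed with another key")
	}
	return nil
}

func main() {
	caKey, caCert, err := NewCA()
	if err != nil {
		panic(err)
	}
	signer, err := IssueSigner(caKey, caCert, "Alice Example") // constructed signatory
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed contract: Example Corp agrees to pay 100 units.") // constructed input
	sig, err := signer.Sign(doc)
	if err != nil {
		panic(err)
	}
	altered := append(append([]byte{}, doc...), " (amended)"...)
	fmt.Println("original document:", Verify(doc, sig, signer.Cert, caCert))
	fmt.Println("altered document: ", Verify(altered, sig, signer.Cert, caCert))
}
```

Verifying with `x509.ExtKeyUsageAny` is deliberate: Go’s default verification options assume a TLS server certificate, which is not what a document signing certificate is. In practice the signer’s key would live on a token or HSM and a real signature format (PDF, CMS) would also embed the certificate chain and a timestamp; this example isolates the two checks a verifier ultimately performs.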
Many types of common electronic documents can be digitally signed, including Microsoft Office (Word documents, Excel spreadsheets, and PowerPoint presentations) and Adobe PDF. However, not all document signing certificates are created equal. Microsoft’s trust store is not the same as Adobe’s, and Adobe’s requirements for document signing certificates are more stringent. When you buy a document signing certificate from a CA, it’s important to make sure that it can be used to create trusted signatures for the types of documents you need to sign.
No. An electronic signature (or e-signature) is very broadly defined by the U.S. Electronic Signatures in Global and National Commerce (ESIGN) act as “an electronic sound, symbol, or process, attached to, or logically associated with a contract or other record generated, sent, communicated, received, or stored by electronic means.” In contrast, a digital signature requires a CA-issued digital certificate and provides assurance of the identity of the signatory and the integrity of the signed document.
Yes. In the United States, the Electronic Signatures in Global and National Commerce (ESIGN) act gives electronic signatures (including digital signatures) the same legal status as handwritten signatures. The European Union’s Electronic Identification and Trust Services Regulation (eIDAS) recognizes all electronic signatures, but gives greater weight to PKI-based digital signatures. Many other nations also recognize the legality of digital signatures.
Adobe’s technical requirements for digital signatures mandate that private document signing keys be generated and stored on a secure device with two-factor authentication, such as a USB token or hardware security module (HSM). For this reason, SSL.com ships its document signing certificates on YubiKey FIPS 140-2 validated security keys. These added layers of security keep your key safe and your digital identity secure.
If you already own a YubiKey FIPS, you can use an attestation process to order and install certificates on the device. For enterprise customers, SSL.com can host document signing keys on an HSM for volume signing operations. If requested, we can also ship document signing certificates on Gemalto tokens.
The Adobe Approved Trust List (AATL) comprises certificate authorities (CAs) that meet Adobe’s standards for issuing document signing certificates for use with Adobe Acrobat, Acrobat Reader, and other Adobe products. SSL.com is a member of the AATL program and is trusted by all Adobe products for digital signing.
Digital Signature Legality
Electronic and Digital Signatures in the US
U.S. Federal law, as defined in the ESIGN act, is broadly permissive regarding the enforceability of both electronic and digital signatures. However, simple electronic signatures do not provide the guarantees of authenticity, integrity, and non-repudiation offered by certificate-based digital signatures. Furthermore, the laws of many countries (including the member states of the EU as well as China, India, and South Korea) distinguish between certificate-based digital signatures and simple electronic signatures.
The European Union’s Electronic Identification and Trust Services (eIDAS) Regulation (effective in 2016) recognizes three distinct types of electronic signatures, as well as electronic seals intended for use by legal entities such as corporations and other organizations:
- Electronic Signatures. eIDAS defines an “electronic signature” as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” Like ESIGN, eIDAS states that a signature cannot be denied legal admissibility solely because it is in electronic form.
- Advanced Electronic Signatures must be uniquely linked to the signatory and capable of identifying them, must be created using signature creation data that the signatory can use under their sole control, and must make any subsequent change to the signed data detectable. These conditions may be satisfied with a CA-issued digital certificate, such as SSL.com’s Business Identity certificates.
- Qualified Electronic Signatures have the same legal standing as handwritten signatures. A qualified electronic signature requires a certificate-based digital ID issued by a qualified EU Trust Service Provider (TSP) and must be made with a “qualified electronic signature creation device” such as a USB token.
- Electronic Seals are similar to electronic signatures, but are typically associated with legal entities rather than natural persons. eIDAS distinguishes between electronic, advanced, and qualified seals according to the same criteria used for signatures.
As defined by eIDAS, qualified electronic signatures and certificate-based advanced electronic signatures would both also be considered types of digital signatures, as that term is usually used in the US.