SigningHub by Ascertia makes getting documents signed as simple as possible. It provides powerful functionality to help organisations manage documents and organise signers and fits seamlessly into existing business processes.
SigningHub supports all electronic and digital signatures that are allowed under relevant legislation. This enables organisations to deploy the ideal signature at the right time, per their particular legal and compliance requirements.
There’s no unified global legal law or regulation controlling the use of electronic signatures. Most countries that have e-signature laws accept that:
An electronic signature – where the signer’s identity and intent to sign is linked to an agreement via their email address or a phone number – is a legally valid way of concluding an agreement.
Many countries, or even an entire region in the case of the European Union (EU), give additional legal weight to another type of e-signature, a digital signature.
Digital signatures are a unique kind of e-signature where information about the signer’s identity and proof of their intent to sign is cryptographically bound to a signed document in a way that cannot be altered. Depending on how they are made, digital signatures can provide much more legal weight than regular e-signatures and convey the trustworthiness of the signature long-term.
Simply put, digital signatures provide a way for two or more parties to trust each other. If you trust that the signature binds a specific signer to the contents of a specific agreement, and that it can be enforced and legally upheld if contested, you can rely on that agreement as a basis for any decisions.
Not all digital signatures are created equally. There are several ingredients that go into making a digital signature. Together, theydetermine to what extent the signature can be legally relied upon. Consider the following:
Digital certificate typesThe identity verification process and security controls applied in issuing and using certificates directly impact the legal weight of a digital certificate. Certificates could be from any of the following four categories:
These can be issued by anyone to themself, for instance in Microsoft Word or Adobe Acrobat, without any external identity vetting. They’re the digital equivalent of someone issuing a passport to themselves – and should be treated with similar caution.
This is aprivate certificate where an organization validates an employee’s identity in line with their internal standards. Then they add them to a corporate directory and issue them with a corporate certificate linked to the corporation’sPKI infrastructure.
Technical requirements define the level of identity proofing required, the information that must be included in the certificate, and the way in which the certificate must be issued. AATL certificates must be generated using a trustworthy system that protects the private key of the authorized holder. Members are audited against European Telecommunications Standards Institute (ETSI), WebTrust, and International Organization for Standardization (ISO) audit schemes to ensure they comply with their policies and procedures. This type of certificate can be validated in Adobe Acrobat or Reader.
QTSPs must comply with standards defined by ETSI and must be audited by an accredited conformity assessment body. Users must have their identity verified to a high level of assurance before a Qualified Certificate can be issued. Only specially certified Qualified Signature Creation Devices (QSCD), validated by Certification Labs, can be used to generate certificates.
Signature formatsThe industry has settled on the PDF format as the most secure container for preserving the presentation and layout of the document, as well as all the cryptographic information associated with the signature. International Standards organisations have developed four different levels of PDF Advanced Electronic Signature (PadES) formats to reflect the different information that can be captured. These formats determine the trustworthiness of a document long-term:
Digital certificates are often issued through multiple layers of trusted entities. At the top level there is always a trusted Root Certification Authority (CA). It is often managed by a national government authority, or a commercial trust service provider. Root CAs establish the rules for certificate issuance and certify the operations of approved subordinate Issuing CAs.
These CAs link their certificates to the Root CA, and add information about:
This full “chain of trust”, linking the Root and any issuing CA certificates is needed for any business application to decide whether to trust the certificate or the signature created by the certificate.
Thankfully, SigningHub by Ascertia has unique features to help organisations manage all this complexity. Ascertia designed Signinghub to help easily deploy digital signatures with confidence, using both public and private sources of trust.
It enables users to choose the appropriate level of assurance for each use case and ensures guardrails to help signers sign in the correct manner.