Ten Tips for Selecting the Best Digital Signature Solution

Ten Tips for Selecting the Best Digital Signature Solution

Avoid the pitfalls when transitioning from paper-based to electronic signatures

Author: John Marchioni -Sept 2007

Introduction

As the traditional “paper-based” world gives way to digital documentation and transactions, enterprises are demanding innovative solutions for digitally signing and authenticating such documents, files, and forms with iron-clad protection against forgery. Solutions must guarantee non-repudiation and promise the same level of security and trust that exists with conventional documentation. At the same time, such a solution should be simple to use, easy to deploy and offer a rapid Return on Investment (ROI).

In addition, with global digital business now the norm, transactions and documents may need to be signed by many people in different parts of the world. Users should be able to sign documents directly from their desktop or via a zero technology footprint using any web browser.

The need for verification by recipients outside an organization, the ability of employees to sign documents while traveling, and cross-platform capabilities – enabling the use of numerous applications, such as Microsoft Word®, Adobe Acrobat®, and TIFF images – all mean that, when it comes to selecting a digital signature solution, an enterprise needs to be aware of several important criteria.

This White Paper outlines the 10 most critical scenarios to take into consideration when making this decision:

1. Seals Documents

The best digital signature solution seals the document using standard technology.

Your company has chosen an electronic signature solution that ads an image of your graphical signatures to documents; you can now attach a graphic representation of your signature to any document created in Microsoft Word. This is all well and good, until you discover that even though you have apparently signed the document, it can be easily changed by any recipient – while the electronic signature remains intact, just as you appended it. The door to fraud and forgery has been opened wide!

The solution used has simply placed a digitized “picture” of the signature on the document: it doesn’t seal the document, it doesn’t verify the authenticity of the person signing it, nor does it guarantee that the transaction cannot be altered.

In the traditional paper world, transactions are validated by signing them either on an accepted form, such as a check, or in front of a trusted third party, a notary or lawyer, who the “stamps” the signatures so that they could not be changed.

In the virtual paperless world, digital signatures must perform the same function, i.e. guarantee that the signer is legitimate (that signatories are who they claim to be) and that neither the signature nor anything written in the document can be changed without authorization.

A digital signature must be able to seal any electronic document and guarantee that it is tamperproof. It is a one-time “fingerprint”, unique to both the signer and the document and ensures that the signer is indeed the originator or owner of the document. This “fingerprint” cannot be reused or reassigned and proves that the message has not been altered in any way. Should the document be changed or altered, the digital signature is automatically invalidated, providing total protection against forgery.

2. Multiple Application Support

       The best digital signature solution supports multiple applications.

You are operating an electronic signature solution that enables the signing of documents created with the most commonly used applications – Microsoft Word and Adobe Acrobat. But there are some documents produced by your ERP system that also need to be signed and your electronic signature solution does not support this application because the ERP application is not supported by the chosen electronic signature solution.

       Traditionally, when signing paper documents, it didn't matter what type of document it was; a form, an invoice or a typed contract. Now you need the same flexibility in a paperless world.

       A number of different applications and document management systems are available. It is important to select a digital signature solution that not only supports different applications, such as Word, Excel, Outlook, PDF, TIFF, Auto CAD, InfoPath and other third party applications, you should be able to add an electronic signature to any document type. One way to guarantee support for any file format is provided by solutions that convert any documents from any system into a “signed” PDF file.

3. Graphical Signatures

The best digital signature solution offers the possibility of "seeing" the signature.

Traditionally, once a document has been signed (with a “wet” signature), the signatures are visible. It is possible to identify who signed the document and the capacity in which it was signed; when renting an apartment, for example, the parties sign a lease. The contract clearly displays the signatures and identifies who is the landlord and who is the tenant. Anyone looking at the document can easily identify the signatories and their roles.

In the virtual paperless world, digital signature solutions offer trust and security but they do not offer easy identification. Visual graphical signatures do not add any security to the document, but they are important from a user’s acceptance point of view, as they provide a natural user indication that the document is indeed signed.

       It is therefore important to include both the Digital Signatures, which preserve the Data Integrity of the document and the digital signer’s authenticity and the graphical image of the signer’s handwritten signature, which is a familiar form of identifying the signer.

4. Multiple Signatures

       The best digital signature solution enables documents to be signed by more than one person in more than one place.

       There are some electronic signature solutions that only allow one signature and when the document has been signed and sealed, it is impossible to add more signatures.

       Traditional document-intensive organizations, such as insurance companies or financial institutions, have large volumes of many different types of documents that must be processed every day. Many of these documents must be reviewed, approved and signed by more than one person. In some cases, one part must be approved by one signatory while another section needs approval by a different person. With a traditional "wet" signature, it is a simple matter of signing or initialing any place in the document.

       In the virtual world, an effective digital signature solution should enable "sectional signing", which allows signatories to edit and sign their portion of   the document. For example, in Microsoft Excel, the digital signature solution should be flexible enough to allow multiple users to sign an entire workbook, different users to sign single worksheets or even support different digital signatures for different ranges of cells in the spreadsheet.

5. Zero IT Management

The best digital signature solution is easily installed, intuitive to use and does not require dedicated support staff - it will work from the moment it is installed.

In the traditional world of paper documents all that is needed to sign and manage documents is efficiency and ink.

In the virtual world, installing a new software system can generally be lengthy and resource-intensive. Some solutions require extensive – and expensive – customization to integrate with current or legacy software; often taking more than a year to get it working, additional support staff and even a separate help desk to support the signature application.

Users want to be able to use the solution intuitively without the need to go through a long and lengthy learning cycle or to be forced to employ a wizard process every time they want to sign a document. If the system is bulky and difficult to use, people will find a way to avoid it.

6. Compliance

The best digital signature solution complies with all legal requirements.

To be considered legally binding, documents and transactions - paper-based or electronic - must meet many basic requirements and strict standards. A digital signature solution must meet the same criteria as a “wet” signature. These include the following basic requirements:

       1). Authenticity – the signature can be authorized by a secure process

       2). Integrity – any tampering during transmission can be detected

       3). Privacy – the signature cannot be accessed by unauthorized sources

       4). Enforceability – the signatures must be verifiable by all parties

       5). Non-refutability – the signature cannot be denied or disavowed

The first two requirements prove that the recipient and the sender are authentic and authorized to perform this transaction. The next two, provide methods to prove that the message content is authentic and that the recipient can be certain that the data has not been altered or lost in transit. The last and most important is that the message must be able to “stand up in court”.

       Referred to as “non-repudiation”, this means that the digital signature must ensure that the parties involved in the transaction cannot deny sending the message or its contents.

       In addition to the above general requirements, some industries, such as finance or pharmaceutical, have specific requirements. For many organizations, it is critical to protect their data at all times with standard-based PKI methods that meet the toughest regulations rather than a proprietary solution.

       To avoid returns and force the organization to prove that the solution is good enough, a digital signature solution must meet the most stringent internationally recognized regulations, for example:

         1). FDA's 21 CFR Part 11

         2). Health Insurance Portability and Accountability (HIPAA)

         3). Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley);

         4). Sarbanes Oxley

         5). FAA's CFR Title 14

              and legislation, including:

         6). Uniform Electronic Transactions Act (UETA);

         7). E-sign (Electronic Signature in Global and national Commerce Act)

         8). EU VAT Directive

         9). EU Directive for Electronic Signatures

Only PKI based digital signatures meet all these requirements. Other solutions may meet some but not all requirements.

7. Transportability

An effective digital signature solution should ensure transportability.

Your company has implemented its digital signature solution and has sent signed documents to a client. But because the client has not installed the same digital signature solution, he is unable to verify the document.

       In the traditional paper world, signed documents sent to third parties can be read and understood without a problem.In the virtual paperless world, however, documents must be recognized by the software application. To be truly versatile, a sender must know that a digital signature will arrive unaltered anywhere in the world and that it can be easily verified without the need for complicated, proprietary third party applications.

       For example, if a document had been electronically signed in PDF, then the recipient should be able to validate the document using the free Adobe Acrobat Reader without any further software installations. Another example is when a Microsoft Word® or Excel® document is signed, then it should be possible to verify it on the receiving end without the need to install any special software or plug-in for verification process.

8. Seamless User Sign-Up

The best digital signature solution offers simple-to-use, transparent sign-up.

       In the traditional paper world, people who need to sign documents are identified in one of several ways: a signature card signed in person at the bank, a photo ID or personal recognition.

       In the virtual paperless world, signatories register electronically and obtain a digital certificate, which provides electronic identification similar to a birth certificate or a passport. Digital certificates contain information about the user, such as the certificate holder's name, e-mail address and other specific identifying information. Digital certificates verify that the user is who he or she claims to be. Certificates are generated by a Certificate Authorities (CA) immediately after the identity of the user is validated thus making the certificate a virtual equivalent of a Passport or a Birth certificate.

       Once a digital signature solution has been deployed, it should be both simple to use and as transparent as possible. Neither the users, nor the IT person, should be aware of how a certificate is generated or maintained.

       Moreover, users should not need to use a wizard or call the Help Desk to be able to sign documents. It should also be easy for the IT manager to make changes in the users’ profile and these changes should be automatically reflected in the users’ certificates.

       In addition, some systems require employees to re-enroll every year to verify that they are still authorized by the company. Users will find this cumbersome as will the IT and HR departments who need to deal with these registrations.

9. Simple-to-Use

The best digital signature solution is technologically simple to use.

       In the traditional paper world, signing a document is simple, intuitive and quick.

       In the virtual paperless world, signing a document should be just as easy. It should take no more than 10 seconds or 1-2 mouse clicks – to ensure that the document is signed, sealed and legally compliant.

       But if your digital signature solution requires the user to go through a tedious wizard-type process to sign a document and each step of the process requires a user interaction making the process complicated and difficult, the inadequacies of the selected solution will soon become apparent. Users should not be required to learn new technologies or require assistance from a Help Desk.

10. Total Cost of Ownership

The best digital signature solution has no hidden operation and management costs.

Traditional paper signing leaves mountains of paperwork needing physical storage in archives that often mushroom to warehouse proportions. To reduce costs and improve efficiency, companies should move into the world of electronic processes.

       Standards-based digital signature solutions enable companies to become totally paperless. However, when considering a digital signature solution, it is important to look into the potential hidden costs.

       Many traditional digital signature solutions are based on complex PKI technology and are difficult to deploy. They involve complicated software requiring a heavy investment in IT support and development. Sometimes, a Help Desk needs to be created or additional staff employed to support the solution. Other costs that need to be checked include registration and renewal fees for digital certificates, cost for smart cards, etc.

Conclusion

To ensure a smooth transition from paper-based to paperless offices with a digital signature system that:

1).guarantees non-repudiation

2).offers a high level of security

3).effectively seals documents

4).allows multiple signers to sign on a single document without difficulty

5).is compatible with multiple applications

6).is simple to use

7).offers a rapid return on investment

8).has no hidden costs

9).is transportable without having to install proprietary software