Electronic Signatures: Everything You Need to Know

What Is an Electronic Signature?

Basically, an electronic signature is a digital version of a signature, and is used to confirm the authenticity and integrity of a document. With the help of electronic signatures, digital documents such as contracts or permits can be signed in a legally binding manner.

The electronic signature can replace a signature on paper, unless it is excluded by law from the outset: An electronic signature unambiguously links the signatory or signatories to a defined and unalterably stored document or sequence of characters. As a rule, the electronic information is electronic documents, but any sequence of characters can be signed electronically.

Distinction From the Digital Signature

In general, the terms "digitalsignature" and "electronic signature" are used synonymously. In particular, however, the digital signature is a class of cryptographic procedures that is also used in the encryption of network connections, while the electronic signature is a primarily legal term that was coined by the EU Commission. In addition, the choice of the term was intended to cover a wide range of technical possibilities, so as to permit more than just signature procedures based on existing digital signatures or other cryptographic methods.  

What Types of Electronic Signatures Are There?

There are basically three types of digital signatures:

1. In the most common case, a simple electronic signature (EES) is an e-mail signed with the sender's name. There are no special requirements for a simple electronic signature. It does not require the use of a digital key to identify the sender. Simple electronic signatures can be used for form-free agreements in accordance with Section 127 of the German Civil Code.
2. Advanced electronic signatures (FES) must be uniquely linked to the signers so that they can be identified without doubt. In addition, it must be ensured that changes to the documents linked to the signature can be identified retrospectively. One example of this is the top.legal signature, which can be used to identify signers using multi-factor authorization via an SMS security code, among other things.
3. In accordance with the European Directive, a qualified electronic signature is an advanced electronic signature (QES) based on a qualified certificate valid at the time of its generation and created using a secure signature creation device (SSCD).

Legal Effect of Electronic Signatures

According to the Official Journal of the European Union of 28.8.2014 (Article 25 (1) eIDAS Regulation), an electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in electronic form or because it does not meet the requirements for qualified electronic signatures. 

A qualified electronic signature also has the same legal effect as a handwritten signature. A qualified electronic signature based on a qualified certificate issued in one member state is recognized as a qualified electronic signature in all other member states. Documents that are "only" signed with an advanced electronic signature in accordance with Art. 3 No. 11 of the eIDAS Regulation can also be introduced in court as evidence by visual inspection.

What Is the Difference Between Signatures in Practice?

Electronic signatures differ from one another in terms of the degree of protection against forgery. At the lower end of the scale is the simple electronic signature, which does little to ensure the authenticity of the signature. 

At the upper end of the scale - and thus with the highest requirements for forgery protection - is the qualified electronic signature, which uses the encryption certificates of a trust authority (trust service) to confirm that the signing party is actually who he claims to be. This usually requires extensive authentication vis-à-vis the trust authority by means of a video ID procedure. This method is less suitable for use in a business environment because it presents the signer with hurdles that cannot be easily overcome in a hurry. 

The golden mean is the advanced electronic signature. According to Art. 26, an advanced electronic signature should meet all of the following requirements:

1. It is clearly assigned to the signatory.
2. It enables the identification of the signatory.
3. It is created using electronic signature creation data that the signer can use with a high degree of confidence under their sole control.
4. It is linked to the data signed in this way in such a way that any subsequent change to the data can be detected.

In practice, this means that it must be ensured that a signed document is encrypted with a key that is under the sole control of the signatory. Only in this way can the recipient be sure that the document or message originates from the person it claims to be and that the data has not been tampered with during transmission. 

An additional way to ensure this requirement is two-factor authentication (2FA), for example via a cell phone. 

Advanced signature compared to simple electronic signature

Signing documents using an advanced electronic signature usually requires special software. Simple electronic signatures can be created without software. To do this, it is usually enough to send a simple e-mail with your name, add a scanned signature to documents, or scan signed documents and send them by e-mail. 

The advanced electronic signature relies on encryption technology so that the public key used can be used to determine who signed the document and whether the signature is valid. With a simple electronic signature, it is not possible to ensure the authenticity of the signature or the unaltered quality of the document. 

Advanced signature compared to qualified signature

The advanced signature ranks highest in terms of security within the EU and provides similar legal validity to a handwritten document, unless the law explicitly indicates the use of a traditional handwritten signature. As with advanced electronic signatures, qualified electronic signatures require the use of special software. In addition, physical encryption tokens in the form of a USB stick or smart card, for example, must be used to increase the level of security.

What Are the Advantages of Electronic Signatures?

The advantage of a digital signature is primarily that a signer can sign documents quickly and easily without having to resort to the cumbersome and time-consuming routine of printing, signing and scanning. This process saves time and money. 

Our data shows that an electronic contract system is up to 9 times faster than a paper-based contract system. In addition, we see higher rates of contract completion, as the probability of bounce is reduced due to the simplicity of the system.

Are Electronic Signatures Secure?

In principle, any signature, whether electronic or on paper, can be forged. However, the electronic signature has clear advantages with regard to the possibilities of manipulation. Unlike the verification of a signature or an ID card, every layperson is given all the tools to determine beyond doubt whether the signed document has been manipulated and whether the signature actually originates from the person in question. 

Using the current technical possibilities, it is currently easier to fake a signature than to manipulate the encryption mechanism with a common IT infrastructure. 

In addition, metadata as well as the time of signature and IP address of the input device are stored as part of the provision of the electronic signature. This burden of proof can no longer be reproduced with a physical signature, especially one year after the signature has been executed.

Technical Implementation of the Electronic Signature

To ensure that the integrity of a document can be established beyond doubt, a hash code is calculated from the electronic document using a hash function. 

In this context, a hash function is an algorithm that efficiently maps a string of arbitrary length (input value) back to a string of fixed length (hash value). That is, the document is translated into a column of arbitrary characters. In this process, the algorithm of the hash function is public so that the integrity of the process can be verified. 

Every user of the publicly available hash function will, inevitably when using the same document, receive an identical hash value. If one changes any section in the document, then the characters of the hash also change. By matching generated hash values, it is thus technically easy to establish the integrity of a document beyond doubt.

Electronic signature process (on top.legal) in practice

This is how electronic signatures are implemented within our CLM software:

1. The parties are invited to sign
2. The contract to be signed is transferred to the signature mode
3. The software calculates the hash value (checksum) including the metadata of the signing parties
4. The hash value is saved in an audit-proof manner and stored in the pdf.
5. The hash value is usually encrypted with the respective private key of the signer
6. The encrypted value can also be stored directly in the pdf together with the other information (encryption algorithm used, public key, etc.). 
7. Signatories will receive access to the signed contract via email or via a secure link
8. The recipient can use a verification algorithm to check the validity of the signature and determine whether the document in question is also the one enclosed by the signature. Many manufacturers offer free verification editions of their signature software for this purpose, and some also offer online verification via the Internet.