After yesterday's blog post explaining how to forge an esignature, some people contacted me, saying: We're not technical people, we don't understand your examples, but are you saying that somebody can abuse our signature if we apply an esignature? And also: Don't you have a short demo for dummies?
That's why I made this short video:
I hope this video helps people who aren't tech-savvy to distinguish a fake digital signature from a real one. All the technical people are still welcome to register for our newsletter and we'll send you a draft of the first 90 pages of our white paper about digital signatures by the end of next week.
(Update: for a more nuanced legal point of view, see Legal aspects of e-signatures / digital signatures.)
Comments
The document you were able to change
Hi Bruno,
I am trying to understand something… the document that was signed, had it been signed using one of the application vendors you referenced?
Joy
Hello Joy,
I used the 'Sign' button in Adobe Reader. People who aren't tech-savvy could assume that they are indeed digitally signing a document this way.
That's not true. In order for the document to be digitally signed by one of the vendors that are mentioned, it needs to be uploaded to a server where different vendors use different techniques.
As I'm explaining in my whitepaper, many of these techniques are flawed because:
- there's no WYSIWYS. Sure, people can 'view' the document they're signing, but the actual bytes that are signed reside on the server. What You See Is A Copy Of What You Sign, instead of What You See Is What You Sign. Although this is acceptable to some states, many countries won't accept this as a legally binding signature. The document needs to be signed on the client side (which automatically excludes Cloud signing services).
- it's even worse: the digital signature that is applied uses a private keystore that isn't private! A key store contains a private key that has to be private to the signer. For instance: in Belgium, every citizen owns an identity card in the form of a smart card. We call it an eID. There are several key stores on the chip of the smart card. One of these key stores is meant for authentication. You could use it to sign a document if you want to preserve the document's integrity, but the signature isn't legally binding. Only documents that are signed using the key store with the non-repudiation key have the same legal value in court as a handwritten signature.
I realize that the situation is very different in the US where the concept of the eID is unknown. Many states accept eSignatures as legally binding because it's a pragmatic solution. If there's ever a dispute in court to contest the legal value of such a signature, you'll find several arguments in my white paper that will help you win a case proving that there's reasonable doubt that the person who is alleged to have signed the document isn't the actual signer.
Please read this article for more info about signing with an eID and the legal implications: http://www.cosic.esat.kuleuven.be/publications/article-1160.pdf
Finally, some reaction!
Finally somebody has replied with a reaction that makes sense:
This allows me to go to the core reasons why I made the video.
The videos promoting eSignatures and the interface in Adobe Reader are confusing, one might even say misleading. It's true: I clicked on a button that said 'Sign', but all I did was play around with an image of a signature. People who aren't tech-savvy don't know that. They think they are actually signing, but they don't.
Most end users don't have digital certificates (and related key pairs) so the service provides that when you use it, but does that make the signature legally binding?
It depends.
It depends on where you live: laws differ from state to state, from country to country, but the general idea is that three major requirements need to be met: integrity (can't change the document without breaking the signature), authenticity (you should be able to verify the identity of the signer), and non-repudiation (the signer may not be able to deny that he has signed the document).
So it depends on the nature of the signature. As most of the signing services apply the signature on the server side, the signer can never be sure which document he's actually signing. That's a dangerous situation: it's like signing a blank cheque.
If I sign a document online, and the complete document as well as my private key are on a remote server, I can never know what happens remotely, so I can't be held responsible for that signature.
I'll explain all of this in my white paper.
By the way: did you read the FAQ on the DocuSign site?
I don't know how you read this, but I read this as a confession: DocuSign uses digital signatures to seal a document, but they do it in a way that doesn't ensure the identity of the signer; they only use it to protect the document from what I did in the video.
That's NOT sufficient. THAT is the whole point!
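The two comments above make three claims that are easy to check in code: a real digital signature detects any change to the signed bytes (integrity), a valid signature only tells you which key made it (authenticity and non-repudiation depend on who holds that key), and when the key lives on a server the signer signs bytes they may never have seen (the WYSIWYS problem). The following Go program is an added illustration written for this page, not code from the blog author, Adobe, DocuSign or any signing service; it uses Ed25519 from the Go standard library, the invoice text and the names of the parties are constructed, and the `ClientSideSign` / `ServerSideSign` split is a simplified model of where the private key is kept.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed sample: the document the signer reviews and intends to sign.
var Original = []byte("Invoice #0001\nPayable to: ACME\nTotal: $1,500\n")

// The same edit the video makes after signing: $1,500 becomes $15,000.
var Tampered = bytes.Replace(Original, []byte("$1,500"), []byte("$15,000"), 1)

// Party models a key holder: either the signer (key stays on the signer's
// device or smart card) or a signing service (key lives on the server).
type Party struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for the named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over exactly the bytes passed in.
func (p *Party) Sign(doc []byte) []byte { return ed25519.Sign(p.priv, doc) }

// Verify checks integrity: any change to doc after signing makes it fail.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Signed is what a verifier receives: the bytes, a signature, and the
// public key the signature claims to come from.
type Signed struct {
	Doc []byte
	Sig []byte
	Key ed25519.PublicKey
}

// ClientSideSign: the signer signs the bytes they actually viewed (WYSIWYS).
func ClientSideSign(signer *Party, viewed []byte) Signed {
	return Signed{Doc: viewed, Sig: signer.Sign(viewed), Key: signer.pub}
}

// ServerSideSign: the service holds the key and signs whatever bytes are on
// the server; the signer only saw a preview copy that may differ.
func ServerSideSign(service *Party, onServer []byte) Signed {
	return Signed{Doc: onServer, Sig: service.Sign(onServer), Key: service.pub}
}

// AttributableTo reports whether the signature was made with the key the
// named party holds. A valid signature proves only "whoever holds this key
// signed these bytes"; binding it to a person is what the key store policy
// (e.g. the eID non-repudiation key) has to provide.
func AttributableTo(s Signed, p *Party) bool {
	return bytes.Equal(s.Key, p.pub) && Verify(s.Key, s.Doc, s.Sig)
}

func main() {
	signer, _ := NewParty("Joy (signer)")
	service, _ := NewParty("signing service")

	local := ClientSideSign(signer, Original)
	fmt.Println("client-side: original verifies:", Verify(local.Key, local.Doc, local.Sig))
	fmt.Println("client-side: tampered verifies:", Verify(local.Key, Tampered, local.Sig))
	fmt.Println("client-side: attributable to signer:", AttributableTo(local, signer))

	remote := ServerSideSign(service, Tampered) // server signs bytes the signer never saw
	fmt.Println("server-side: signature verifies:", Verify(remote.Key, remote.Doc, remote.Sig))
	fmt.Println("server-side: attributable to signer:", AttributableTo(remote, signer))
}
```

Verification of the server-side result succeeds, because the signature is mathematically sound; what it cannot do is show that the signer ever saw the bytes, or that anyone other than the key holder on the server produced it. That is the gap between "the document is sealed against later edits" and "this person signed this document".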
Feedback from DocuSign's Chief of Security Officer
Hi Bruno. I’m DocuSign’s Chief of Security Officer, Joan Ross, and I’d like to help clarify a few things in your blog post on electronic signature and DocuSign.
In your review, it appears you used the Adobe Reader signing capability as the example and included DocuSign as a similar solution. Please note that the two are not similar. DocuSign is a completely different product and takes a very different approach to electronic signature, which avoids many of the issues you point out with Adobe’s product. The following are some of the security safeguards available with DocuSign:
1. DocuSign is a cloud service, not desktop software. All of our documents are secured in the user’s account in the cloud where they are encrypted and hashed to protect them from unauthorized changes.
2. DocuSign’s service does not distribute documents for signature, but rather invites signers to authenticate to the service in the cloud in order to review and sign documents. Signers do not have access to the document to make changes; they can only view and sign.
3. DocuSign allows the sender to configure several different authentication options that the signer must pass at the time of signing to ensure that the documents and access to them are controlled by the sender within DocuSign's secure SaaS platform.
4. DocuSign writes the results of the authentication, and many other elements about the transaction such as IP address, time stamps, email address, etc. into the signature data to ensure there is a great deal of evidence around the signing. This information creates a legally-binding audit trail.
5. The DocuSign signature is linked to the identity profile of the signer within the DocuSign service. Clicking the signature brings up that link to the signer so that sender can verify the identity of the signer.
6. If a document is exported from the DocuSign service, it is digitally sealed with a CDS Certificate, and any attempt at tampering after signing (such as changing $1,500 to $15,000 in your example) would be easily detected.
Finally, DocuSign delivers much more than just capturing signatures. Our customers use our service to route documents to signers in any order or workflow they need. Customers use our forms capabilities to deliver and collect data from signers during the process, and they use our authentication services to make sure they know who is signing. Customers use our business intelligence and reporting capabilities to keep track of the status of transactions in real time. Our customers are transforming outmoded signature processes requiring printing, scanning, faxing, overnighting, and data rekeying with the DocuSign eSignature Transaction Platform - which is delivering 'Straight Through Processing' and keeping everything electronic.
I'd be happy to talk further with you about electronic signature generally and DocuSign specifically. Please let me know if you have time to connect over the phone, as it would be great to give you an overview briefing of DocuSign. Thanks.
Feedback
Hello, thank you for the feedback. I've sent you a mail with a link to the second draft of the white paper on digital signatures. I'd like to integrate your comment in Appendix B of the paper.