Electronic signatures: Everything you need to know

What is an electronic signature?

Basically, the electronic signature is a digital version of a signature, and is used to confirm the authenticity and integrity of a document. With the help of electronic signatures, digital documents, such as contracts or permits, can be signed in a legally binding manner.

Unless this is excluded from the outset by law, the electronic signature can replace a signature on paper: An electronic signature unequivocally links the signatory and the signatory with a defined and inalterably stored document or a string of characters. Electronic information is usually electronic documents, but any sequence of characters can be signed electronically.

Distinction from digital signatures

In general, the terms”digital signature“and”electronic signature“used synonymously. In particular, however, digital signature is a class of cryptographic methods that is also used in the encryption of network connections, while electronic signature is a primarily legal term coined by the EU Commission. In addition, by choosing the term, they wanted to broadly define the technical possibilities in order not only to allow signature procedures based on existing digital signatures or other cryptographic methods.

What types of electronic signatures are there?

There are basically three types of digital signatures:

1. Simple electronic signature (EES) In the most common case, this is an e-mail that is signed with the sender's name. There are no special requirements for a simple electronic signature. It is not necessary to use a digital key to identify the sender. Simple electronic signatures can be used for informal agreements in accordance with Section 127 of the German Civil Code.
2. Advanced Electronic Signatures (FES) must be clearly linked to the signatories so that they can be identified beyond doubt. It must also be ensured that changes to the documents linked to the signature can be identified retrospectively. An example of this is top.legal signature, which can be used, among other things, to identify signatories through the use of multi-factor authorization via an SMS security code.
3. In accordance with the European Directive, a Qualified electronic signature (QES) is advanced electronic signature , which is based on a qualified certificate valid at the time of its creation and was created using a secure signature creation unit (SSEE).

Legal effect of electronic signatures

According to the Official Journal of the European Union dated 28.8.2014 (Art. 25 para. 1 eIDAS regulation), an electronic signature may not be denied legal effect and admissibility as evidence in court proceedings simply because it is available in electronic form or because it does not meet the requirements for qualified electronic signatures.

A qualified electronic signature also has the same legal effect as a handwritten signature. A qualified electronic signature based on a qualified certificate issued in one Member State is recognized as a qualified electronic signature in all other Member States. Documents that are “only” signed with an advanced electronic signature in accordance with Article 3 No. 11 of the eIDAS Regulation can also be submitted to court by visual evidence in court.

What is the difference between signatures in practice?

Electronic signatures differ from one another in terms of the degree of protection against forgery. At the bottom of the scale is the simple electronic signature, which does little to ensure the authenticity of the signature.

At the top end of the scale — and thus with the highest standards of protection against counterfeiting — is the qualified electronic signature, which uses encryption certificates from a trust authority (trust service) to confirm that the signing party is actually who it claims to be. This usually requires extensive authentication with the Trust Authority using a video identification process. This method is less suitable for use in a business environment, as it presents the signer with hurdles that cannot be easily overcome in a short time.

The golden medium is the advanced electronic signature. According to Art. 26, an advanced electronic signature should meet all of the following requirements:

1. It is clearly assigned to the signatory.
2. It allows the signatory to be identified.
3. It is created using electronic signature creation data, which the signer can use with a high level of trust under his sole control.
4. It is connected to the data signed in this way in such a way that a subsequent change in the data can be recognized.

In practice, this means that it must be ensured that a signed document is encrypted with a key that is under the sole control of the signee. This is the only way the recipient can be sure that the document or message comes from the person it claims to be and that the data was not manipulated during transmission.

An additional way to ensure this requirement is two-factor authentication (2FA), for example via a mobile phone.

Advanced signature compared to simple electronic signature

Signing documents using an advanced electronic signature usually requires specialized software. Simple electronic signatures can be created without software. To do this, it is usually sufficient to send a simple e-mail with your name, to provide documents with a scanned signature, or to scan signed documents and send them by e-mail.

The advanced electronic signature uses encryption technology so that the public key used can be used to determine who signed and whether the signature is valid. With a simple electronic signature, the authenticity of the signature or the unchanged quality of the document cannot be guaranteed.

Advanced signature compared to qualified signature

The advanced signature ranks first in terms of security within the EU and offers similar legal validity as a handwritten signed document, unless the law explicitly states that a conventional handwritten signature is used. As with advanced electronic signatures, qualified electronic signatures also require the use of specialized software. In addition, physical encryption tokens in the form of a USB stick or a chip card, for example, must be used to increase the level of security.

What are the benefits of electronic signatures?

The main advantage of a digital signature is that a signer can sign documents quickly and easily without having to resort to the cumbersome and time-consuming routine of printing, signing and scanning. This process saves time and money.

Our data shows that contract processing on an electronic basis is up to 9 times faster than a paper-based contract system. We also see in contracting higher rates, as the probability of bouncing is reduced due to the simplicity of the system.

Are electronic signatures secure?

In principle, any signature, whether electronic or on paper, can be forged. However, the electronic signature has clear advantages in terms of manipulation options. In contrast to verifying a signature or ID card, every layperson is given all the tools to determine beyond doubt whether the signed document has been manipulated and whether the signature provided actually comes from the person in question.

Using the latest technical options, it is currently easier to fake a signature than to manipulate the encryption mechanism using a standard IT infrastructure.

In addition, metadata as well as the time of signature and IP address of the input device are stored as part of the provision of the electronic signature. This burden of proof can no longer be reproduced with a physical signature, particularly one year after the signature has been made.

Technical implementation of the electronic signature

So that the integrity of a document can be established beyond doubt, a hash code is calculated from the electronic document using a hash function.

A hash function is an algorithm that efficiently returns a string of any length (input value) to a fixed-length string (hash value). This means that the document is translated into a column of random characters. The algorithm of the hash function is public in order to be able to verify the integrity of the process.

Every user of the publicly available hash function, inevitably when using the same document, receives an identical hash value. If you change any section in the document, the characters in the hash also change. By comparing generated hash values, it is therefore technically easy to establish the integrity of a document beyond doubt.

Electronic signature process (on top.legal) in practice

This is how electronic signatures are implemented within our CLM software:

1. The parties are invited to sign
2. The contract to be signed is transferred to signature mode
3. The software calculates the hash value (checksum) including the metadata of the signing parties
4. The hash value is saved in an audit-proof manner and stored in the pdf.
5. The hash value is usually encrypted with the signer's private key
6. The encrypted value can also be stored directly in the pdf together with the further information (encryption algorithm used, public key, etc.).
7. The signatories receive access to the signed contract via email or via a secure link
8. The recipient can use a check algorithm to check the validity of the signature and determine whether the present document is also the one that is surrounded by the signature. Many manufacturers offer free test editions of their signature software for this purpose, and some also offer online verification via the Internet.