Ten Tips for Selecting the Best Digital Signature Solution

Ten Tips for Selecting theBest Digital Signature Solution

Avoid the pitfalls whentransitioning from paper-based to electronic signatures

Author: John Marchioni-Sept 2007

Introduction

As the traditional“paper-based” world gives way to digital documentation and transactions,enterprises are demanding innovative solutions for digitally signing andauthenticating such documents, files, and forms with iron-clad protectionagainst forgery. Solutions must guarantee non-repudiation and promise the samelevel of security and trust that exists with conventional documentation. At thesame time, such a solution should be simple to use, easy to deploy and offer arapid Return on Investment (ROI).

In addition, with globaldigital business now the norm, transactions and documents may need to be signedby many people in different parts of the world. Users should be able to sign documentsdirectly from their desktop or via a zero technology footprint using any webbrowser.

The need for verificationby recipients outside an organization, the ability of employees to signdocuments while traveling, and cross-platform capabilities – enabling the useof numerous applications, such as Microsoft Word®, Adobe Acrobat®, and TIFFimages – all mean that, when it comes to selecting a digital signaturesolution, an enterprise needs to be aware of several important criteria.

This White Paper outlinesthe 10 most critical scenarios to take into consideration when making thisdecision:

1. SealsDocuments

The best digital signaturesolution seals the document using standard technology.

Your company has chosen anelectronic signature solution that ads an image of your graphical signatures todocuments; you can now attach a graphic representation of your signature to anydocument created in Microsoft Word. This is all well and good, until youdiscover that even though you have apparently signed the document, it can beeasily changed by any recipient – while the electronic signature remainsintact, just as you appended it. The door to fraud and forgery has been openedwide!

The solution used hassimply placed a digitized “picture” of the signature on the document: itdoesn’t seal the document, it doesn’t verify the authenticity of the personsigning it, nor does it guarantee that the transaction cannot be altered.

In the traditional paperworld, transactions are validated by signing them either on an accepted form,such as a check, or in front of a trusted third party, a notary or lawyer, whothe “stamps” the signatures so that they could not be changed.

In the virtual paperlessworld, digital signatures must perform the same function, i.e. guarantee that thesigner is legitimate (that signatories are who they claim to be) and thatneither the signature nor anything written in the document can be changedwithout authorization.

A digital signature mustbe able to seal any electronic document and guarantee that it is tamperproof.It is a one-time “fingerprint”, unique to both the signer and the document andensures that the signer is indeed the originator or owner of the document. This“fingerprint” cannot be reused or reassigned and proves that the message hasnot been altered in any way. Should the document be changed or altered, thedigital signature is automatically invalidated, providing total protectionagainst forgery.

2. MultipleApplication Support

       The best digital signature solution supports multiple applications.

You are operating anelectronic signature solution that enables the signing of documents createdwith the most commonly used applications – Microsoft Word and Adobe Acrobat. Butthere are some documents produced by your ERP system that also need to besigned and your electronic signature solution does not support this applicationbecause the ERP application is not supported by the chosen electronic signaturesolution.

       Traditionally,when signing paper documents, it didn't matter what type of document it was; aform, an invoice or a typed contract. Now you need the same flexibility in apaperless world.

       A numberof different applications and document management systems are available. It isimportant to select a digital signature solution that not only supportsdifferent applications, such as Word, Excel, Outlook, PDF, TIFF, Auto CAD, InfoPathand other third party applications, you should be able to add an electronicsignature to any document type. One way to guarantee support for any file formatis provided by solutions that convert any documents from any system into a“signed” PDF file.

3. GraphicalSignatures

The best digital signaturesolution offers the possibility of "seeing" the signature.

Traditionally, once adocument has been signed (with a “wet” signature), the signatures are visible.It is possible to identify who signed the document and the capacity in which itwas signed; when renting an apartment, for example, the parties sign a lease. Thecontract clearly displays the signatures and identifies who is the landlord andwho is the tenant. Anyone looking at the document can easily identify thesignatories and their roles.

In the virtual paperlessworld, digital signature solutions offer trust and security but they do notoffer easy identification. Visual graphical signatures do not add any securityto the document, but they are important from a user’s acceptance point of view,as they provide a natural user indication that the document is indeed signed.

       It istherefore important to include both the Digital Signatures, which preserve theData Integrity of the document and the digital signer’s authenticity and thegraphical image of the signer’s handwritten signature, which is a familiar formof identifying the signer.

4. MultipleSignatures

       The best digital signature solution enables documentsto be signed by more than one person in more than one place.

       There aresome electronic signature solutions that only allow one signature and when thedocument has been signed and sealed, it is impossible to add more signatures.

       Traditionaldocument-intensive organizations, such as insurance companies or financialinstitutions, have large volumes of many different types of documents that mustbe processed every day. Many of these documents must be reviewed, approved andsigned by more than one person. In some cases, one part must be approved by onesignatory while another section needs approval by a different person. With atraditional "wet" signature, it is a simple matter of signing orinitialing any place in the document.

       In thevirtual world, an effective digital signature solution should enable"sectional signing", which allows signatories to edit and sign theirportion of  the document. For example, inMicrosoft Excel, the digital signature solution should be flexible enough toallow multiple users to sign an entire workbook, different users to sign singleworksheets or even support different digital signatures for different ranges ofcells in the spreadsheet.

5. Zero ITManagement

The best digital signaturesolution is easily installed, intuitive to use and does not require dedicatedsupport staff - it will work from the moment it is installed.

In the traditional worldof paper documents all that is needed to sign and manage documents is efficiencyand ink.

In the virtual world,installing a new software system can generally be lengthy andresource-intensive. Some solutions require extensive – and expensive –customization to integrate with current or legacy software; often taking morethan a year to get it working, additional support staff and even a separatehelp desk to support the signature application.

Users want to be able touse the solution intuitively without the need to go through a long and lengthylearning cycle or to be forced to employ a wizard process every time they wantto sign a document. If the system is bulky and difficult to use, people willfind a way to avoid it.

6.Compliance

The best digital signaturesolution complies with all legal requirements.

To be considered legally binding,documents and transactions - paper-based or electronic - must meet many basicrequirements and strict standards. A digital signature solution must meet thesame criteria as a “wet” signature. These include the following basicrequirements:

       1). Authenticity– the signature can be authorized by a secure process

       2).Integrity – any tampering during transmission can be detected

       3). Privacy – the signaturecannot be accessed by unauthorized sources

       4).Enforceability – the signatures must be verifiable by all parties

       5).Non-refutability – the signature cannot be denied or disavowed

The first two requirementsprove that the recipient and the sender are authentic and authorized to performthis transaction. The next two, provide methods to prove that the messagecontent is authentic and that the recipient can be certain that the data hasnot been altered or lost in transit. The last and most important is that themessage must be able to “stand up in court”.

       Referredto as “non-repudiation”, this means that the digital signature must ensure thatthe parties involved in the transaction cannot deny sending the message or itscontents.

       Inaddition to the above general requirements, some industries, such as finance orpharmaceutical, have specific requirements. For many organizations, it iscritical to protect their data at all times with standard-based PKI methodsthat meet the toughest regulations rather than a proprietary solution.

       To avoidreturns and force the organization to prove that the solution is good enough, adigital signature solution must meet the most stringent internationallyrecognized regulations, for example:

        1). FDA's 21 CFR Part 11

        2). Health Insurance Portability andAccountability (HIPAA)

        3). Financial Services Modernization Act of1999 (Gramm-Leach-Bliley);

        4). Sarbanes Oxley

        5). FAA's CFR Title 14

              andlegislation, including:

        6). Uniform Electronic Transactions Act(UETA);

        7). E-sign (Electronic Signature in Global andnational Commerce Act)

        8). EU VAT Directive

        9). EU Directive for Electronic Signatures

Only PKI based digitalsignatures meet all these requirements. Other solutions may meet some but notall requirements.

7.Transportability

An effective digitalsignature solution should ensure transportability.

Your company hasimplemented its digital signature solution and has sent signed documents to aclient. But because the client has not installed the same digital signaturesolution, he is unable to verify the document.

       In thetraditional paper world, signed documents sent to third parties can be read andunderstood without a problem.In the virtual paperless world, however, documentsmust be recognized by the software application. To be truly versatile, a sendermust know that a digital signature will arrive unaltered anywhere in the worldand that it can be easily verified without the need for complicated,proprietary third party applications.

       Forexample, if a document had been electronically signed in PDF, then therecipient should be able to validate the document using the free Adobe AcrobatReader without any further software installations. Another example is when aMicrosoft Word® or Excel® document is signed, then it should be possible toverify it on the receiving end without the need to install any special softwareor plug-in for verification process.

8. SeamlessUser Sign-Up

The best digital signaturesolution offers simple-to-use, transparent sign-up.

       In thetraditional paper world, people who need to sign documents are identified inone of several ways: a signature card signed in person at the bank, a photo IDor personal recognition.

       In thevirtual paperless world, signatories register electronically and obtain adigital certificate, which provides electronic identification similar to abirth certificate or a passport. Digital certificates contain information aboutthe user, such as the certificate holder's name, e-mail address and otherspecific identifying information. Digital certificates verify that the user iswho he or she claims to be. Certificates are generated by a CertificateAuthorities (CA) immediately after the identity of the user is validated thusmaking the certificate a virtual equivalent of a Passport or a Birthcertificate.

       Once adigital signature solution has been deployed, it should be both simple to useand as transparent as possible. Neither the users, nor the IT person, should beaware of how a certificate is generated or maintained.

       Moreover,users should not need to use a wizard or call the Help Desk to be able to signdocuments. It should also be easy for the IT manager to make changes in theusers’ profile and these changes should be automatically reflected in theusers’ certificates.

       Inaddition, some systems require employees to re-enroll every year to verify thatthey are still authorized by the company. Users will find this cumbersome aswill the IT and HR departments who need to deal with these registrations.

9.Simple-to-Use

The best digital signaturesolution is technologically simple to use.

       In thetraditional paper world, signing a document is simple, intuitive and quick.

       In thevirtual paperless world, signing a document should be just as easy. It shouldtake no more than 10 seconds or 1-2 mouse clicks – to ensure that the documentis signed, sealed and legally compliant.

       But ifyour digital signature solution requires the user to go through a tediouswizard-type process to sign a document and each step of the process requires auser interaction making the process complicated and difficult, the inadequaciesof the selected solution will soon become apparent. Users should not berequired to learn new technologies or require assistance from a Help Desk.

10. TotalCost of Ownership

The best digital signaturesolution has no hidden operation and management costs.

Traditional paper signingleaves mountains of paperwork needing physical storage in archives that oftenmushroom to warehouse proportions. To reduce costs and improve efficiency,companies should move into the world of electronic processes.

       Standards-baseddigital signature solutions enable companies to become totally paperless. However,when considering a digital signature solution, it is important to look into thepotential hidden costs.

       Manytraditional digital signature solutions are based on complex PKI technology andare difficult to deploy. They involve complicated software requiring a heavyinvestment in IT support and development. Sometimes, a Help Desk needs to becreated or additional staff employed to support the solution. Other costs thatneed to be checked include registration and renewal fees for digitalcertificates, cost for smart cards, etc.

Conclusion

To ensure a smoothtransition from paper-based to paperless offices with a digital signaturesystem that:

1).guaranteesnon-repudiation

2).offers a high level ofsecurity

3).effectively sealsdocuments

4).allows multiple signersto sign on a single document without difficulty

5).iscompatible with multiple applications

6).issimple to use

7).offersa rapid return on investment

8).hasno hidden costs

9).istransportable without having to install proprietary software