Tuesday, August 17, 2010

What Methods of Digital Signatures Do Clients Use?

This is a response I gave to this question when it was posted on one of the LiveCycle groups:

I have had many clients that still want to use wet signatures in their new process. Many times it's a matter of what they know will be an easy process to get through their legal department. There are many situations where someone signs a document, and the recipient has no method of verifying who actually signed it and no process to repudiate the signature if a conflict arises. In many cases, although the signature is legally binding, there isn't really any method to validate it unless you compare it against an old document.

Financial institutions store a signature card, or an electronic image of your signature, to validate against.

Digital signatures validate that the computer of the certificate holder was used to sign the document.

I have had some clients that use username/password as well, and others just use the currently logged-in (LDAP) user. Some will then use a signature stored on the user's computer or in a database, and retrieve the timestamp from the server; avoid using a client timestamp.
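The two points above, that the signature proves the certificate holder's key was used and that the timestamp must come from the server rather than the client, as an added example that is not from the original post or from LiveCycle: a small Go signing routine binds the server-resolved signer, the document hash and the server time under one Ed25519 signature, so a changed document, signer or timestamp fails verification. The record layout, the signer name and the key handling are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignatureRecord is a hypothetical record stored with the document (not a LiveCycle
// format). Signer is resolved server-side (e.g. the LDAP session); SignedAt is the server clock.
type SignatureRecord struct {
	Signer   string
	DocHash  [32]byte
	SignedAt time.Time
	Sig      []byte
}

// canonical: the exact bytes the signature covers (signer length, Unix time, signer, hash).
func canonical(signer string, docHash [32]byte, signedAt time.Time) []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint32(buf[:4], uint32(len(signer)))
	binary.BigEndian.PutUint64(buf[4:], uint64(signedAt.Unix()))
	return append(append(buf, signer...), docHash[:]...)
}

// Sign hashes the document and signs signer + hash + server timestamp together.
func Sign(priv ed25519.PrivateKey, signer string, doc []byte, serverNow time.Time) SignatureRecord {
	rec := SignatureRecord{Signer: signer, DocHash: sha256.Sum256(doc), SignedAt: serverNow.UTC()}
	rec.Sig = ed25519.Sign(priv, canonical(rec.Signer, rec.DocHash, rec.SignedAt))
	return rec
}

// Verify rejects an altered document, an altered signer or timestamp, and a
// timestamp ahead of the server clock (which betrays a client-supplied time).
func Verify(pub ed25519.PublicKey, rec SignatureRecord, doc []byte, serverNow time.Time) bool {
	if sha256.Sum256(doc) != rec.DocHash || rec.SignedAt.After(serverNow) {
		return false
	}
	return ed25519.Verify(pub, canonical(rec.Signer, rec.DocHash, rec.SignedAt), rec.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	doc := []byte("constructed sample form contents")
	rec := Sign(priv, "jdoe", doc, time.Now())
	fmt.Println("valid:", Verify(pub, rec, doc, time.Now()))
}
```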

Some of the signature pad technologies (e.g. CIC) have biometric capabilities: they can actually monitor the speed at which you moved the pen, where you accelerated, how much pressure you applied at different points, where you lifted the pen, etc. So even if the signatures "look" identical, it can easily determine that the signer is different. Signatures are easier to forge when drawn backwards, so this would easily defend against that. Unfortunately, most institutions that use these technologies don't actually use the biometric features.