Electronic Signature Guide

eSignAnyWhere supports different kinds of signatures, and these affect not only how the signer signs the document but also the legal standing of the signature. We recommend that you verify with your legal consultant which signature type is best for your specific use case. Within the European Union a clear regulation is available in the eIDAS regulation 910/2014. Nevertheless, there are still some national limitations affecting the electronic signature and its possibilities, so a validation for your jurisdiction is recommended.

Within the European Union, signatures fall into two categories defined by EU regulation 910/2014, eIDAS (electronic IDentification, Authentication and trust Services):

  • Advanced Electronic Signature (AES)
    • provides unique identifying information that links the signature to its signatory
    • the signatory has sole control of the data used to create the electronic signature
    • must ensure that the signature becomes invalid after changes to the document (e.g. PAdES [PDF Advanced Electronic Signature] in PDF)
  • Qualified Electronic Signature (QES)
    • is a signature created via a qualified electronic signature creation device (e.g. smart card or remote certificate of a TSP)
    • is equivalent to the written legal form
    • is non-repudiable by the signatory
    • requires an identification of the signer, which can be carried out by an LRA (Local Registration Authority) or its sales partners

The regulation also defines the terminology: for natural persons it speaks of an “electronic signature”, for legal persons (e.g. companies) of an “electronic seal”.

Signature Types in eSignAnyWhere

Each signature type is listed with its AES and QES classification and a description:

  • Click to Sign
    • AES: depending on a second factor or use case
    • QES: no
    • Description: A simple signature, where the signer has to click on the signature field to sign it. In combination with an additional element (under sole control of the signer) it is an AES. We recommend using an authentication method (e.g. SMS-OTP) to ensure this. Please verify the use case to ensure that the authentication method is under sole control of the signer.
  • Draw to Sign
    • AES: depending on a second factor or use case
    • QES: no
    • Description: A simple signature, where the signer records a signature (e.g. via mouse or finger) as a picture (no biometric data) to sign the field. In combination with an additional element (under sole control of the signer) it is an AES. We recommend using an authentication method (e.g. SMS-OTP) to ensure this. Please verify the use case to ensure that the authentication method is under sole control of the signer.
  • Type to Sign
    • AES: depending on a second factor or use case
    • QES: no
    • Description: A simple signature, where the signer types his signature, which is used as the picture for the signature. In combination with an additional element (under sole control of the signer) it is an AES. We recommend using an authentication method (e.g. SMS-OTP) to ensure this. Please verify the use case to ensure that the authentication method is under sole control of the signer.
  • Biometric Signature
    • AES: yes
    • QES: no
    • Description: The biometric signature records and (asymmetrically) encrypts the data points of the handwritten signature in real time. The encrypted signature is stored and bound to the PDF document so that it can be validated. The biometric data is thus the element under sole control of the signer, so no additional authentication is required (unless the use case requires it). Please note that the biometric signature is not recorded directly via the browser; it typically requires specific hardware (signature pad, tablet PC with pen, convertible with pen) to ensure a high quality of the biometric signature, so it is mostly used for point-of-sale use cases. Please contact your Namirial Sales Consultant for more information.
  • SMS-OTP Signature
    • AES: yes
    • QES: no
    • Description: The SMS-OTP (One-Time Password) signature is similar to Click to Sign: the signer clicks on the signature field and confirms via SMS OTP (a numeric code sent to the signer's phone) to sign the field. The phone is under sole control of the signer.
  • Local Certificate
    • AES: depending on the local certificate
    • QES: depending on the local certificate
    • Description: This signature gives access, via the SIGNificant Device Driver (download available via the signing interface), to local devices (e.g. smart cards, USB tokens, the Windows certificate store). The signature level (AES, QES) depends on the device used.
  • Digital Remote Certificate
    • AES: yes
    • QES: depending on the certificate
    • Description: This signature uses remote certificates (stored at a CA/TC) to sign the document. The credentials are under control of the signer. Depending on the certificate it is either an AES or a QES.
  • Disposable Certificate
    • AES: yes (it is a QES)
    • QES: yes
    • Description: This signature uses a disposable certificate issued via the Namirial TSP. The disposable certificate is a QES which is only valid for a short time and allows simpler usage for the signer (by accepting the T&C of the Namirial TSP and confirming the QES via SMS-OTP or the Namirial OTP App).
  • Custom Signature Types
    • AES: case by case
    • QES: case by case
    • Description: On demand we can integrate custom signature types for you (customer TSP integrations, use-case-specific signature types).

All envelopes write a detailed audit trail (unless disabled), which documents the signing process and its actions and events (such as the authentication of the signer). The audit trail is digitally signed by eSignAnyWhere.

Recommendation

eSignAnyWhere supports different kinds of signatures; most of them are designed for a specific use case to ensure a good user experience and acceptance.

In general you can distinguish between a

  • Remote scenario, where the signer uses his own device (e.g. smartphone or PC)
  • Point-of-Sale (PoS) scenario, where the signer uses the device available at the PoS

Remote Scenario

The remote scenario uses the signer’s own device for the signature, typically at home or at the office. The recommended signature type here is “Click to Sign“, because it offers a good user experience and acceptance. In combination with an SMS-OTP (one-time password) for the authentication, it is considered an AES. Other authentication methods (PIN, OAuth2 or SAML) might also offer a good user experience.

As an alternative you might use the SMS-OTP Signature, but it requires an SMS-OTP for every signature field, which could frustrate the signer if there is more than one signature field. (Note: SMS-OTP is an optional, not a default, feature of eSignAnyWhere.)

For a QES the best option is a disposable certificate, because the signer only has to accept the Namirial TSP terms and conditions for the disposable certificate (a personal certificate for the signer). The signing is performed by clicking on the signature field and confirming with SMS-OTP or the Namirial OTP App.

Point-of-Sale (PoS)

The PoS scenario is typically used in combination with API integrations and extended use cases. At the point of sale there is typically dedicated signing hardware, such as a signature pad, a tablet (e.g. iPad) or a PC with touch screen and pen. In that case a biometric signature is the natural way of signing for an AES. You can also use the signer's own device by turning the PoS case into a “remote” scenario, where the signer uses his own device at the point of sale.

QES is supported via Disposable Certificate e.g. with the SIGNificant Kiosk in combination with a Signature Pad (e.g. the Namirial NT10011).

Evidence and Validation of Signed PDF/A Documents

PDF is a powerful document standard (ISO 32000), and PAdES (PDF Advanced Electronic Signature) ensures secure documents and signatures. The evidence is stored on the one hand directly in the PDF document and on the other hand in the corresponding process documentation (audit trail).

Evidence: PDF & Audit Trail

If you open a signed PDF document with a PDF reader (e.g. Adobe Reader), you can verify the embedded data, such as:

  • digital certificates that identify the signatory or the document issuer
  • document integrity protection that makes changes visible
  • the signing graph and document history
  • trusted time-stamps (optional)
  • geo-location (optional)
  • information on the validity of the signature certificate at signing time (OCSP / CRL)
  • EUTL – European Trust List of eIDAS Trust Service Providers
  • encrypted biometric signature data embedded in the document
  • Adobe Reader – Adobe Approved Trust List (AATL)
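The integrity property listed above (and the AES requirement that a signature become invalid after the document changes) rests on the /ByteRange of a PAdES signature: the signature dictionary records which byte ranges of the file the digest covers, leaving out only the /Contents string that holds the signature itself. The following Python script is an added example, not eSignAnyWhere or Namirial code. It builds a constructed, PDF-like byte string with such a signature dictionary, then shows what a verifier sees for the intact file, for a file edited inside the covered ranges, and for a file with bytes appended after the signed revision. It simplifies one thing: /Contents holds a bare SHA-256 digest instead of the CMS signature (with certificate, signed attributes and optional time-stamp) that a real PAdES signature embeds.

```python
"""Added example (not eSignAnyWhere code): how a PAdES-style /ByteRange lets a
verifier detect changes to a signed PDF.

The sample "PDF" is a constructed byte string, not a valid PDF, and /Contents
holds a bare SHA-256 digest instead of a CMS signature. The ByteRange
arithmetic and the integrity check are the same as for a real signature.
"""
import hashlib
import re

BR_WIDTH = 10          # fixed-width ByteRange numbers so offsets never shift
DIGEST_HEX_LEN = 64    # length of a SHA-256 hex digest, reserved in /Contents

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]+)>")

# Constructed sample document body (stands in for the real PDF objects).
SAMPLE_BODY = b"%PDF-1.7\n1 0 obj << /Contract /Sample /Amount 100 >> endobj"


def _layout(body: bytes, byterange, contents_hex: bytes) -> bytes:
    """Append a signature dictionary with the given /ByteRange and /Contents."""
    br = " ".join(f"{n:0{BR_WIDTH}d}" for n in byterange).encode()
    return (body
            + b"\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached /ByteRange ["
            + br + b"] /Contents <" + contents_hex + b"> >>\n%%EOF\n")


def covered_bytes(pdf: bytes, byterange) -> bytes:
    """The two ranges a PAdES signature covers: everything except /Contents."""
    a, b, c, d = byterange
    return pdf[a:a + b] + pdf[c:c + d]


def sign_sample_pdf(body: bytes) -> bytes:
    """'Sign' the body: compute the ByteRange, digest the covered bytes and store
    the digest in /Contents (a real signer stores a CMS signature there)."""
    placeholder = b"0" * DIGEST_HEX_LEN
    draft = _layout(body, (0, 0, 0, 0), placeholder)
    start = draft.index(b"/Contents <") + len(b"/Contents ")   # offset of '<'
    end = start + 1 + DIGEST_HEX_LEN + 1                        # just past '>'
    byterange = (0, start, end, len(draft) - end)
    unsigned = _layout(body, byterange, placeholder)
    digest = hashlib.sha256(covered_bytes(unsigned, byterange)).hexdigest()
    return _layout(body, byterange, digest.encode())


def verify_sample_pdf(pdf: bytes) -> dict:
    """Recompute the digest over the ByteRange and report what a verifier sees."""
    br_match = BYTERANGE_RE.search(pdf)
    ct_match = CONTENTS_RE.search(pdf)
    if not br_match or not ct_match:
        raise ValueError("no signature dictionary found")
    byterange = tuple(int(x) for x in br_match.groups())
    a, b, c, d = byterange
    actual = hashlib.sha256(covered_bytes(pdf, byterange)).hexdigest()
    return {
        "digest_matches": actual == ct_match.group(1).decode().lower(),
        # Bytes after the signed revision form an incremental update that the
        # signature does not cover; a viewer reports them as later changes.
        "uncovered_trailing_bytes": len(pdf) - (c + d),
    }


def verdict(pdf: bytes) -> str:
    result = verify_sample_pdf(pdf)
    if not result["digest_matches"]:
        return "modified: signed bytes changed"
    if result["uncovered_trailing_bytes"] > 0:
        return "appended: revision added after signing"
    return "intact"


def demo() -> dict:
    """Intact file, edit inside the covered range, and an appended revision."""
    signed = sign_sample_pdf(SAMPLE_BODY)
    tampered = signed.replace(b"/Amount 100", b"/Amount 900")
    appended = signed + b"2 0 obj << /Annots [] >> endobj\n%%EOF\n"
    return {"signed": verdict(signed),
            "tampered": verdict(tampered),
            "appended": verdict(appended)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

Run the script directly to print the three verdicts. The distinction matters in practice: an edit inside the covered ranges invalidates the signature outright, whereas appended bytes are a PDF incremental update that the signature never covered. A viewer shows those as changes made after signing, and the verifier has to decide whether that later revision (for example a second signer's signature field, or the audit trail attachment) is acceptable for the use case.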

In addition to the evidence in the signed document, a corresponding sealed process documentation (audit trail) is written, containing:

  • the envelope with the hashes of the document(s)
  • sent notifications and recipient addresses
  • authentication (PIN, SMS-OTP, etc.)
  • the reader’s IP addresses
  • the reader’s location
  • date and time of actions
  • actions on the document/envelope: page open and view, confirmations, form field edits, signatures and many more
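A sealed audit trail can be checked independently of the signed PDF if the trail binds itself to the document (via the document hash) and chains its events so that none can be removed or edited unnoticed. The Python script below is an added illustration, not eSignAnyWhere's audit-trail format or code: it builds a trail from constructed sample events (the recipient address, IP address and timestamps are made up), seals it, and then shows how a verifier detects an edited event, a dropped event and a trail that belongs to a different document. The seal is an HMAC under a demo key, standing in for the platform's digital signature over the trail; the checks are the same with an asymmetric signature, only the key material differs.

```python
"""Added example (not eSignAnyWhere code): a hash-chained, sealed audit trail
bound to the document it documents, plus the checks a verifier would run.

Events, addresses, IPs and timestamps are constructed sample data. The seal is
an HMAC-SHA256 under a demo key, a stand-in for the platform's digital
signature over the trail.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64                                    # prev-hash of the first event
DEMO_SEAL_KEY = b"constructed-demo-seal-key"          # stand-in for the signing key
SAMPLE_DOCUMENT = b"%PDF-1.7 constructed sample contract bytes"

# Constructed events, in the order the process produces them.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:00Z", "action": "notification_sent",
     "recipient": "signer@example.com"},
    {"time": "2024-01-15T09:05:12Z", "action": "authentication",
     "method": "SMS-OTP", "ip": "203.0.113.10", "result": "success"},
    {"time": "2024-01-15T09:05:30Z", "action": "page_view", "page": 1,
     "ip": "203.0.113.10"},
    {"time": "2024-01-15T09:06:02Z", "action": "form_field_edit",
     "field": "Amount", "ip": "203.0.113.10"},
    {"time": "2024-01-15T09:06:40Z", "action": "signature", "field": "Sig1",
     "type": "Click to Sign", "ip": "203.0.113.10"},
]


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and seals do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_audit_trail(envelope_id: str, document: bytes, events, key: bytes) -> dict:
    """Chain each event to its predecessor, bind the document hash, then seal."""
    chained, prev = [], GENESIS
    for seq, event in enumerate(events):
        entry = {"seq": seq, "prev": prev, **event}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        chained.append(entry)
        prev = entry["hash"]
    trail = {"envelope_id": envelope_id,
             "document_sha256": hashlib.sha256(document).hexdigest(),
             "events": chained}
    trail["seal"] = hmac.new(key, canonical(trail), "sha256").hexdigest()
    return trail


def verify_audit_trail(trail: dict, document: bytes, key: bytes) -> list:
    """Return a list of problems; an empty list means the trail checks out."""
    problems = []
    unsealed = {k: v for k, v in trail.items() if k != "seal"}
    expected = hmac.new(key, canonical(unsealed), "sha256").hexdigest()
    if not hmac.compare_digest(expected, trail.get("seal", "")):
        problems.append("seal mismatch: trail was altered after sealing")
    if hashlib.sha256(document).hexdigest() != trail["document_sha256"]:
        problems.append("document hash mismatch: trail belongs to a different document")
    prev = GENESIS
    for i, entry in enumerate(trail["events"]):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            problems.append(f"event {i}: chain break (missing or reordered event)")
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("hash"):
            problems.append(f"event {i}: hash mismatch (content edited)")
        prev = entry.get("hash", "")
    return problems


def demo() -> dict:
    """Intact trail, edited event, dropped event, and wrong document."""
    trail = build_audit_trail("ENV-0001", SAMPLE_DOCUMENT, SAMPLE_EVENTS, DEMO_SEAL_KEY)
    edited = json.loads(json.dumps(trail))
    edited["events"][1]["ip"] = "198.51.100.7"        # rewrite the authentication IP
    dropped = json.loads(json.dumps(trail))
    del dropped["events"][3]                          # remove the form-field edit
    return {
        "intact": verify_audit_trail(trail, SAMPLE_DOCUMENT, DEMO_SEAL_KEY),
        "edited": verify_audit_trail(edited, SAMPLE_DOCUMENT, DEMO_SEAL_KEY),
        "dropped": verify_audit_trail(dropped, SAMPLE_DOCUMENT, DEMO_SEAL_KEY),
        "wrong_document": verify_audit_trail(trail, SAMPLE_DOCUMENT + b" (altered)", DEMO_SEAL_KEY),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

Two design points carry over to any real trail format: the seal covers the canonical form of the whole trail, so an editor cannot reorder keys to hide a change, and the per-event chain localises the damage (the verifier names the edited or missing event instead of only reporting "seal broken").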

Glossary

AATL – Adobe Approved Trust List
Biometric Signature – A recording of the x/y coordinates, pressure and timing of a handwritten signature.
CA – Certificate Authority
CRL – Certificate Revocation List
Digital Signature – An electronic signature based on asymmetric cryptographic algorithms.
Electronic Signature – An electronic signature ranges from a simple level (SES) to a very high level of signature (QES).
EUTL – European Union Trust List
PDF – Portable Document Format
PKCS – Public Key Cryptography Standards, e.g. PKCS#7, a high-level signature format.
PKI – Public Key Infrastructure
OCSP – Online Certificate Status Protocol
QES – Qualified Electronic Signature
OTP – One-Time Password
TSP – Trust Service Provider
QTSP – Qualified Trust Service Provider

The information provided on this page is continually revised and adapted to changes in legislation, case law or technology. Hints for clarification, updating and supplementing are always welcome via e-mail. The information on this page does not constitute legal advice. In particular, it cannot replace individual legal advice that takes into account the specifics of the individual case.