DIGITAL SIGNATURE VS ELECTRONIC SIGNATURES.pdf
- 1. DIGITAL SIGNATURE VS ELECTRONIC SIGNATURES Background There has been a lot published on this subject, and almost every firm or body that offers a sign-related service or solution has a section on their website dedicated to it. Nonetheless, there is a misunderstanding in the market about the legality of the words digital signatures and electronic signatures. You will not be any wiser after reading the material offered on the websites of different companies. Depending on which vendor's website you visit, the picture displayed may be somewhat different. One reason for this is that electronic signatures are implemented differently by different suppliers. Another factor is that different nations' regulations differ in terms of what constitutes a legal signature and what types of papers or transactions are permitted to utilise such signatures. Without diving into technical intricacies of signature techniques, this article clarifies the differences and addresses the questions of their legitimacy in the context of Indian law. It closes by demonstrating that typical electronic signatures, at least in the form used by most electronic signature providers, are not legally acceptable in India.
- 2. Electronic Signatures The term "electronic signature" refers to any sort of "signature" on a document that does not include the use of a pen and paper at its most basic level (also known as a "wet" signature). These signatures are written on paper that has been converted into an electronic format. The term can be defined in a number of ways. In the year 2000, the United States passed the ESIGN Act, which provided electronic signatures the same legal status as paper-based "wet" signatures. "An electronic sound, symbol, or process that is attached to or conceptually related with a record and executed or adopted by a person with the purpose to sign the record," according to the definition. This allowed any type of signature to be created electronically, including typing one's name or initials in a specific location, drawing a signature with a mouse or a stylus, or even uploading a previously scanned image of a handwritten signature, and all of them would be legally legitimate It should be noted that this type of signature does not guarantee that the signature was actually made by the intended signatory on the intended document. It is simple to falsify a document or a signature. Furthermore, a genuine signed document can be tampered with with no way of knowing. "Data in electronic form that is attached to or conceptually associated with other data in electronic form and that is used
- 3. by the signatory to sign," according to the European Union's eIDAS. This roughly corresponds to the term's definition in the United States. "Electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the standards of the qualified electronic signature," it states, a little ambiguously. India passed the Information Technology Act of 2000, which was later updated in 2008, defining electronic signature as a method of authenticating an electronic record that meets the following dependability criteria: Within the environment in which they are utilised, the signature creation data or authentication data are tied to the signatory or, as the case may be, the authenticator, and no other individual. Any alteration to the electronic signature made after affixing such signature is traceable because the signature generation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and no other person. Any change to the information after it has been authenticated by an electronic signature can be detected. Advanced Electronic Signature is a type of electronic signature defined by the EU's eIDAS (AES in short). AES stands for "Advanced Encryption Standard," which refers to electronic signatures that match specified conditions. These are the criteria:
- 4. It contains unique identifying information that connects it to the person who signed it. The data used to form the electronic signature is within the sole control of the signatory. It must be able to tell if the data attached to the message has been tampered with after it has been signed. The signature is marked invalid if the signed data has changed. There is an electronic signature certificate, or electronic evidence, that verifies the signatory's identity and links the electronic signature validation data to that individual. Qualified Electronic Signature is a more limited kind of signature defined by EU eIDAS, although it is outside the scope of this article. In purposes of legality, the broad definition given to a mere electronic signature is more clearly specified for AES, as follows: The legal impact of a qualified electronic signature must be the same as that of a handwritten signature. A qualified electronic signature based on a qualified certificate issued in one Member State is recognised in all other Member States as a qualified electronic signature. The term "digital signature" is defined in the Indian IT Act 2000 (as revised later in 2008) as a method of validating an electronic record such that:
- 5. The usage of an asymmetric crypto system and hash function to wrap and change the initial electronic record into another electronic record will be used to authenticate the electronic record. The electronic record can be verified by anybody using the subscriber's public key. The private key and public key are both unique to the subscriber and form a working key pair. This definition of the word digital signature is even more limited than the EU's AES, as it only refers to signatures that use public-private key cryptography. Other sections and rules stipulate that signatures must be in the PKCS#7 (CMS Standard) format, and they go even further by indicating the use of public/private key technology and necessitating the usage of a verified signature creation device. The Act also establishes the function of a Controller of Certifying Authority and a hierarchical structure of authorities that will be permitted to certify subscribers' identities and link them to their public keys. Electronic Signatures are loosely defined in general, whereas Digital Signatures are defined in a way that is close to the technology (public/private key) involved. In addition, when dealing with digital signatures, the ambiguous terminology used to characterise the legality of electronic signatures becomes more precise.
- 6. In terms of how they are generated, technology employed, security supplied, and legality, it is acceptable to claim that all digital signatures are electronic signatures, but not all electronic signatures are digital signatures. Comparison One disadvantage of electronic signatures is that, unlike digital signatures, they are not controlled. Each signing service performs them in a unique way. When they say their signatures are secure, you have to accept their word for it. To authenticate a signer's identity and "intent" to sign a document, the service often collects a string of virtual "fingerprints," such as hash markers and IP IDs. By storing the association on the service backend, these fingerprints are digitally linked to the document being signed. This leads to the second issue with electronic signature- based signing services: they require you to check back with them if you want to know if the document has been tampered with. As a result, a vendor lock-in exists. You can't just hand over your signed documents to another vendor or keep them on your premises. You'd have the signed document but no guarantee that the signatories were genuine.