So I've been directly involved in e-sign for more than 12 years now. There is one major conclusion or learning I've made so far about E-sign, and I would like to share it with you. It would be that there's only one valid reason to use e-sign. No others other exists, no other reasons, good enough reasons to use e-sign exist. And this reason is legal reason because e-sign, it's all about collecting and preserving evidence to ensure sufficient legal protection. So that's it. Otherwise you just can save some money and skip it if you don't address this one.
And let me give you short, like I assume some of you might know it very well, but still some intro about what is signing generally is how it works a little bit deeper than just as a regular consumer would know. Normally, there are two important moments in time throughout the lifecycle of every e-signature. The first one is when this guy on the left is adding the signature to the document and he wants to preserve the evidence of his identity and the content being signed within that document.
And then there's another moment which is validation of the signature where this lady on the right would like to verify that it was really that guy before and the content he has signed was exactly this. And those two moments can be very much distant from each other in space and time. So it can be, it varies.
And luckily in Europe we have something which is called e iida.
We, and, and my personal like opinion that the most essential part of e iida in terms of empowering a signature to provide trust in evidence is Article 26 where there are four requirements towards electronic signature. Number one requirement tells that this electronic signature should be pointing, certainly pointing to one person only. That's important. So we should know that it was only one person on earth who, who could have done this second requirement tells us that electronic signature should be capable of identifying that person.
So we should be able to figure out the name or, or certain or, or some alias of that person. But still it's this person should be identifiable. We and here trusted authorities usually come into play. They do this initial verification of real life identity and then they assure it to the rest of the world, whoever is interested in this identity later on.
Requirement number three is something also very important that when this guy wants to sign something, we must ensure that the secret for signing is kept in his soul control throughout the lifecycle of that secret.
So there's no any second moment millisecond where this key is in somebody else's control. So that's important. That's achieved by, usually by the means of PK. I like private and public key. Private used for signing public key used for verifying the signature.
So, and this key is uniquely linked to that guy. And requirement number four is also critically important. I would say that every signature should be like connected to the content being signed so that it means that it doesn't work and it doesn't work that way, that there is a stock of your signatures. You just take, take next one and attach it, stick it to any document you want.
It doesn't work that way. It should be a mix or blend of both every time you sign.
So in fact it is the encryption algorithm used, applied towards the content and where your secret is, is used as a parameter for the encryption. So, and signature essentially is the result of encryption. That's the encrypted material. That's how the documents are being signed.
Okay, technically it's, it's not the document itself, it's the hash of the document is being signed, but it's not important this time. So that's the important fourth requirement. So now when we have signed the document for the usability purposes and just for great user experience, we usually package it also with, with original content and with the information about the claimed signatory identity.
So, and there are a variety of different formats, more universal, more local for the signed documents, but the most widely used probably is the PDF file.
I'll stick to that in my demo, just not, not demo, but in my story just to make it simple and universal.
So, and this package is then the PDF file, which is shipped or stored for verification, for validation later on at some point when this time comes to validate the signature, the lady takes the claimed identity from the package and she goes to the trusted authority to get the public key for that identity because that's the claim identity. She doesn't trust it yet. She takes the, she gets the public key and what she does next, she does the reverse operation to encryption.
So, so she decrypts the signature, she takes it from the package and tries to decrypt the signature. Now she's got two versions of document. One is the decrypted one and another one originally supplied, which pretends to be the original content. And she can now compare those two documents, match each other like bit by bit.
It means that both keys were matching, so private and public key. So it means the person was authentic, we can trust the identity now. And the document also is authentic because they match. So the encrypt encrypted one was the same.
So, and she can trust this document. Obviously she doesn't do this math every time with a calculator or, or, or or Excel or the software does. And if we take like add a breeder, it normally is capable of doing these calculations, verifications at least the majority of them. And then you get, if you open the sign signed file, you get the signature panel on top, you click that button and you see as a metadata the name of the signatory.
And if it's it, it, it's usually if it's fine with the signature then it shows you green bubble or green check mark and the statement that the document has not been modified since the signature was applied.
So that's essentially the same. So verification of identity and integrity of the content. And then we have, I don't go deeply here now to check all the four requirements, but these match here, these are satisfied as a rule of thumb just because I get very often get the question, is this signature good or not? How can I check? Rule of thumb would be for the regular user, just open it.
If you see everything is green must be hinting that document is was probably okay. And the second important thing is it's the real name of the signatory. So like the name of the natural person, that's important if you are looking for the signature of the natural person there. If those two are okay, most probably the document is good. So if you need really strong, strong verification, okay, you need to do more.
Okay, something went wrong, it doesn't switch for me, could it please help me? Oh yeah, it works now.
No, yes, this one please.
Something's going on here for me, but I will try to yeah, to scroll it quickly further.
So, but if anything goes wrong, documents will not match. Either the keys were not matching or the content has changed.
So anyway, we can't tell the signature we'll tell will not tell you what exactly went wrong. So which piece of of content was damaged or, or, or or corrupted or altered. But you shouldn't trust the document anyway, the signature anyway. And software will also tell you this. So it red cross red bubble like or alert. So you'll get it.
That's the way, at least in our company, we expect it to work and I personally expect it to work.
The reality check tells us things happen differently and I believe it's a problem and problem because many people use it in other way or, or, or use alternatives which do not ensure this legal protection, sufficient legal protection, at least at the level they expect it to be. So, and I would say that it's my personal like judgment, but that service providers who do, who do it differently, they kind of exploit the lack of understanding and knowledge of these fundamental principles. How electronic signatures sufficiently trusted electronic signatures should work.
And let me explain you the details. Now my my point, so instead of using your individual secret for signing to service providers, they often use their own private key to sign the document, their own certificate.
So it's still, it's form, it can be called a seal, electronic seal, but it is not explained well enough for customer to customers.
So, and then in that case you get all the strange like names in instead of names of the real persons like in human body, human human beings, you get the names of the companies here. That's the reason why you see the names of the company here. And natural question of the ladies, where is this guy who pretends to be the signatory in the document? And so those providers, they of course expect this question and their answer, at least in region we operate usually is they like do a trick here at the signing.
They present the document to be signed to the signatory and at the next step they ask them to please authenticate to sign this document.
They use the some very well established like known identity providers in that region. Like bank Id like mid id, whatever, many IDs no matter. But this is something normally trusted by people to authenticate to different services and they like, oh well, so it must be secure. And based on the authentication results, the service, the service provider creates like what I call identity phantom page, like where they make statement.
We've seen that guy, his name was, we authenticated him with bank ID and his name was that and authentication transaction number was that. So, and they, they attached or append this page to the original document and sometimes they had like nice logos of bank Id like, it's like borrowing credibility from bank id.
And sometimes they also change filters, hats of the original document and on top of that they sign with their own key. So it looks nice to the customer, but let's do this check against EI dysregulation. So is this type of signature uniquely linked to the identity of the signatory?
Obviously not in the way we expect it because the real secret belongs to the company and they use it for many signatories. It's the same key for many failed. Does this type of signature identifies me in the crowd as a signatory? Well like identify on page pretends to be doing this, but it's a, I would say it's a hook because there's no verifiable evidence of this identity. It's just a statement. If you trust sufficiently, this service provider, if you believe everybody trust him, they, they it the service provider that could work.
But, but, but there is no like something which you can strongly verify or mathematically or cryptographically.
So does Designing Secret belong or controlled by me by the Satory?
No, not at all. It's controlled by the company. And is this signature linked to the document, to the original document? Obviously not because the original document is being deliberately changed immediately after I authenticate like a pending like reshaping it. So it's not the same document anymore. What I get is output.
So, and when I once tried to challenge one of those identity providers about the, one of the signatures there, just to find out if there is anything more which can be used as evidence, then I can get from the document itself. I asked the question, so according to adas there's some, there should be some piece of data which represents the electronic signature of the person of the claim signatory, which is this piece of data in the document. Please tell me.
And we ated about eight times starting with Service Desk, they escalated it higher and still they ended up answering me that, that that my next button doesn't work again. Okay, yes, that this piece of visual part of the document, like the graphical part of the document where I can see the name imprinted and the, and the name ID in this case transaction authentication transaction number was a signature of Adam.
Well if it's that signature, if it's something which is really used as a signature, I took it as a picture and supplied as a graphical representation of the signature to another document and signed it without being authenticated in this case. But still I got a nice document, which looks perfectly from that sense that you, I have the same picture, the same signature and it, the document content seems to be like appropriate, not altered looks nice. And the only problem with this document was that Adam has never seen this document.
So, and the original one looked differently. It looked like this, like there even, it looked even worse because there were some problems with their certificates.
So, and my point is that yeah, it's, it's does it really provide you sufficient legal evidence, which you are looking for when you sign that way? It might be that it works for you for some use cases it's fine, but I want to, that we all understand what we are doing and what we are getting as output when we use that type of solutions because, and, and, and the reason, because it makes us feel good really because we oh, that I have site and then yeah, use bank id it must be secure, but it doesn't always work like that.
It just fills out, it just makes us feel good but maybe we don't get legal protection. We are really looking for that way.
And the reason I believe it's happening because equipping user equipping one user with private key securely and safely is less, less, less hundreds times less expensive than equipping everybody who wants to sign.
So, and it can be really profitable thing, but, and, but, but at the same time it can, can be very useless thing for the customers. I want us to be open and honest with each other when we do signing.
And yeah, I want us to make informed decision about how we sign. And this is not for money. I often get many questions about this signing. I have to repeat myself many times over and over again. I sometimes just create videos and, and link people or reference these videos. This is not professionally made videos, but, but please, if you are interested, check it out. Thank you very much. Thank you.
