Electronic Signatures – A Crash Course

What is the difference between an electronic signature and a digital signature?

The two terms are closely related and are often used interchangeably. The term electronic signature is a legal term and can replace a hand signature, for example, to sign a contract. Unlike a hand signature, an electronic signature has no visual appearance. It consists of a set of electronic data that enables other data, such as a PDF, to be verifiable and capable of being authenticated.

A digital signature, on the other hand, refers to a cryptographic process of creating an electronic signature using a secret signature key. By using the associated public key, the recipient of the signed document can perform a signature verification.

Please note that there are country-specific differences in the translation and interpretation of these terms.

What types of signatures are used in practice?

For a simple electronic signature (SES), a secret key created in any way is sufficient. For example, a self-signed certificate can be used for this purpose. Self-signed means that the issuer, verifier of legitimacy and owner are the same person.

The advanced electronic signature (AES) authenticates the signer and ensures the integrity of a document. It is not equivalent to a handwritten signature and is particularly suitable for signing digital documents where legal regulations do not require a qualified electronic signature (QES). Examples include automated mass signatures of receipts, bank statements, or other business documents.

An AES is usually created using an advanced certificate issued to a natural or legal person. Advanced means that it has been issued by a legally recognized certification authority (CA), with which the signer must authenticate himself once. Access to the certificate and thus to the creation of the signature is protected by password or PIN.

The qualified electronic signature (QES) must comply with additional formal requirements compared to the AES because it is equivalent to the hand signature in many countries and is therefore legally binding, e.g. in Switzerland, the EU, the USA. The "holder" is always a natural person. The signature certificate of a QES must also be issued by a state-recognized CA.

Qualified certificates must generally be delivered physically (SmartCard, USB stick, HSM). Unlike the AES, the password or PIN of the QES must be entered for each individual signature. This ensures that a signature really comes from its owner. With a qualified signature, a time stamp can be used to check whether the certificate was valid or not revoked at the time it was created – with an AES, this is optional.

What is not mandatory, but recommended, is to also include a time stamp with QES. This increases the value, or the evidential value of the signature.

What is an electronic signature used for?

To replace a handwritten signature. The electronic signature can satisfy the requirement for a handwritten signature in the same way as the handwritten signature itself, provided that the legal requirements are met (see question 2).

The use of a digital signature helps saving time and resources. For one thing, it does not require the physical presence of the signatory. For another, the document does not have to be printed out specifically for signing.

Processes in which many documents need to be signed or the signers are in different locations can take up a lot of time and postage costs. Digital signatures make this much faster and less expensive.

Why are documents signed electronically?

Electronic signatures have a "sealing effect" for digital documents. They offer the possibility of verifying the authenticity of the signer and the integrity of the document, as well as the time of signing, if necessary. Authenticity means that a signature can be clearly assigned to a person. A document is said to have integrity if it has not been subsequently changed. The electronic signature can therefore be used to trace who created a document, last edited it or submitted it to the archive, and that it has not been changed since then.

How do you verify a digital signature?

Basically, this task is performed by a signature verification software, e.g. 3-Heights® PDF Security. The integrity of the document is ensured if the signature is not broken. For this purpose, a public key and a cryptographic procedure are used, similar to the one used to create the signature. To check the authenticity, the validity of the certificate and a trust chain check are performed. The software also checks whether the certificate was valid at the time of signature.

How does the signature "notice" that the document has been subsequently changed?

As with signing, a hash value is calculated from the content of the document during verification. The hash value is a kind of "sum of the digits" of the document, but it is not possible to deduce the content from it. Every change to the document significantly alters the hash value. The hash value of the document is stored in the signature. If the document is changed, the hash values no longer match. This breaks the signature.