I'm Brendan Hyland. I help regulated facilities transform their software, spreadsheets, workflows and documents from time-consuming, deviation-invoking, regulatory burdens, to the competitive advantage they were meant to be. Join me every weekday as we take a few minutes to explore, design, test and improve the critical systems we use in our facilities.
There are signatures, and then there are signatures.
|
There are several levels of 'signatures' that you can apply to an electronic document. The first and most basic is just an image of your written signature. One common option for this is to print the document, sign and scan it back in again. A more convenient version is to have an image of your signature saved that you can paste into documents. This is what many free versions of pdf software and word processors offer as a basic document signing option - a 'stamp' of your saved signature image. Here's John Smith's signature: So what's the problem? Let's start by asking what is a signature for? Because ink signatures are supposedly difficult to forge, they are often used to uniquely identify you as the person who applied it. So they are historically used everywhere to approve documents, bind agreements, prove that you were present or show that you completed some step. When we go digital all of this changes - sure, if you're lucky your software will ask you to type in a password before being able to use the image. But as the 'stamping' option in your pdf software proves, once it's digital anyone can cut and paste a signature image around! So it's completely lost any traceability - and with it any meaning. Even though you probably drew the signature the first time it was uploaded into a computer, that particular image could have been applied by anyone, to any document, at anytime. What we need are teeth. And a key. Actually a pair of keys.Ok. So if we want our signature to have any teeth, there are three things that we're looking for: a) we need to know who applied it; b) we need to know when it was applied; and c) we need to know that it was applied to the specific version of the document or data that was signed. You might also want to be able to encode some other information into the signature - like the reason for signing. We need to package all of this information into a small block of cryptographically secured data that can be easily locked and embedded into documents (using a private key no-one else can see), decoded when necessary by anyone (using a publicly available key), and then allows some way of verifying who signed it (e.g. by checking the validity of an attached "certificate"). This is what's called a digital signature. Note the difference here - an electronic signature is basically a legal concept for signing a document electronically by any given method (including by cutting and pasting an image), while a digital signature is a cryptographic mechanism that can be used to implement electronic signatures, but also can be used for many other purposes. Ok, great, we've got technology that's going to help us lock up the signing information with the document and identify who the signer was. So that's it, right? Isn't this solved now? And more importantly, do we really need to know any of this? Until next time, thanks for reading! – Brendan p.s. Enjoy this message? Read more at the Hyland Quality Systems website. |
The Daily HaiQu
A newsletter about improving the systems we use in the GxPs
I'm Brendan Hyland. I help regulated facilities transform their software, spreadsheets, workflows and documents from time-consuming, deviation-invoking, regulatory burdens, to the competitive advantage they were meant to be. Join me every weekday as we take a few minutes to explore, design, test and improve the critical systems we use in our facilities.
Last time we left off with a cliff-hanger of a question: How do you prove you're you when signing a document? There are several ways I've seen that the 3rd party providers prove that it's you who's signed the document: You clicked a link from an email. You paid for the service with a credit card. You provided some government issued photo ID. Someone, such as a notorized public or your HR department, has verified it's you in person. Obviously these are very different levels of assurance. Then...
Last time we learned about the difference between an electronic signature - basically any way of signing a document electronically - and a digital signature, which is a cryptographic mechanism that can be used to implement electronic signatures, among other things. Modern digital signatures most often use the Public Key Infrastructure, or PKI, to generate and verify keys. So for you to properly e-sign your document (and I'm really simplifying things for illustration here) you need three...
Ever since COVID, document and signing workflows have been incorporated into everything. Dropbox has it. Microsoft Teams has it. Google Workspaces has it. If you need e-signatures, you probably have access to Docusign, Adobe, Hellosign, and so on. But what exactly are we talking about when we say "document and signing workflow"? Let's step back. Most document workflows are about moving some work through review, commentary, revision and approval. The old way to do this was to send a document...