Secure your documents with Digital Signatures – Part 1
With the webPDF portal you can provide PDF documents with digital signatures. The Digital Signature service, which is based on the “Signature” web service, enables documents to be digitally signed and certified. Internal and external communication processes can thus be handled electronically in the best possible way.
What is a digital signature?
Many documents are now sent digitally. This includes application documents, payment orders, applications to authorities, invoices, tax returns and contracts. For such documents a qualified electronic signature replaces the handwritten signature, and it must then be technically possible to verify the trustworthiness, origin and integrity of the document.
What forms of digital signatures are there?
- Digital signature: A digital signature is a message or document that is secured, or “signed”, by cryptographic means: a checksum (hash) of the document is computed and then signed with a key that only the signer holds. This form of signature acts like a signature on a message or document. It guarantees the integrity of the document and the authenticity of the originator, and whether the signature is trustworthy beyond doubt can be checked electronically. In addition, the signature should be provided with a trustworthy timestamp from an independent time-stamping service, because the system clock of the signer’s computer can easily be manipulated at any time.
- A scanned handwritten signature is something completely different from a digital signature. It is usually an image/scan of the signature, or of a company seal or stamp, inserted into the document. Important: such an image can be copied, and the document can be changed afterwards without this being detectable. Therefore, a signature attached to a document as a scan or photo is not considered sufficiently secure. A document that must be unambiguously legally secure should be provided with a qualified electronic signature in digital form.
How does the cryptographic technology behind a digital signature work?
Digital signatures are based on asymmetric cryptography, also called public-key cryptography (a term that has recently gained wider recognition through crypto currencies such as Bitcoin, which use the same kind of key pairs). Cryptography is the science of protecting information; besides encryption, it covers hash functions and digital signatures.
If a document is to be protected with a digital signature, the signer needs a key pair. This consists of a private key, which the signer keeps secret and uses to create the signature, and a public key, which anyone can use to verify the signature. Both keys only work together: a signature created with the private key verifies only with the matching public key. For the verification to mean anything, the public key must be uniquely assigned to a person by means of an electronic certificate (digital certificate). The certificate is published in the public directory of a certification provider, so that the identity of the signer can be verified beyond doubt. Such digital certificates, which this key technology requires, must therefore be issued by trustworthy organizations (certificate authorities, CAs).
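The key pair, certificate and hash-then-sign mechanics described above, as an added worked example in Go that is not part of the original article or of the webPDF product. It uses only Go’s standard library (crypto/ecdsa, crypto/sha256, crypto/x509) and plays all three roles: a hypothetical certificate authority “Example Trust Service CA” that issues a certificate for the signer “Alice Example”, the signer who hashes a constructed sample invoice and signs the hash with her private key, and a recipient who verifies. The CA name, the signer name, the function names and the sample text are assumptions for the illustration. The recipient checks two things: that the certificate chains to a CA it trusts (origin) and that the signature matches the hash of the document under the certified public key (integrity). The same signature over an altered document fails, as does a certificate from a CA the recipient does not trust. Trusted time stamps and certificate revocation, which a real PAdES/CAdES verifier also checks, are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCertifiedKey generates a P-256 key pair and a certificate that binds the
// public key to the given name. With parent == nil the certificate is
// self-signed (a root CA, the "trustworthy organization" of the article);
// otherwise it is issued and signed by that parent CA. Names are hypothetical.
func newCertifiedKey(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	isCA := parent == nil
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign computes the SHA-256 hash of the document and signs that hash with the
// signer's private key. Only the hash is signed, never the document itself.
func Sign(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// TrustStore collects the CA certificates a verifier accepts as trust anchors.
func TrustStore(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return pool
}

// Verify does what a recipient must do: check that the signer's certificate
// chains to a trusted CA (who signed?) and that the signature matches the
// document's hash under the certified public key (was it altered?).
func Verify(doc, sig []byte, cert *x509.Certificate, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	h := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match document (altered, or signed with another key)")
	}
	return nil
}

func main() {
	caKey, caCert, err := newCertifiedKey("Example Trust Service CA", nil, nil)
	if err != nil {
		panic(err)
	}
	aliceKey, aliceCert, err := newCertifiedKey("Alice Example", caCert, caKey)
	if err != nil {
		panic(err)
	}
	doc := []byte("Invoice 2024-001: total 1,250.00 EUR") // constructed sample document
	sig, _ := Sign(aliceKey, doc)
	trusted := TrustStore(caCert)
	fmt.Println("original document:", Verify(doc, sig, aliceCert, trusted))
	fmt.Println("altered document: ", Verify([]byte("Invoice 2024-001: total 9,250.00 EUR"), sig, aliceCert, trusted))
	_, rogueCA, _ := newCertifiedKey("Rogue CA", nil, nil)
	fmt.Println("untrusted CA:     ", Verify(doc, sig, aliceCert, TrustStore(rogueCA)))
}
```

Note the order of the checks in Verify: the certificate is validated before the signature, because a mathematically valid signature under a key that no trusted CA has tied to a person says nothing about who signed. In a PAdES signature the certificate chain and the signature are embedded in the PDF itself, and the verifier additionally checks revocation status and a trusted timestamp at the time of signing.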
Note: The upcoming articles Part 2 and Part 3 on digital signatures describe the functionality in more detail: how exactly the cryptographic technique works, and how a digital signature can be applied with the webPDF portal.
Is a document with a digital signature legally binding?
The German Signature Act (SigG) and, since 1 July 2016, the directly applicable EU eIDAS Regulation (electronic IDentification, Authentication and trust Services) distinguish three types of electronic signature with different security requirements: simple, advanced and qualified. In general, all three forms are admissible before EU courts: an electronically signed document may not be denied legal effect solely because it is in electronic form.
BUT: Only a qualified electronic signature automatically has the same legal effect as a handwritten signature. Under the eIDAS Regulation, a QES (qualified electronic signature) is the most secure form of signature, but it is also the one that involves the most effort to implement. It is therefore always necessary to check and weigh up, case by case, how important the document to be signed is. User-friendliness should also play a role in this consideration.
A qualified electronic signature can only be created if its requirements are met. As a rule, this means a signature card (chip card) carrying a qualified certificate, a card reader and suitable software. Important: since the eIDAS Regulation, German companies can also use fully cloud-based (remote) signing solutions operated by a qualified trust service provider.
| simple | advanced | qualified |
|---|---|---|
| The simplest form of (electronic) signature: an image/scan of the signature, or of a company seal or stamp. | An advanced electronic signature is one in which a message or document is secured by cryptographic means. Whether the signature is beyond doubt trustworthy can be checked electronically. It is important that the signer has sole control over the generation of the signature. | A qualified signature is an advanced signature based on a qualified certificate valid at the time of its creation and created with a qualified signature creation device (QSCD; called a secure signature creation device, SSCD, under the earlier Signature Directive). In contrast to advanced signatures, a qualified certificate and a QSCD are mandatory: a signature card with card reader, unless a cloud-based (remote) signing service is used. |
| Areas of application: online applications, internal documents, all transactions with no legal risk. | Areas of application could be open-ended contracts, B2B trade contracts or similar. | Areas of application: registrations by notaries with the commercial register, the tax portal Elster (in Germany), some public procurement procedures, civil registry offices, draft contracts and the transmission of documents by lawyers; in general, its importance for companies and authorities is increasing. |
| Theoretically, this signature can be changed afterwards and is therefore not considered sufficiently secure. | Although this signature is considered sufficiently secure, it is not suitable for documents that must be absolutely legally binding. | Only the qualified electronic signature is absolutely legally binding and corresponds to the handwritten signature. |
| In contrast to the advanced and qualified form, there are no special requirements. | Manipulation of the data must be recognizable. The signature must be linked to a person. A digital certificate does not necessarily have to be part of it. | The signature must meet strict requirements and be certificate-based. |
Relevant standards and legal basis:
- Electronic signature standards of the European Telecommunications Standards Institute (ETSI), in particular the AdES family
- PAdES (PDF Advanced Electronic Signatures): signatures embedded in PDF documents
- CAdES (CMS Advanced Electronic Signatures): signatures based on the Cryptographic Message Syntax
- German Signature Act (SigG) and the eIDAS Regulation (electronic IDentification, Authentication and trust Services) – All information about the eIDAS Regulation and electronic trust services can be obtained from the Federal Network Agency (Bundesnetzagentur).