What is a digital signature and how do I create one?
This is one of the most common questions we are asked. There is a clear difference between electronic signatures and digital signatures, though the terms are often mixed up: a digital signature is one particular, cryptographic kind of electronic signature, so digital signatures are sometimes referred to simply as electronic signatures, which does not help matters.
So what is the difference?
Digital signatures must provide a way to authenticate the signer’s identity.
This is done through the use of a unique PKI signing key for each user (PKI stands for Public Key Infrastructure: the certificate authorities, certificates, keys and policies that bind a public key to a verified identity) and an associated digital certificate, which acts as a digital identity and is embedded into every signature.
Every time you create a new digital signature, these components securely bind your identity to the document. The signing key is private and remains under the sole control of its owner; it can only be used after appropriate authentication and authorisation checks.
One of the most widely used classes of digital signature is the Qualified Electronic Signature (QES).
Under the EU’s eIDAS regulation (shorthand for electronic identification and trust services), a qualified signature is first of all an advanced electronic signature, which must be:
- Uniquely linked to the signatory;
- Capable of identifying the signatory;
- Created using signature creation data (the private key) that the signatory can, with a high level of confidence, use under their sole control;
- Linked to the signed data in such a way that any subsequent change to that data is detectable.
To be qualified, the signature must additionally be created by a Qualified Signature Creation Device (QSCD) and be based on a qualified certificate issued by a Qualified Trust Service Provider (QTSP), that is, a Certificate Authority (CA) that has been audited and granted qualified status under eIDAS.
These requirements sound complicated, but together they make a Qualified Electronic Signature one of the most secure ways to digitally sign a document in the EU, and eIDAS gives it the same legal effect as a handwritten signature. That is why qualified signatures are used so extensively in high-trust industries such as banking and government.
How do I digitally sign a document?
Firstly, to digitally sign a document you need a private signing key, which has to remain under your sole control, and a digital certificate from a Certificate Authority that binds the matching public key to your identity. The key proves that the signer had control of it; the certificate proves whose key it is.
The most common way of creating a digital signature is to use Public Key Cryptography (PKC). The systems used to deliver PKC are, as mentioned before, Public Key Infrastructures (PKI).
At a basic level, digital signature solutions require each user to have a public and private key pair which are mathematically linked. The private key remains under the owner’s sole control and is used to sign; the public key can be given to anyone and is used to verify. When digitally signing a document, the signing software computes a cryptographic hash (a fixed-length fingerprint) of the document and applies the private key to that hash. The result, the signature value, is embedded into the document together with the signer’s certificate.
To verify the document, the verifying software recomputes the hash of the document as it now stands and uses the public key from the embedded certificate to check that the signature value corresponds to that hash. Any change to the document after signing changes the hash, so the check fails.
The key pair is generated by the signer, ideally inside a secure device such as a smart card or HSM so that the private key never leaves it. The Certificate Authority (CA) does not create the keys: it verifies the signer’s identity and issues a certificate that binds the public key to that identity. It is this certificate, issued by an independent CA, that lets a verifier trust that the public key really belongs to the named signer.
The short layman’s version: when you digitally sign a document, a unique code (the signature value) computed from the document with your private key is embedded into it, along with a certificate that carries your public key and your identity. Your private key itself is never embedded. Anyone who receives the document can use the public key to confirm that the code was produced by the holder of your private key and that the document has not changed since it was signed.
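The signing and verification steps described above, as an added worked example in Go. This is not SigningHub’s or Ascertia’s code and is not part of the original page; it uses only Go’s standard library. A locally generated "Demo Root CA" stands in for a QTSP, the key pairs are ECDSA P-256 with SHA-256 as the hash, and "Alice Example" (plus an impostor with a self-signed certificate for the same name) are hypothetical signers; the signature is a bare value over the document bytes rather than a PAdES or CAdES container. It also exercises the requirement from the eIDAS list above that any later change to the signed data must be detectable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Sign hashes the document and signs the digest with the signer's private key. The
// returned value and the signer's certificate are all that gets embedded; never the key.
func Sign(doc []byte, priv *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify takes the two things embedded in a signed document (the signer's DER certificate
// and the signature value), checks that the certificate chains to a trusted CA (so the
// public key really belongs to the named subject) and that the signature matches the
// document as it now stands. It returns the verified signer's name.
func Verify(doc, certDER, value []byte, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	// Demo certificates carry no Extended Key Usage, hence Any; a production
	// verifier would require a document-signing usage here.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	// Recomputes SHA-256(doc) and checks the value with the certificate's public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, doc, value); err != nil {
		return "", fmt.Errorf("signature does not match document: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// issueCert returns a DER certificate for pub, signed with parentKey (self-signed
// when parent is nil). Demo setup only, so it panics instead of returning errors.
func issueCert(cn string, ku x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	return der
}

// RunDemo plays the whole flow out with a constructed CA, signer and document, and
// reports the recovered signer name and whether both failure cases were rejected.
func RunDemo() (signer string, tamperRejected, impostorRejected bool, err error) {
	// Hypothetical "Demo Root CA"; in production this is a QTSP's root, not a local key.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caCert, _ := x509.ParseCertificate(issueCert("Demo Root CA", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// The signer generates her own key pair; only the public half goes to the CA,
	// which returns a certificate binding it to her (hypothetical) identity.
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aliceCert := issueCert("Alice Example", x509.KeyUsageDigitalSignature, &aliceKey.PublicKey, caCert, caKey)
	doc := []byte("Contract: Alice agrees to pay 100 EUR.") // constructed sample document
	value, err := Sign(doc, aliceKey)
	if err != nil {
		return "", false, false, err
	}
	if signer, err = Verify(doc, aliceCert, value, roots); err != nil {
		return "", false, false, err
	}
	// Failure case 1: any change to the data after signing must be detectable.
	_, tErr := Verify([]byte("Contract: Alice agrees to pay 1000 EUR."), aliceCert, value, roots)
	// Failure case 2: a self-signed certificate claiming to be Alice is rejected even
	// though its signature over the document is mathematically valid.
	malloryKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	malloryCert := issueCert("Alice Example", x509.KeyUsageDigitalSignature, &malloryKey.PublicKey, nil, malloryKey)
	forged, _ := Sign(doc, malloryKey)
	_, iErr := Verify(doc, malloryCert, forged, roots)
	return signer, tErr != nil, iErr != nil, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

The two rejections show the two separate properties a verifier relies on: the signature value binds the document content (the tampered copy fails), and the certificate chain binds the public key to an identity (the impostor’s self-signed certificate fails even though his signature over the document is cryptographically valid). A production verifier would additionally check revocation status and a document-signing Extended Key Usage, both of which this demo omits.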
How do I digitally sign a PDF document?
PDF is still the most common output format for digitally signed documents. It is one of the most accessible document formats there is, and PDF viewers can display the verification details of the digital signatures in a file: an audit trail, basically.
That means a PDF viewer can show who signed the document, when it was signed (backed by a trusted timestamp where one was applied) and whether the document has been altered since; all vital information when assessing the validity of a digital signature.
For archiving and the long-term validation of electronic documents, PDF/A (ISO 19005) is the format designed for the job. It requires everything needed to render the document (fonts, colour profiles, images) to be embedded in the PDF itself and forbids features such as JavaScript, encryption and external references, so the document can be viewed in the same form many years into the future even when the original fonts or software are no longer available.
In order to be compliant with eIDAS, it is recommended that ETSI PAdES (PDF Advanced Electronic Signatures, ETSI EN 319 142) signatures are used, so that signed PDFs are legally binding and can be validated long into the future. PAdES defines baseline levels from B-B (the basic signature) through B-T (adds a trusted timestamp) and B-LT (embeds the certificates and revocation data needed for validation) to B-LTA (Long-Term Archive, which adds an archive timestamp). The archive timestamp can be renewed with a fresh one before the previous timestamp’s certificate or algorithm expires, so the period over which the document remains validatable can be extended from years to decades and beyond.
What digital signature solution does SigningHub offer?
SigningHub offers eIDAS compliant Advanced and Qualified Signatures and works with Qualified Trust Service Providers (QTSPs) and Certificate Authorities (CAs) across the globe to issue certificates and signing keys for users.
SigningHub also supports remote signing through the Ascertia ADSS SAM Appliance, the first qualified signature creation device (QSCD) to be Common Criteria certified against CEN EN 419 241-2, the protection profile for QSCDs used for server (remote) signing.
SigningHub uses a range of standard digital signatures – ISO 32000, ISO 18500, ETSI PAdES, XAdES and CAdES.
Want to learn more about digital signatures? We delve into more detail on our digital signature page and you can also find out more about electronic signatures.
How do I create a digital signature in Word?
In order to sign documents in Word without first converting the files to PDF, the files should be in the Office Open XML format (.docx).
The SigningHub for Word app lets you create verifiable, long-term digital signatures (in XAdES-X-L format) that are fully compatible with Microsoft Word 2013 and 2016.
Depending on which version of Word you are using, the SigningHub for Word app either appears on Home or under My Apps – this then opens a SigningHub for Word window within the document so you can insert signature fields for signers or insert a digital signature into a signing field.