What are digital signatures?

A digital signature is one form of electronic signature that is like an electronic “fingerprint.” It offers additional verification of the identities of individuals signing documents by providing an encrypted stamp of authentication and digital ID to confirm information originated from them. A digital signature securely associates a signer with a document in a recorded transaction using a standard, accepted format, called Public Key Infrastructure (PKI), providing the highest levels of security and universal acceptance. PKI is used to create a unique, tamper-evident “digital certificate” that associates a signer with a document and guarantees that the electronic document is authentic. A signer's digital certificate is used to create the signature and then attach it to the signed document.


What’s the difference between a digital signature and an electronic signature?

The broad category of electronic signatures (eSignatures) encompasses several types of signature, one of which is the digital signature. Digital signatures offer a heightened level of identity assurance through digital certificates. Both digital signatures and other eSignature solutions allow you to sign documents and authenticate the signer, but they differ in purpose, technical implementation, geographical use, and legal and cultural acceptance. Electronic signatures are also classified into levels: simple electronic signatures (SES), advanced electronic signatures (AES), and qualified electronic signatures (QES), the latter two of which are built on digital signature technology.

The use of digital signature technology for eSignatures varies significantly between countries that follow open, technology-neutral eSignature laws, such as the United States, United Kingdom, Canada, and Australia, and those that follow tiered eSignature models. Tiered eSignature models prefer locally defined standards based on digital signature technology; this includes many countries in the European Union, South America, and Asia. In addition, some industries also support specific standards based on digital signature technology.


How do digital signatures work?

Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution providers, such as DocuSign, follow a specific set of requirements called PKI. PKI requires the provider to use a mathematical algorithm to generate two long numbers, called keys. One key is public, and one key is private.

When a signer electronically signs a document, the signature is created using the signer’s private key, which is always securely kept by the signer. A hash function first condenses the document into a fixed-size value, called a hash; the signing algorithm then acts as a cypher, encrypting that hash with the private key. The resulting encrypted data is the digital signature. The signature is also marked with the time that the document was signed. If the document changes after signing, the hash no longer matches and the digital signature is invalidated.

As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document along with a copy of Jane’s public key. If the public key can’t decrypt the signature (using the same algorithm from which the keys were created) to a hash that matches the document, the signature either isn’t Jane’s or the document has been changed since it was signed. The signature is then considered invalid.

To protect the integrity of the signature, PKI requires that the keys be generated, handled, and stored securely, and it often requires the services of a reliable Certificate Authority (CA). Digital signature providers, like DocuSign, meet PKI requirements for safe digital signing.
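The sign-then-verify flow described above, as an added example that is not DocuSign’s code: the document is hashed together with its signing time, the hash is signed with Jane’s private key, and the buyer verifies with her public key. The algorithm (RSA-PSS with SHA-256) and the timeshare text are assumptions; the page names neither.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedDocument carries what a recipient needs: content, asserted signing time, signature bytes.
type SignedDocument struct {
	Content  []byte
	SignedAt time.Time
	Sig      []byte
}

// digest hashes content and signing time together, so altering either after signing breaks verification.
func digest(content []byte, signedAt time.Time) []byte {
	h := sha256.New()
	h.Write(content)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt.Unix()))
	h.Write(ts[:])
	return h.Sum(nil)
}

// Sign creates the signature over the digest with the signer's private key (RSA-PSS, SHA-256).
func Sign(priv *rsa.PrivateKey, content []byte, signedAt time.Time) (SignedDocument, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(content, signedAt), nil)
	return SignedDocument{Content: content, SignedAt: signedAt, Sig: sig}, err
}

// Verify recomputes the digest and checks the signature with the claimed signer's public key.
func Verify(pub *rsa.PublicKey, doc SignedDocument) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(doc.Content, doc.SignedAt), doc.Sig, nil) == nil
}

func main() {
	jane, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc, _ := Sign(jane, []byte("Jane sells timeshare unit 12B to the buyer."), time.Now()) // constructed text
	fmt.Println("genuine signature:", Verify(&jane.PublicKey, doc)) // true
	altered := doc
	altered.Content = []byte("Jane sells timeshare unit 12B for free.")
	fmt.Println("altered document: ", Verify(&jane.PublicKey, altered)) // false
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("wrong public key: ", Verify(&impostor.PublicKey, doc)) // false
}
```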


Digital signature FAQs

How do I create a digital signature?

It’s easy to create digital signatures using an eSignature provider such as DocuSign. DocuSign provides an interface for sending and signing documents online and works with appropriate Certificate Authorities to provide trusted digital certificates. When you receive a document for signing via email, you must authenticate according to the Certificate Authority’s requirements and then “sign” the document by filling out a form online. If you are asked to sign from DocuSign eSignature, you should see “Start” or “Sign” instructions. Follow the instructions to add your electronic signature where required; you will then verify your identity and follow the instructions to adopt your electronic signature.

Depending upon the Certificate Authority you are using, you may be required to supply specific information. There also may be restrictions and limitations on whom you send documents to for signing and the order in which you send them. DocuSign’s interface walks you through the process and ensures that you meet all of these requirements.

What is Public Key Infrastructure (PKI)?

Public Key Infrastructure (PKI) is a set of requirements that allows (among other things) the creation of digital signatures and the management of digital certificates and public and private keys. Through PKI, each digital signature transaction includes a pair of keys: a private key and a public key. As the name implies, the private key is not shared and is used only by the signer to sign documents electronically. The public key is openly available and used by those who need to validate the signer’s electronic signature. PKI enforces additional requirements, such as a Certificate Authority (CA), a digital certificate, end-user enrollment software, and tools for managing, renewing, and revoking keys and certificates.

What is a Certificate Authority (CA)?

Digital signatures rely on public and private keys. Those keys have to be protected to ensure safety and avoid forgery or malicious use. When you send or sign a document, you need assurance that the documents and the keys were created securely and that valid keys are being used. A certificate authority is a type of Trust Service Provider: a third-party organisation, widely accepted as reliable for ensuring key security, that can provide the necessary digital certificates. Both the entity sending the document and the recipient signing it must agree to use a given CA.

DocuSign is a CA when signers sign using the DocuSign Express Digital Signature. That means you can send a document with a digital signature by using DocuSign as the Certificate Authority. Alternatively, you can securely establish your own CA using the DocuSign Signature Appliance and still access the rich features of DocuSign cloud services for transaction management. Some organisations or regions rely on other prominent CAs, and the DocuSign platform also supports them.

These include OpenTrust, which is widely used in European Union countries, and SAFE-BioPharma, an identity credential that life science organisations may elect to use.

See the full list of Certificate Authorities we support.

Why would I use a digital signature?

Electronic signatures have many benefits, and digital signatures are a type of electronic signature. Digital signatures are more secure as they encrypt signatures and verify the identity of the person signing. Using PKI methodology, digital signatures utilise an international, well-understood, standards-based technology that also helps prevent forgery or changes to the document after signing.

Many industries and geographical regions have established eSignature standards that are based on digital signature technology, as well as specific certified CAs, for business documents. Following these local standards based on PKI technology and working with a trusted certificate authority can ensure the enforceability and acceptance of an e-signature solution.

What digital signature solutions does DocuSign offer?

DocuSign Standards-Based Signatures enable you to automate and manage entire digital workflows using DocuSign’s powerful business capabilities while staying compliant with local and industry eSignature standards, including CFR Part 11 and the EU eIDAS regulation. In the EU, DocuSign delivers all of the signature types defined under eIDAS, including EU Advanced Electronic Signatures (AES) and EU Qualified Electronic Signatures (QES).

Are eSignatures, based on digital signature technology, legally enforceable?

Yes. The EU passed the EU Directive for Electronic Signatures in 1999, and the United States passed the Electronic Signatures in Global and National Commerce Act (ESIGN) in 2000. Both acts made electronically signed contracts and documents legally binding, like paper-based contracts. Since then, the legality of electronic signatures has been upheld many times.

By now, most countries have adopted legislation and regulations modelled after the United States or the European Union, with a preference in many regions for the EU model of locally managed, digital signature technology-based eSignatures. In addition, many companies have used digital signature technology to meet the regulations established by their industries (e.g., FDA 21 CFR Part 11 in the life sciences industry). These country- and industry-specific regulations are continuously evolving. In the UK, the impact of electronic signature law post-Brexit remains the same, as the UK has passed the European Union (Withdrawal) Act 2018 to provide legal certainty and continuity of EU laws under UK law, including eIDAS, which governs electronic transactions in the European Single Market and electronic signatures.

What is a digital certificate?

A digital certificate is an electronic document issued by a Certificate Authority (CA). It contains the public key for a digital signature and specifies the identity associated with the key, such as the name of an organisation. The certificate is used to confirm that the public key belongs to the specific organisation. The CA acts as the guarantor. Digital certificates must be issued by a trusted authority and are only valid for a specified time. They are required in order to create a digital signature.
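The CA and digital certificate roles described in this FAQ and in “What is a Certificate Authority (CA)?” above, as an added example that is not DocuSign’s code: a root CA issues itself a self-signed certificate, binds a signer’s public key to an identity in a time-limited certificate, and a relying party checks that the certificate chains to a CA it trusts and is still within its validity period. The CA name, the signer identity and the validity periods are constructed for illustration; key generation is left to the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs template with the issuer's key and returns the parsed certificate (parent == template gives a self-signed root).
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root certificate: the CA vouches for its own key.
func NewCA(name string, from time.Time, key *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             from,
		NotAfter:              from.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// IssueSignerCert has the CA bind a signer's public key to an identity for a limited validity period.
func IssueSignerCert(ca *x509.Certificate, caKey *rsa.PrivateKey, identity string, pub *rsa.PublicKey, from time.Time, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: identity},
		NotBefore:    from,
		NotAfter:     from.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, ca, pub, caKey)
}

// Trusted reports whether cert was issued by the given root CA and is within its validity period at time at.
func Trusted(cert, root *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err == nil
}
```

A certificate from an unrelated CA, or one checked after its NotAfter date, fails Trusted even though its signature is mathematically valid; that is the guarantor role the text describes.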