I'm increasingly convinced that this is the way forward. Having a key verifiably tied to you as an individual goes a long way to enabling a broad range of governmental services. Digital voting, for one thing, but also no more need to rely on shady credit check companies for address verification, as I've seen on some (Canadian) government forms.
Or social security numbers in the US, which are absolutely not fit for this purpose.
For those in the US who don't want a national ID: it wouldn't have to be one if the states issued their own. Yes, this would mean they'd all need the technical capability to operate a CA securely. Fund them enough to do that.
People opposing a national ID in the US have de facto caused social security numbers, completely inappropriate as a national ID, to be used as one by everyone.
The US desperately, desperately needs a proper solution where "thing you give tons of people" isn't also "exactly enough to steal your ID".
National IDs have a pretty bleak history - from being initially used to keep tabs on criminals to Jews under Nazi occupation. This is why they often are not mandatory.
As a curious factoid, in-between the world wars, it was popular for workers to have their ID number tatooed on their arm.
With software I'd be wary of making it the last line of defense, especially for very significant acts such as voting. A bug in the system would be totally fatal, not only for society but especially for the victim. Even more so if bugs aren't commonplace but only sporadic.
Using cryptography in addition to "classic" means of attestation sounds a lot better to me. You could also make it an "optional feature" of people's citizenships (like 2FA on an account) to ease adoption.
In Portugal we have this. Each citizen identification card (called Cartão do Cidadão) has a unique certificate and the official Software allows you to sign any documents with it.
Unfortunatly, I have never used this and never saw anyone using it. I never heard of any company accepting contracts signed with it. The technology is ready, but pen and paper are still the norm.
I've always seen the value of signatures as a ceremony first, not as a (serious) method of authentication. As an example, when have you last seen a merchant compare your signature to that on your credit card?
Conduct implying intent, together with a hand-written signature, can go a very long way in practice.
The value of these services to me accordingly seems to be in their accuracy of replicating the ceremony, not in trying to compete with cryptographic signatures.
I see it more like a legal talisman. A pseudo legal thing that people think is necessary to make a contract real. It can be helpful for proving that a contract existed, but there are alternatives.
> As an example, when have you last seen a merchant compare your signature to that on your credit card?
What would the merchant compare the signature on the card to? You don't sign a contract when buying groceries, you put in your card and type your PIN.
On the other hand, whenever I go to my bank and have to sign something, they do compare my signature with the one they have on file (formerly in a paper card, nowadays a virtual representation of that same card).
Credit card pins aren’t a thing in the US (debit cards require pins, however).
In theory, the merchant is supposed to look at the signature on the back of the card and compare it with the signature you write on the receipt. You can even write ID REQUIRED and then they’re supposed to check for ID.
In practice, I didn’t bother signing any of my cards for about 15 years. After two cashiers expressed annoyance at my blatant disregard for the rules (a few years apart) I started signing the cards.
In this day and age? Just send an email. Your service provider is almost certainly providing a DKIM signature and implicitly with it an attestation that you were authenticated. Desiring any more than that would require a witness able to confirm your identity, even in real life where I can always state that someone else walked in an signed the document.
In all fairness, going to an office in-person and getting something notarized implies 1.) You can actually go to an office in person and seem vaguely legit and 2.) Can present government photo ID. That said, given the issues with going into an office at the moment, I'm finding institutions are finding other ways to verify identity to their satisfaction.
Signatures generally have mostly become a total joke. I suppose there's some element, for many of us, that there's something vaguely scrawled that looks like other vague scrawls that indicate I may have glanced at a piece of paper. But, especially, at the current time having clean and dirty pen cups so we can sign a paper receipt or have to sign a digital pad with what's effectively just an X?
At least my financial institution was willing to work with a phone call, mobile phone number, and email for something rather than having to go in and do the notary thing.
The point of a physical signature is not that anyone else can prove you signed something. It's that if you go to court, and the court asks if you have signed the document, you're committing perjury if you say "no" (assuming you did sign it). It's the act that's important, rather than the resulting scribble.
I'm sorry, I don't understand. Well, I agree that it would be perjury. But then there would be no proof of perjury, and the perjurer would get away. That can't offer much assurance to the person accepting a signature.
Besides, the argument applies to other signs of consent, like verbal consent. Suppose you give a verbal consent to an agreement and then renege. The other party drags you to court. The judge says, "Did you verbally consent to this contract?" Saying "no" likewise would be perjury.
It only comes up if there's a dispute over whether the document was signed. Because the signature itself is so easily forged, the entire legal process relies on people not perjuring themselves if asked if they signed a document or not.
I don't necessarily disagree with the idea of services like this, but in order for the Certisfy Partner's certificate issuance to mean something, it can't just be J. Random Noob who works out of the café down the road selling attested signatures for five bucks. The whole point of PKI is that I'm trusting a third party to perform verifications on my behalf--it rather defeats the purpose if the third party in question is no more trustworthy than the person requesting their attestation.
That said, I find it interesting that a couple people on their partners list are Notaries Public--adding digital signature to the list of functions a Notary can perform would make the migration to digital signatures easier. It would probably require making the Notary's signature part of a public chain maintained and issued by the local government as part of their licensure, though, so I don't see where Certisfy comes into that picture at all.
>I find it interesting that a couple people on their partners list are Notaries Public--adding digital signature to the list of functions a Notary can perform would make the migration to digital signatures easier.
That's the main idea here, to delegate trust generation to appropriate entities...this would scale to meet the need of the internet. Today, unless you have hundreds of billions in the bank like facebook, information verification is not practical.
I've been looking into this whole area recently for a project.
The problem isn't (only) the technical issues. As TFA points out, this is easy, and even the most naive and simplistic implementation beats physical signatures hands-down.
There's two main problems:
1. Legality. Getting a court to recognise a digital signature probably isn't that hard. It's a bit like scanned images - if you can prove that this is the best evidence, then it'll probably be accepted.
However, getting lawyers to accept digital signatures is difficult. One of those awkward situations where there's no consequences for them if they insist on a physical signature but lots of potential downside should they accept a digital signature.
2. File formats, or "the standards problem". To include a digitial signature in a document, we need a file format that includes digital signatures. Every document file format has a different version of this, and every digital signature service provides a different "wrapper" format with a different signature.
This needs to be solved top-down. The SCOTUS, or the EU Court, or some organisation of similar standing, needs to say "this wrapper format is the only type of signature legally accepted, and if a document is wrapped in this format, it is legally signed". Both problems vanish and we can have nice things again.
Very recently, just before Pandemic hit India, we had to run around because one of the key Japanese counterpart was in USA and unable to send money (small amount) to complete a stock purchase.
My response was, "Please login to your bank's website and do the transfer."
That was the time I learnt that some (or maybe more) Japanese Banks still need the individual's personal Stamp/Seal to send money from their Banks.
Last week I have seen a newsshow about a company digitizing those (quite pretty) seals. They also mentioned how Japanese are very fond of fax machines.
Checks are negotiable instruments, they can be treated as a substitute for cash, but they are not cash. That said, in the U.S. at least, businesses can refuse any form of payment they want, even cash.
No banking relationships yet, we're just putting it out there for now to prove the concept.
Ultimately the goal is to create a service that can serve as a generic and scalable solution for internet information trust. Everything from dating/social-media profiles to academic credentials can be authenticated with a service like this, all while preserving user privacy.
I think this article misunderstands the purpose of signatures.
The purpose of a signature is to inform the signer that they are entering a binding contract. It is simply the modern equivalent to a handshake.
Sadly, precedent around Eula’s mean that signatures are no longer necessary to execute contracts.
If anything, society would be better served by making it more difficult to enter into binding agreements than to make it less difficult.
Imagine if, by law, for a EULA to be binding, the end user had to scroll through the entire document, and initial each separate section. Eula’s would be much shorter, and much less common.
In a digital equivalent of “no trespassing” or “cameras in use” signs a few standard clauses could be made enforceable by displaying them prominently on each page. For instance, there could be a clauses such as “you are purchasing a transferrable non-exclusive license to this software”, or “your subscription to this service is at-will with a fixed rate of $N/time-unit.”
I think this article misunderstands the purpose of signatures.
The purpose of a signature is to inform the signer that they are entering a binding contract. It is simply the modern equivalent to a handshake.
Sadly, precedent around Eula’s mean that signatures are no longer necessary to execute contracts.
If anything, society would be better served by making it more difficult to enter into binding agreements than to make it less difficult.
Imagine if, by law, for a EULA to be binding, the end user had to scroll through the entire document, and initial each separate section. Eula’s would be much shorter, and much less common.
In a digital equivalent of “no trespassing” or “cameras in use signs” a few standard clauses could be made enforceable by displaying them prominently on each page. For instance, there could be a clauses such as “you are purchasing a transferrable non-exclusive license to this software”, or “your subscription to this service is at-will with a fixed rate of $N/time-unit.”
The purpose of the signature is to create an artifact that demonstrates the signatory’s acceptance. In a legal proceeding, the artifact can be produced as evidence. That is the purpose of all contract signatures.
If you have a contract that obliges something from me, and it’s not my signature, you may be attempting fraud on me. See bankers and robo-signing. That is why I need to see, on your copy, my signature and any other personalizing marks that my original document contains.
A dispute as to whether or not a person signed a contract will be difficult to resolve regardless of whether the document was signed on paper or glass.
I don't think this is the problem that these services solve.
Their purpose is to replicate the ritual of signing a document, to draw on the meaning of that tradition, so that that reasonable parties to an agreement understand there is a clear threshold that signifies the transition from negotiation to agreement, and all parties have a common version of the details of that agreement.
Agreed that the purpose of the services is to replicate the ritual, with higher speed and lower cost. That’s separate from the specific aspect of what a signature is to convey.
That all parties have a common version is exactly the point of the signature aspect. The idea of signing with ink is to have a personalized mark. Of course, with these services, the generic “signature” lacks the personalization.
The fact that many an agreement is pushed on the signer to be signed without reading it indicates that the mark is the important thing.
If pen-like inputs were more common, it would be easier to use one’s own mark. Of course, signatures are easier to fake in the all-digital realm too if you have a specimen you can copy-paste from.
> The purpose of the signature is to create an artifact that demonstrates the signatory’s acceptance.
This sentence is correct but subtly conflates two elements, essentially contained in the respective words "signatory’s" and "acceptance":
* It proves the signatory's identity i.e. it was this person that agreed to the contract rather than some other person.
* It proves actual agreement i.e. this wasn't just a draft contract that we were still in the process of negotiating, but the final contract we had settled on.
If it came to court and the first one, identity, was in dispute then a signature is fairly unlikely to resolve that, at least on its own. But if the second point was in dispute "yeah I know I said that but it was conditional on blah blah other thing" then a signature on a contract makes that much harder to argue. The second one is very similar to what the parent comment said: the fact the signatory went through the ritual shows that they understood they were actually agreeing to precisely those conditions.
Agreed on the role in a good-faith process: “this is the thing we all signed off on”.
Our loop is around whether or not we can establish who the “we” was. The original commenter was making a statement about the purpose of a signature and I was stating a disagreement with that purpose. At very best, we need to recognize multiple purposes. But since contracts all come down to what is supported by a court of law, it needs to be the right signature. If you’re saying the presence of a signature is all that is necessary, it’s perfectly fine for you to create a contract in which I pay you money and assign some mark that says I agreed to it. But you better be a decent forger then. Some of the ritual elements are in place to protect against bad faith.
I own a small payment processor. One of the biggest problems we have is on-boarding new customers. The issue is the banks and service providers we work with require physically signed documents, or we have to use their online signature solution. Their solution is often a worse experience than signing with paper, scanning and emailing. The provided solutions also are about as secure as emailing without encryption, too. Interestingly enough, most of these solutions just overlay a png image of the signature (sometimes collected from the user, sometimes picked from a list) on a PDF and then sign the document with the provider's cert. The final, signed document is delivered via email (hey, post to a webhook, it's 2020?). It would be nice to be able to have our own, better experience that worked with our vendor.
For serious identity variation in paper legal land we don't use signature matching, we use notaries: show id to a trusted 3rd party who can be later dragged into court, sometimes even with an additional witness to vouch for identity.
(In closely related news, just try buying a house during a pandemic, I dare you. There are amusing pictures floating around online of my wife and I shoving documents back and forth through barely-cracked car windows for notarization ...)
> (In closely related news, just try buying a house during a pandemic, I dare you. There are amusing pictures floating around online of my wife and I shoving documents back and forth through barely-cracked car windows for notarization ...)
I closed on a house a month ago. Notarization was done online by smartphone. Worst part was working with a local bank that had little to no online services.
Oh man, lack of bank services is a whole 'nother issue. The number of panicked calls I made to my bank to make sure there would be a person who could process the wire for the down payment amidst covid chaos...
just try buying a house during a pandemic, I dare you
Did that. (Offer made and accepted in August; moved in on October 1st.) All of the legal paperwork was done online on the basis of "here's a scan of two pieces of ID and clickclickclick I agree" -- the only "shoving through a window" moment was with a bank draft, and even that could have been done digitally if I had been comfortable with transferring such a large amount of money based on instructions received via email.
Rules vary from state to state; in BC they were changed early in the pandemic to remove the need for in-person transactions.
We just refinance and the notary came into our house and we did all the paperwork at our table. Masks all around and sanitizer of course. I think the notary fee was higher than normal because of it.
Did it. Sat outside m, 6 ft apart w masks. Not too hard. Worked fine. But you're right, notarization is the way we do this for real transactions, at least in the p2p world.
These signature services make no sense. My UK estate agent is trying to get me to use an American signature service to renew my lease.
- What I get is an email from a third party (the signature service) with whom I have no business relationship. Why would I trust anything they say?
- How do I know the agent has signed the lease?
- What can I do if the American service claims I signed a contract when I didn't? If I sign even a single contract with them I'm effectively giving them power of attorney to accept any contract on my behalf.
- Anyone who gains access to my email can enter contracts on my behalf.
It's mad.
The point of signing a contract in each other's presence is that both parties understand they are agreeing to something, and both have no doubt that the other is also entering the agreement. Online signature services do not achieve this.
And finally, PKI is worse. I won't rehearse the arguments. Read Ross Anderson.
We refinanced during the pandemic with $MEGABANK, and they almost exclusively used third parties and email for the entire transaction. The last step was a total stranger (employed by another subcontractor we’d never heard of) stopping by our house and notarizing each signature in the closing paperwork.
There was a day or two where we’d directed the previous lender to transfer title, and had already wired $100K’s to an unknown escrow service half a state away.
I didn’t sleep all that well until the previous lender said they’d received a wire for the amount due on the loan.
It’s not surprising that, among the paperwork we signed, there were multiple FBI notices about avoiding wire fraud.
Note that PKI didn’t help much with this transaction. All “secure” communications were delegated to entities that I had no reason to trust (e.g., subdomain.docusign.com).
I did check some license numbers here and there, and called the phone numbers the license holders registered with the government. So, the SSL cert on the .gov site helped (though even that is hit or miss, since it relies on domain registers confirming all the sites they allow are actually government entities.)
I also called the office number I found at $MEGABANK’s website to make sure they’d heard of me.
Beyond that, I had no reason to think $TOTALLY_LEGIT_ESCROW.com was not a phishing front.
The use of PKI referred to in the article isn't about domain names. PKI can be used for trust projection and verification beyond domain names, that is what the article refers to.
My point is that banks are already abusing existing trust projection and verification mechanisms in consumer-hostile ways.
How would giving them even more expressive mechanisms for delegation of trust to third parties improve this situation?
Edit: I say that it is “consumer hostile” because they’ve used PKI and contract law to construct a complicated system of subcontractors that allows them to process mortgages without ever providing a single cryptographic proof that anyone involved in the transaction is a representative of the bank. (And the result is that many people have recently lost their homes to fraud.)
It’s hard for programmers to understand signatures and law in general, because it is somewhat similar to programming but with very different rules.
The signature is just evidence of an agreement between you and the other party. It is not the only thing that matters. For example, if someone forged your signature on some paper transfer documents, would they then be able to move into your house? No.
In your scenario, it sounds like you’re worried about the third party signature service colluding with the other party and putting some terms in the contract that you didn’t agree to, while displaying the original contract to you when you sign?
If this is a genuine worry, just screenshot the document as you sign it. If the other party then tries to enforce these fraudulent terms, you can use the screenshots as evidence of the fraud. There may then be a criminal investigation, and everyone involved in the fraud may go to jail.
I understand perfectly well that if it goes wrong I will, most likely, be able to unpick the damage. But I also understand that this can take years and lots of money. Especially if the signature service is in a different country. So-called identity theft is a real problem.
My particular concern is that I believe I'm entering into a tenancy but then discover, due to some bug in the software, that the landlord never actually entered the agreement. At this point the landlord can legally evict me if, say, he gets a better offer. What can I do about this?
Edit to explain a detail of English law: this is a lease renewal. It isn't necessary for my continued occupation, but without it I have no security of tenure.
Nobody is going to risk jail time to just get a slightly better rent on an apartment or something. There are much better ways to make money if you’re willing to go to jail for fraud. The problem you are concerned about is not a problem.
The court will take into account more than just the lack of the landlord's signature on an electronic document. They will look at the intention between you two, as well as any correspondence between you and the landlord's agents.
A contract does not have to be written to exist, although it certainly helps. An oral agreement that you'll continue in the lease and will treat the document as a formality would suffice.
There will be evidence you will be able to adduce in your favour beyond this signature service.
Furthermore, there are strict rules around eviction; the landlord can't immediately evict even when you're not on an AST.
This entire subject is so ridiculous. The US military has solved this problem almost as much as 15 years ago. No visible scribbles of any kind, just cryptographic signatures backed by certificate. The certificate is embedded on a photo ID hardware token that requires a PIN that locks after 3 failed attempts. The military uses digital signatures for everything.
Does anyone know id the docusign has more complex authentication behind the scenes? Like, if someone else has access to your email, how can you verify that they aren't "forging" your digital signature on docs? Maybe like, 2 factor auth would be enough for most cases.
Cryptographic signatures are a really new thing (1970's). Only a very low percentage of people actually know how they work, much less believe in them. They will eventually change a lot of things and count as a significant discovery. We still have a lot of work to do. Education is the first step.
I was interested at first because I built a signature product a few years ago. I find it a bit confusing and had to reread to catch the point.
There are 3 levels defined by the EU. I use these levels everywhere because it's not really a legal thing but increasing levels of technical requirement. The US has many conflicting laws on what signatures are valid.
The lowest level is what you first started out with. The marketing term for this is "E-signature". It's a subtle marketing speak to mean putting an image into a document. Theses are generally accepted for most things. California though has not allowed this in the past. A provider offers signatures at this level (with some nuance).
The second level is a "digital signature" backed up by other details. People think this means like an actual signature. In document contexts it's very confusing. But what they really mean is signing (encrypting with your private key so the public can decrypt it). This can be a verified email, phone, the more the better. What's important is at this level the signer is not actually the person, it's the service. The service has a trusted cert created from the Adobe trust chain and does additional measures to verify the person. The visible signature at this point is just a mock to make people comfortable using it. The signature is really cryptographic. This level is pretty much always court admissible.
The last level is signing the doc with your own trusted cert. You can get these tokens from many providers to do yourself. It's required for typically government things like stamping a document by an actual engineer (ie a PE). To get these certs you need to go to a notary to get verified. This is as legit as it gets. It's almost bulletproof.
Product wise, I am pretty familiar with PKI but am still confused as to what it really does or why I should use it. If this is to get wide adoption, the person using it needs to know nothing about certs and PKI. Additionally, I'm confused if this is using PKI or a web of trust. I'd think it would have to be web of trust to be practical but it seems like the examples allude more to PKI? Best of luck, I look forward to see where it goes.
> What's important is at this level the signer is not actually the person, it's the service.
Interesting. Does this mean that if a scammer uses docsign to phish me into a mortgage transaction, and I lose my house, then docusign is on the hook financially?
Put another way: Are they legally required to sign on behalf of both (purported) parties of the contract in the case of a dispute? What if 99% of signatures are through them, and the last step is a fraudulent notary?
Send me an email (in my profile), I am interested in your perspective. PKI/Web of trust are just terminology around the usage of asymmetric key cryptography to solve certain problems.
The service relies on third parties to perform verification and issue certificates, just as the domain name certificate authorities do. The difference is that the information on the certificate can be anything, not just domain names.
Users use the Certisfy app to make use of those certificates, by making various claims against their certificates (think: location, age, name, even height:)..etc)
Think of the app as a kind of trust projection and information verification toolkit/client made for ordinary consumers.
This is a very misinformed article. The point of a signature is to make it obvious to both parties that they are making a binding agreement and to bring all the terms of the agreement together in one contract.
A signature also makes it so that someone must commit a felony to misrepresent what you agreed to by forging your signature, no matter how easy it might be to forge. It also creates evidence of their crime.
The article’s complaint seems to be that it might be easy to forge a signature, electronically or physically. Forged signatures are almost never an issue in contract disputes, and when they are, it’s almost always petty small time crime like check fraud.
Solving something that is not actually a problem, using an extremely complicated tool like cryptographic signatures, which require a huge amount of tooling around the storage of private keys and the identification public keys, is backwards.
69 comments
[ 3.0 ms ] story [ 86.8 ms ] threadFor those in the US who don't want a national ID: it wouldn't have to be one if the states issued their own. Yes, this would mean they'd all need the technical capability to operate a CA securely. Fund them enough to do that.
The US desperately, desperately needs a proper solution where "thing you give tons of people" isn't also "exactly enough to steal your ID".
As a curious factoid, in-between the world wars, it was popular for workers to have their ID number tatooed on their arm.
Using cryptography in addition to "classic" means of attestation sounds a lot better to me. You could also make it an "optional feature" of people's citizenships (like 2FA on an account) to ease adoption.
I'm sure some service would figure out a way.
The user just needs to learns how to perform some simple operations with the app, they never have to know about private/public keys.
Conduct implying intent, together with a hand-written signature, can go a very long way in practice.
The value of these services to me accordingly seems to be in their accuracy of replicating the ceremony, not in trying to compete with cryptographic signatures.
What would the merchant compare the signature on the card to? You don't sign a contract when buying groceries, you put in your card and type your PIN.
On the other hand, whenever I go to my bank and have to sign something, they do compare my signature with the one they have on file (formerly in a paper card, nowadays a virtual representation of that same card).
In theory, the merchant is supposed to look at the signature on the back of the card and compare it with the signature you write on the receipt. You can even write ID REQUIRED and then they’re supposed to check for ID.
In practice, I didn’t bother signing any of my cards for about 15 years. After two cashiers expressed annoyance at my blatant disregard for the rules (a few years apart) I started signing the cards.
They are not by the card schemes' rules, and I think they haven't been in quite a while.
> You can even write ID REQUIRED and then they’re supposed to check for ID.
Yes, but they are also supposed to make you sign on the spot after checking your ID. No signature on the card, no purchase – at least officially.
Vice versa, "ID REQUIRED" has no consequences (by scheme rules at least).
At least my financial institution was willing to work with a phone call, mobile phone number, and email for something rather than having to go in and do the notary thing.
Besides, the argument applies to other signs of consent, like verbal consent. Suppose you give a verbal consent to an agreement and then renege. The other party drags you to court. The judge says, "Did you verbally consent to this contract?" Saying "no" likewise would be perjury.
It only comes up if there's a dispute over whether the document was signed. Because the signature itself is so easily forged, the entire legal process relies on people not perjuring themselves if asked if they signed a document or not.
That said, I find it interesting that a couple people on their partners list are Notaries Public--adding digital signature to the list of functions a Notary can perform would make the migration to digital signatures easier. It would probably require making the Notary's signature part of a public chain maintained and issued by the local government as part of their licensure, though, so I don't see where Certisfy comes into that picture at all.
>I find it interesting that a couple people on their partners list are Notaries Public--adding digital signature to the list of functions a Notary can perform would make the migration to digital signatures easier.
That's the main idea here, to delegate trust generation to appropriate entities...this would scale to meet the need of the internet. Today, unless you have hundreds of billions in the bank like facebook, information verification is not practical.
The problem isn't (only) the technical issues. As TFA points out, this is easy, and even the most naive and simplistic implementation beats physical signatures hands-down.
There's two main problems:
1. Legality. Getting a court to recognise a digital signature probably isn't that hard. It's a bit like scanned images - if you can prove that this is the best evidence, then it'll probably be accepted. However, getting lawyers to accept digital signatures is difficult. One of those awkward situations where there's no consequences for them if they insist on a physical signature but lots of potential downside should they accept a digital signature.
2. File formats, or "the standards problem". To include a digitial signature in a document, we need a file format that includes digital signatures. Every document file format has a different version of this, and every digital signature service provides a different "wrapper" format with a different signature.
This needs to be solved top-down. The SCOTUS, or the EU Court, or some organisation of similar standing, needs to say "this wrapper format is the only type of signature legally accepted, and if a document is wrapped in this format, it is legally signed". Both problems vanish and we can have nice things again.
My response was, "Please login to your bank's website and do the transfer."
That was the time I learnt that some (or maybe more) Japanese Banks still need the individual's personal Stamp/Seal to send money from their Banks.
I learnt an interesting thing.
I run a B2B micro-ISV, and the number of times I've been mailed checks, despite slapping "NO CHECKS ACCEPTED" on everything, is ridiculous.
Also send me an email (in profile), I can issue you a short lived trustworthy certificate to try out the service :)
Ultimately the goal is to create a service that can serve as a generic and scalable solution for internet information trust. Everything from dating/social-media profiles to academic credentials can be authenticated with a service like this, all while preserving user privacy.
The purpose of a signature is to inform the signer that they are entering a binding contract. It is simply the modern equivalent to a handshake.
Sadly, precedent around Eula’s mean that signatures are no longer necessary to execute contracts.
If anything, society would be better served by making it more difficult to enter into binding agreements than to make it less difficult.
Imagine if, by law, for a EULA to be binding, the end user had to scroll through the entire document, and initial each separate section. Eula’s would be much shorter, and much less common.
In a digital equivalent of “no trespassing” or “cameras in use” signs a few standard clauses could be made enforceable by displaying them prominently on each page. For instance, there could be a clauses such as “you are purchasing a transferrable non-exclusive license to this software”, or “your subscription to this service is at-will with a fixed rate of $N/time-unit.”
The purpose of a signature is to inform the signer that they are entering a binding contract. It is simply the modern equivalent to a handshake.
Sadly, precedent around Eula’s mean that signatures are no longer necessary to execute contracts.
If anything, society would be better served by making it more difficult to enter into binding agreements than to make it less difficult.
Imagine if, by law, for a EULA to be binding, the end user had to scroll through the entire document, and initial each separate section. Eula’s would be much shorter, and much less common.
In a digital equivalent of “no trespassing” or “cameras in use signs” a few standard clauses could be made enforceable by displaying them prominently on each page. For instance, there could be a clauses such as “you are purchasing a transferrable non-exclusive license to this software”, or “your subscription to this service is at-will with a fixed rate of $N/time-unit.”
If you have a contract that obliges something from me, and it’s not my signature, you may be attempting fraud on me. See bankers and robo-signing. That is why I need to see, on your copy, my signature and any other personalizing marks that my original document contains.
I don't think this is the problem that these services solve.
Their purpose is to replicate the ritual of signing a document, to draw on the meaning of that tradition, so that that reasonable parties to an agreement understand there is a clear threshold that signifies the transition from negotiation to agreement, and all parties have a common version of the details of that agreement.
That all parties have a common version is exactly the point of the signature aspect. The idea of signing with ink is to have a personalized mark. Of course, with these services, the generic “signature” lacks the personalization.
The fact that many an agreement is pushed on the signer to be signed without reading it indicates that the mark is the important thing.
If pen-like inputs were more common, it would be easier to use one’s own mark. Of course, signatures are easier to fake in the all-digital realm too if you have a specimen you can copy-paste from.
Always keep a paper copy in case of disputes.
This sentence is correct but subtly conflates two elements, essentially contained in the respective words "signatory’s" and "acceptance":
* It proves the signatory's identity i.e. it was this person that agreed to the contract rather than some other person.
* It proves actual agreement i.e. this wasn't just a draft contract that we were still in the process of negotiating, but the final contract we had settled on.
If it came to court and the first one, identity, was in dispute then a signature is fairly unlikely to resolve that, at least on its own. But if the second point was in dispute "yeah I know I said that but it was conditional on blah blah other thing" then a signature on a contract makes that much harder to argue. The second one is very similar to what the parent comment said: the fact the signatory went through the ritual shows that they understood they were actually agreeing to precisely those conditions.
Our loop is around whether or not we can establish who the “we” was. The original commenter was making a statement about the purpose of a signature and I was stating a disagreement with that purpose. At very best, we need to recognize multiple purposes. But since contracts all come down to what is supported by a court of law, it needs to be the right signature. If you’re saying the presence of a signature is all that is necessary, it’s perfectly fine for you to create a contract in which I pay you money and assign some mark that says I agreed to it. But you better be a decent forger then. Some of the ritual elements are in place to protect against bad faith.
(In closely related news, just try buying a house during a pandemic, I dare you. There are amusing pictures floating around online of my wife and I shoving documents back and forth through barely-cracked car windows for notarization ...)
I closed on a house a month ago. Notarization was done online by smartphone. Worst part was working with a local bank that had little to no online services.
Did that. (Offer made and accepted in August; moved in on October 1st.) All of the legal paperwork was done online on the basis of "here's a scan of two pieces of ID and click click click I agree" -- the only "shoving through a window" moment was with a bank draft, and even that could have been done digitally if I had been comfortable with transferring such a large amount of money based on instructions received via email.
Rules vary from state to state; in BC they were changed early in the pandemic to remove the need for in-person transactions.
- What I get is an email from a third party (the signature service) with whom I have no business relationship. Why would I trust anything they say?
- How do I know the agent has signed the lease?
- What can I do if the American service claims I signed a contract when I didn't? If I sign even a single contract with them I'm effectively giving them power of attorney to accept any contract on my behalf.
- Anyone who gains access to my email can enter contracts on my behalf.
It's mad.
The point of signing a contract in each other's presence is that both parties understand they are agreeing to something, and both have no doubt that the other is also entering the agreement. Online signature services do not achieve this.
And finally, PKI is worse. I won't rehearse the arguments. Read Ross Anderson.
There was a day or two where we’d directed the previous lender to transfer title, and had already wired $100K’s to an unknown escrow service half a state away.
I didn’t sleep all that well until the previous lender said they’d received a wire for the amount due on the loan.
It’s not surprising that, among the paperwork we signed, there were multiple FBI notices about avoiding wire fraud.
Note that PKI didn’t help much with this transaction. All “secure” communications were delegated to entities that I had no reason to trust (e.g., subdomain.docusign.com).
I did check some license numbers here and there, and called the phone numbers the license holders registered with the government. So, the SSL cert on the .gov site helped (though even that is hit or miss, since it relies on domain registers confirming all the sites they allow are actually government entities.)
I also called the office number I found at $MEGABANK’s website to make sure they’d heard of me.
Beyond that, I had no reason to think $TOTALLY_LEGIT_ESCROW.com was not a phishing front.
How would giving them even more expressive mechanisms for delegation of trust to third parties improve this situation?
Edit: I say that it is “consumer hostile” because they’ve used PKI and contract law to construct a complicated system of subcontractors that allows them to process mortgages without ever providing a single cryptographic proof that anyone involved in the transaction is a representative of the bank. (And the result is that many people have recently lost their homes to fraud.)
The signature is just evidence of an agreement between you and the other party. It is not the only thing that matters. For example, if someone forged your signature on some paper transfer documents, would they then be able to move into your house? No.
In your scenario, it sounds like you’re worried about the third party signature service colluding with the other party and putting some terms in the contract that you didn’t agree to, while displaying the original contract to you when you sign?
If this is a genuine worry, just screenshot the document as you sign it. If the other party then tries to enforce these fraudulent terms, you can use the screenshots as evidence of the fraud. There may then be a criminal investigation, and everyone involved in the fraud may go to jail.
My particular concern is that I believe I'm entering into a tenancy but then discover, due to some bug in the software, that the landlord never actually entered the agreement. At this point the landlord can legally evict me if, say, he gets a better offer. What can I do about this?
Edit to explain a detail of English law: this is a lease renewal. It isn't necessary for my continued occupation, but without it I have no security of tenure.
A contract does not have to be written to exist, although it certainly helps. An oral agreement that you'll continue in the lease and will treat the document as a formality would suffice.
There will be evidence you will be able to adduce in your favour beyond this signature service.
Furthermore, there are strict rules around eviction; the landlord can't immediately evict even when you're not on an AST.
There are 3 levels defined by the EU. I use these levels everywhere because it's not really a legal thing but increasing levels of technical requirement. The US has many conflicting laws on what signatures are valid.
The lowest level is what you first started out with. The marketing term for this is "E-signature". It's a subtle marketing speak to mean putting an image into a document. Theses are generally accepted for most things. California though has not allowed this in the past. A provider offers signatures at this level (with some nuance).
The second level is a "digital signature" backed up by other details. People think this means like an actual signature. In document contexts it's very confusing. But what they really mean is signing (encrypting with your private key so the public can decrypt it). This can be a verified email, phone, the more the better. What's important is at this level the signer is not actually the person, it's the service. The service has a trusted cert created from the Adobe trust chain and does additional measures to verify the person. The visible signature at this point is just a mock to make people comfortable using it. The signature is really cryptographic. This level is pretty much always court admissible.
The last level is signing the doc with your own trusted cert. You can get these tokens from many providers to do yourself. It's required for typically government things like stamping a document by an actual engineer (ie a PE). To get these certs you need to go to a notary to get verified. This is as legit as it gets. It's almost bulletproof.
Product wise, I am pretty familiar with PKI but am still confused as to what it really does or why I should use it. If this is to get wide adoption, the person using it needs to know nothing about certs and PKI. Additionally, I'm confused if this is using PKI or a web of trust. I'd think it would have to be web of trust to be practical but it seems like the examples allude more to PKI? Best of luck, I look forward to see where it goes.
Interesting. Does this mean that if a scammer uses docsign to phish me into a mortgage transaction, and I lose my house, then docusign is on the hook financially?
Put another way: Are they legally required to sign on behalf of both (purported) parties of the contract in the case of a dispute? What if 99% of signatures are through them, and the last step is a fraudulent notary?
The service relies on third parties to perform verification and issue certificates, just as the domain name certificate authorities do. The difference is that the information on the certificate can be anything, not just domain names.
Users use the Certisfy app to make use of those certificates, by making various claims against their certificates (think: location, age, name, even height:)..etc)
Think of the app as a kind of trust projection and information verification toolkit/client made for ordinary consumers.
A signature also makes it so that someone must commit a felony to misrepresent what you agreed to by forging your signature, no matter how easy it might be to forge. It also creates evidence of their crime.
The article’s complaint seems to be that it might be easy to forge a signature, electronically or physically. Forged signatures are almost never an issue in contract disputes, and when they are, it’s almost always petty small time crime like check fraud.
Solving something that is not actually a problem, using an extremely complicated tool like cryptographic signatures, which require a huge amount of tooling around the storage of private keys and the identification public keys, is backwards.