30

I've never been happy with the explanation DocuSign gives for themselves in their own marketing material (e.g. https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq, https://www.docusign.com/products/electronic-signature and https://www.docusign.com/how-it-works/security). I have a number of questions:

  1. For me, if I want a document to be signed, I need to encrypt the hash of the document with my private key, and any recipients can verify the signature by decrypting my signature's hash and comparing it with their own recompute of the hash. On DocuSign I cannot see where or how I can provide my own private key (which would be a huge security issue in itself) nor will it let me keep my private key private (i.e. on my premises, not uploaded to their server). There is also no mention of any public key - in fact there's no way for me to verify the integrity and authorship of any document as DocuSign simply doesn't give that type of metadata to me, I just have to take their word for it that the document hasn't been tampered with.

  2. How does DocuSign verify identity in a meaningful way? So far all I can tell is that they can verify email address ownership (or at least mailbox access), I don't remember ever being required to verify my identity by driving license or passport scan uploads - so how is that legally considered proof-of-identity? How is it a signature in any way if it cannot provably be linked with my real-life identity? Anyone could claim one of my expired Hotmail addresses and create a DocuSign account for me and sign things with it.

  3. I have a problem with DocuSign being simultaneously 1) the verifier of identity, 2) the holder of the documents, and 3) the generator of the signatures - the fact it's a single legal entity means they have the legal, and certainly the technical, means of altering any document, its signature, and claims about that signature; considering recent news events where certain first-world nations governments try to coerce companies to decrypt their data this means I'm not likely to consider DocuSign trustworthy enough to "sign" anything significant. There is also the fact that DocuSign's codebase is proprietary and not accessible - I have to take their word (on their homepage, no less) that they have been independently audited and that the audit means something.

  4. I also don't like how they generate a fake handwritten "signature" image - I thought it has been established that simply having a photo of anyone's handwriting next to some text does not constitute a signature. I'm concerned of the effect this may have on users: a kind of "CSI effect" where the crypto-layperson will think that a picture of their signature is enough and then apply this learned "fact" to other platforms, thus worsening the public's awareness of PKI (after all the progress we've made educating users about SSL).

Given the problems I think I found in DocuSign above - if I were involved in a legal case, such as a contractual dispute, and the version on DocuSign is brought as evidence - can either party in the suit legitimately claim that the DocuSign document is bona fide? Conversely, how easily could the other party show the "signature" cannot be trusted?

i.e. can anyone sum up DocuSign's service and categorically say if it's cryptographically, or at least legally, sound?

Dai
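The hash-sign-verify flow the question's point 1 describes, as an added example in Go that is not part of the original post: the private key is generated and kept on the signer's side, the recipient needs only the public key, and any change to the document after signing makes verification fail. The sample contract text and the 2048-bit key size are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds a private key that never leaves the signer's own machine.
type Signer struct{ key *rsa.PrivateKey }

// NewSigner generates a fresh RSA key pair locally (2048 bits is a demo choice).
func NewSigner() (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key}, nil
}

// Public returns the only material a recipient needs for verification.
func (s *Signer) Public() *rsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the document with SHA-256 and signs the digest with the
// private key (RSA PKCS#1 v1.5; this is a "sign" operation, not "encrypt").
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
}

// Verify recomputes the digest from the received document and checks the signature
// against the public key: true proves authorship (key holder) and integrity (unchanged).
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed sample contract; real use would sign the document bytes (e.g. a PDF).
	contract := []byte("Party A delivers 100 units; Party B pays 1,000 on delivery.")
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig, err := alice.Sign(contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(alice.Public(), contract, sig)) // true
	tampered := []byte("Party A delivers 100 units; Party B pays 10,000 on delivery.")
	fmt.Println("tampered verifies:", Verify(alice.Public(), tampered, sig)) // false
}
```

A signature produced under a different key pair also fails to verify against Alice's public key, which is the "authorship" half of the check.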

6 Answers

22

A signature is, ultimately, a legal concept. When you sign a document, you are really producing a legal gun aimed at your own head (so you usually want other people to sign things, not sign them yourself). The value of a signature comes from its legal power, i.e. how much it will allow to apply responsibility and blame on the signer. The cryptographic elements (RSA and so on) are only tools that can help build the technical side of things, but that cannot suffice. Ultimately, there must be some kind of legal framework that defines signatures.

Of course, this will depend on jurisdiction. Nevertheless, countries/states that are currently defining laws for electronic signatures tend to go along the same lines:

  • A signature is binding as long as it was really signed by the alleged signer. This looks tautological, but it is an important definition: it really says that the signature legal value is not intrinsic to any specific technology. Writing your name at the end of an email is a signature.

  • What matters is the burden of proof. Legal frameworks will normally segregate systems into two categories: those for which signatures are reputed good, and it is the party who denies having signed who must make all the proofing work; and those for which signatures are reputed worthless unless a positive proof of attribution to the alleged signer is shown. "Name at the end of an email" belongs to the latter category; a positive proof may be simply a witness who saw the signer type the email.

  • The reference for signatures is handwritten signatures, which are, technically speaking, absolutely terrible. They are hard to validate, and can be faked. Handwritten signatures are still used thanks to a legal framework that severely punishes anybody who denies his own signature. Since handwritten signatures occur in the physical world, the very act of signing (with a pen) leaves a lot of traces (witnesses and so on) so many people ultimately find that repudiating their own signatures is too risky.

  • A further complication is that legal systems of the "Common Law" tradition tend to rely on jurisprudence to iron out the fine details, so countries like USA and UK will likely have legal frameworks for signatures that boil down to "wait and see" ("see you in court", I mean).

In France (which has a very "Latin" law system that really likes pre-established rigorous definitions, Descartes-style), the legal framework defines systems which are qualifiés, by which they mean that they went through independent audits and an administrative process that has all the simplicity that can be expected from French bureaucracy, to the effect that for these systems, the burden of proof lies on whoever claims that the signature is not binding. The list of the systèmes qualifiés is published and I see no DocuSign there [edit - as of July 21, 2017, DocuSign France is now listed].

DocuSign has a page dedicated to the legality side of things -- which is in fact a lot more important than the technology. In particular, they say this:

While DocuSign has a successful history of providing customers with all the evidence they need to defend their documents against repudiation, DocuSign is available to assist our customers with legal challenges by testifying in court to support the validity of DocuSigned documents.

which implicitly admits that their system tends to be of the "must prove validity" kind, i.e. not the one you would like -- but they claim to have had good results in some courts, and that they will help you. At that point, I'd say that if you want to use DocuSign for making your customers / business partners sign things, you'd better make sure that there are appropriate clauses in your contract that ensure a strong level of help from DocuSign, with insurance and so on. Your lawyer team should be involved.

Thomas Pornin
  • Addition: Germany has a similar system as France, enforcing high burdens for a signature to be legally binding ("qualifiziert"). This includes, but is not limited to: certified applications, certified smartcard readers, certified smart cards, certified algorithms, certified CAs, certified time stamps and of course certified means of binding a card to a person. – SEJPM Mar 09 '16 at 21:30
  • Thanks! So if I understand you correctly, it's "DocuSign isn't perfect, but they're *good-enough* - by both serving as a witness and depending more on the loose legal definition of a signature rather than any rigorous mathematical system." In that case I wish they would simply and straightforwardly deny that they're providers of cryptographic signatures, because I can see this leading to customer confusion (not least my own!) – Dai Mar 09 '16 at 22:24
  • I specifically do not endorse DocuSign, so what I say is that they _may_ be good enough. My core point is that the problem is not ultimately technical -- it does not really depend on where the private key is or even whether there is a public/private key pair anywhere in the system. Of course, technical aspects matter for how easy/hard making proofs will be, but from the customer point of view, the question is more about contracts and insurance than cryptography. – Thomas Pornin Mar 09 '16 at 22:31
  • @ThomasPornin Sorry, yes - I meant to say they're "good enough" from a legal point of view. I'm not personally interested in using them either, and I'm concerned by the large number of documents I'm given to sign via the system, and why no-one seems interested in accepting my own PKI-signed documents. – Dai Mar 09 '16 at 22:35
4

See https://crypto.stackexchange.com/questions/29501/how-can-cryptographic-signatures-be-somehow-linked-to-a-physical-signature for an outstanding explanation of how DocuSign actually works - including their use of cryptography (or lack thereof). In short, DocuSign basically functions as a 'witness' to attest that someone with access to a particular user's account agreed to the terms of a particular document. Although DocuSign touts the use of cryptography in their marketing materials, cryptography actually does not play an integral role in the actual 'signing' process.

mti2935
3

1: You encrypt it with your public key, and you decrypt it with your private key. You sign with your private key which is verified with your public key. NOTE: Never send your private key anywhere!

I see no way to get DS's public key, which makes no sense. There's no reason to hide these.

2: It doesn't require verification of the signer's identity. DocuSign's page at https://www.docusign.com/how-it-works/security#enforceability sounds strong, but a knowledgeable attorney would destroy it in short order. Specifically, they claim "court-admissible" non-repudiation for:

  • Signing parties' names
  • Digital signatures
  • Email addresses
  • Public IP addresses
  • Signing location (if provided)
  • Chain of custody (sent, viewed, signed, etc.)
  • Timestamps

The problem is, all of these can easily be spoofed with the exception of timestamps, which without the rest is worthless.

3: You are right. Notice they don't validate your identity, nor sign your key. They don't use your public key nor allow you to sign with your private key. It's all theirs apparently, which isn't any good.

4: I don't like that either. I refuse to allow my written signature to be attached to an insecure email.

You really are on top of this. It's a bit of a sham for people who don't know better. Is it legitimate? It's a legitimate business, performing what seems to be high-quality digital signature services. Granted, it's much better than those solutions that rely on a graphical signature only. It IS a step in the right direction. But there's a lot to be wary of, and I hope they fix it soon (unlikely).

Robert
3

I've been asked to 'sign' a DocuSign document and I too have been mystified by the process.

In Canada, digital signatures are covered, as far as I can tell, by the PIPEDA (Personal Information Protection and Electronic Documents Act). From a copy current to October 26, 2016, the section on 'Secure Electronic Signature' states that:

The Governor in Council may prescribe a technology or process only if the Governor in Council is satisfied that it can be proved that

(a) the electronic signature resulting from the use by a person of the technology or process is unique to the person;

(b) the use of the technology or process by a person to incorporate, attach or associate the person's electronic signature to an electronic document is under the sole control of the person;

(c) the technology or process can be used to identify the person using the technology or process; and

(d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.

The key points, if I'm correct here and if you're in Canada, are: the process has to be under the complete/sole control of the person who is signing, the signature can be traced back to you, and that same signature must be able to show that the document hasn't been modified.

So, DocuSign is actually doing the digital signature, not you/me.

I don't understand how, for example, by not creating an account with Docusign, by not generating a self-signed PKI key-pair by yourself, DocuSign thinks this qualifies as "under the sole control of the person". All of the other objections raised here also troubled me. At least misery has company, eh.

1

The technical answer is covered by various of the answers above. The signing relies on a chain of trust linking the DocuSign PKI with confidence in their ability to assert your identity through the DocuSign authentication framework. To illustrate the point, the scenarios below use the same basic mechanism to provide increasing levels of confidence in the signature, and thus the degree to which their signature would stand up in court.

  1. DocuSign PKI signature based on validated email address. As per the original sender this is probably a weak level of confidence because there are few guarantees about whether the email address used to validate the DocuSign identity can be associated with a real person.

  2. DocuSign PKI based on corporate Single Sign-On (SSO) enabled authentication. Most organisations use SSO to establish a level of confidence (e.g. witnessing) that a user in their corporate systems is who they say they are e.g. HR processes will help establish a link between a real person and their identity on corporate systems, and thus the link between a DocuSign identity and the SSO identity used to authenticate it. DocuSign encode this in their PKI signature (DocuSign user X signed document Y at Z), and given you trust DocuSign to verify the user you can trust it was who they said it was.

  3. DocuSign PKI based on organizational SSO with Multi-Factor authentication. As per the above, this provides a strong link between a real physical identity and the Corporate SSO verified identity, and their associated DocuSign identity that is subsequently encoded in the DocuSign digital signature (e.g. DocuSign user X signed a document at date Y). The multi-factor authentication provides an extra degree of confidence that the user authenticating to DocuSign is who they say they are i.e. it's not just a hacker who has remotely hacked a Corporate account.

So, based on this - and covering your points explicitly:

  1. Is kind of missing the point - as it's DocuSign's ability to identify users and keep its own PKI secure that is the basis of trust in their signatures.

  2. I agree with you. Not all DocuSign identities are equal, and trust relies on factors like authentication. Worth noting that in our proposed use case we are further enhancing security through multiple signatures i.e. it's conceivable that User X in the organization has had his electronic identity hacked, but it's much less likely that all three signatures required for a document signature have been hacked.

  3. Ultimately all signatures are based on trust - either trust in a single entity, or trust in a chain of entities. For example all PKI based systems are based on trust in the Root CAs. I would argue that having an externally audited company, with a strong commitment to disclosure, is about as trustworthy as you're likely to get. The trust comes from the fact that their value as a company would almost certainly disappear if they were found to be lying or had security breaches. Did you follow what happened to RSA following their breaches? It's not that you have complete trust in DocuSign, but you trust them relative to other options. As others have put it - how do you know the wet signature you're relying on is trustworthy?

  4. The handwritten signature is eye candy. If you open a signed PDF you will be able to validate the digital signature based on the chain of trust to the root CA that signed DocuSign's signing key.

Michael
  • When I last downloaded a "signed" PDF from a DocuSign session it was not cryptographically signed. Why do you mention DocuSign's PKI when there doesn't seem to be much *infrastructure* around it? – Dai Sep 09 '17 at 05:10
-2

But validating your identity is more related to Notary work, not contract law. I don't notarize the majority of contracts I sign, but they are still legally binding. And no one I sign contracts with has ever asked me to positively identify myself outside of notarized contracts or applications. Heck...a handshake can be legally binding without positive ID. What you need for proof is witness to the fact I shook your hand. Contracts like wills will typically have a witness signatory for that reason. No one asks for a notary on a will, but they do ask for witness.