Understand common uses and the security they provide.
Most people are familiar with “electronic signatures” and “digital signatures,” but not everyone understands the difference between the two terms. While the term electronic signature is broad and unstandardized, a digital signature refers to a very specific kind of electronic signature based on public key cryptography. This underlying cryptography provides greater security and assurance regarding the signer’s identity, validity of the signature, and integrity of the document contents. By using digital signatures, civil and structural engineers can reap benefits such as faster time-to-market, meeting the regulatory requirements of departments of transportation (DOTs), and even protection against litigation.
Today, more than a dozen states allow digital signatures for signing a wide variety of engineering documents as a replacement for wet ink signatures, seals, and stamps. For those civil and structural engineers who haven’t yet used digital signatures, it’s likely it won’t be very long before you do. Because of this, it will be important to understand the “ins and outs” of how digital signatures are most commonly used by professional engineers.
What does a digital signature do? — Not only does a digital signature vastly improve security versus an electronic signature, it also verifies the authenticity of the signer and the integrity of the document by providing proof of tampering (see Figure 1).
How does a digital signature get applied? — Avoiding the complicated math associated with public key cryptography, the most important point to understand is that your digital ID will be tied to a public and private key pair (www.ssl2buy.com/wiki/what-is-a-public-and-private-key-pair) that, although related, are distinctly different (asymmetric). Your public key is widely distributed along with your digital certificate that identifies you and perhaps your company to all who receive your signed documents. The associated private key is never shared since it’s the key that is used to apply your signature. The security of your private key is of the utmost importance since a stolen or compromised private key is the equivalent of losing control of your driver’s license.
Although digital certificates can be self-generated, publicly trusted digital signatures have several additional attributes. The certificate issuer (e.g., GlobalSign) and user (e.g., professional engineer) must follow strict measures on how the certificate and associated private key are issued and maintained.
The Certificate Authority (CA; https://searchsecurity.techtarget.com/definition/certificate-authority) must:
- comply with strict governance established by major browser and document work-flow providers such as Microsoft, Adobe, and Mozilla;
- adhere to periodic audits to assure compliance; and
- meet third-party (e.g., Adobe) policy and technical requirements.
Policy and technical requirements specify identity verification (of both the engineer and, optionally, his/her organization), detail how the signer’s private key is protected, and provide a mechanism to revoke certificates that are deemed compromised.
The end user (professional engineer) must protect their private key, whether it is stored locally on a USB token or other approved security device, or the credential used to invoke cloud signatures held by the CA.
While these collective obligations place a bit of extra burden on engineers initially, the benefits compared with basic electronic signatures or non-publicly trusted certificates are wide reaching:
- Recipients of signed documents are provided high assurances that the identity associated with the signature is authentic.
- Instant interoperability — Default settings in Adobe Acrobat, Reader, Cloud Signature Consortium, Microsoft Office, and many other document workflow software will automatically present a trusted signature, avoiding the need to ask recipients to manually trust your signature.
- Legally admissible — Should the document integrity or authorship get challenged, the signature evidence is likely to hold up in a court of law.
How states employ digital signatures
Adobe’s Approved Trust List (AATL) certificates are used widely by civil engineers who submit documents such as shop drawings, working drawings, and product data submissions to state and local DOTs. Given the consequences of design flaws or contractors not following designs as specified, DOTs understand the stakes are high, especially when it comes to designs around roads, bridges, and tunnels.
For example, in Connecticut, engineers, architects, and construction contractors are able to digitally sign drawings, agreements, and other documents via engineering software such as Bluebeam. A digital ID must also be purchased in order to apply a digital signature, and it must meet the specifications of the AATL.
Four common digital signature requirements
It’s worth examining practices from other states as well since each one has the authority to decide which rules it will enforce. Following are four common core requirements for digital signature use based on language from digital signature laws in California, Oregon, and Washington, D.C. Check local laws and regulations before investigating solutions that will best meet your needs.
The digital signature must be unique to the person using it — Not surprisingly, whether you are receiving a signed document or signing one yourself, you want to be certain the person who needs to be signing your document is actually the right person. Because of the anonymity of the internet, there are limited ways to confirm that someone is who he or she says they are.
One method is to be externally vetted by a third-party CA. CAs are entities that are publicly trusted to assign digital identities to individuals, departments, or companies. This is accomplished by submitting identity verification documents to the CA, which then issues you a unique digital certificate confirming your online identity. You use this certificate to apply digital signatures to your project. This means you can be confident that you alone can apply a digital signature in your name and your recipients can also be confident that it was really you who signed the document.
The digital signature must be capable of verification — Verifying the validity of a signature is extremely important whether it is digital or wet ink. This is the reason high-value transactions (e.g., applying for loans and certain contracts) often require a notary for wet ink signatures — the parties involved want to ensure the people signing the documents are who they say they are. In this case, the signatures are verified by the notary.
But what about digital signatures? This is where acquiring one from a publicly trusted CA comes in handy. Because a trusted third-party CA verifies your identity before issuing your certificate and you use that unique certificate to apply your digital signature, there is clear evidence on every document you sign that shows who signed the document, when it was signed, and who verified the signer.
The digital signature must be under the sole control of the person using it — As discussed throughout this article, it’s critical to be certain a signature in the document was actually applied by the individual. All parties involved in the electronic document exchange need to know that you and you alone can apply your digital signature.
For digital signatures, this comes down to protecting your signing certificate because if someone has access to it, they can use it to digitally sign in your name. Storing your certificate on cryptographic hardware (e.g., FIPS-compliant USB token) is a common option for this and means that in order to apply your signature, you need the token itself and a password. In the case of theft of your physical hardware token, the thief would still need your token password to use your signing credentials. When you’re ready to begin researching vendors, make sure they offer some kind of hardware certificate protection, and if not, that they have an alternative means of meeting this requirement.
The digital signature must be linked to data in such a manner that if the data is changed, the digital signature is invalidated — Content integrity and protecting intellectual property are essential, especially for the engineering industry. You want to be certain that whatever is in the document you sign off on or publish can’t be altered. Fortunately, applying a digital signature essentially creates a tamper-evident seal on the document. Part of the signature validation process (which happens automatically and behind the scenes when someone opens a signed document) involves comparing the content of the document before and after the signature was applied. If changes were made, an error message will appear (see Figure 2).
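The key-pair mechanics described earlier and the tamper-evident seal described above can be reproduced with the OpenSSL command line. This is an added example, not part of the original article: it signs a plain file with a bare key pair rather than a CA-issued certificate inside a PDF, and the signer names, file names, and document text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added illustration: sign a file, then verify it before and after a change.
# Signer names, file names and document text are constructed for this example.

WORK=$(mktemp -d)

make_signer() {   # $1 = signer name; writes $1.key (private) and $1.pub (public)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  # Only the public half is ever handed to recipients.
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

sign_doc() {      # $1 = signer, $2 = document; writes the signature to $2.sig
  # The private key signs a SHA-256 digest of the document contents.
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

verify_doc() {    # $1 = signer, $2 = document; prints VALID or INVALID
  # The recipient needs only the public key, the document and the signature.
  if openssl dgst -sha256 -verify "$WORK/$1.pub" \
       -signature "$2.sig" "$2" >/dev/null 2>&1
  then echo VALID
  else echo INVALID
  fi
}

make_signer engineer
doc="$WORK/drawing.txt"
printf 'Girder G4: W36x150\n' > "$doc"      # constructed sample document
sign_doc engineer "$doc"
echo "as signed:    $(verify_doc engineer "$doc")"

printf 'Girder G4: W30x90\n' > "$doc"       # content altered after signing
echo "after change: $(verify_doc engineer "$doc")"
```

The second check fails because the digest of the altered file no longer matches the one covered by the signature, which is the condition a document viewer reports as a changed document.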
Other benefits of digital signatures
The benefits of going paperless have been clear for years, but signatures were often a sticking point — what is a secure electronic alternative and would that electronic signature be accepted legally? Fortunately, state electronic signature regulations are helping to answer both of those questions for engineering companies that want to make the switch.
Digital signatures are the clear solution for professional engineers. Capable of authenticating the signer, validating the signature, and ensuring content integrity — coupled with secure time-stamps — they meet the requirements highlighted above that are the basis of most state engineering electronic signature requirements. In fact, the California, Washington, D.C., and Oregon laws referenced in this article all mention digital signatures specifically, as opposed to other types of electronic signatures. While there are other components needed to implement a fully electronic document workflow, when it comes to signatures, all signs are pointing to digital.
Lila Kee is GlobalSign’s (www.globalsign.com) general manager of the Americas and chief product officer.