
I don't get the magical power of a signature at all. Everybody can write my name under a document.

This project basically allows you to forge your own signature. Is it still legally binding? Do these rules even remember the original intent?




I don't understand it either; as others pointed out as well, I can't do a consistent signature even if I tried to (I've always had trouble with writing, and I barely do anything outside of shopping lists and a paper calendar nowadays).

I've always thought that as long as you can recognize your own signature and declare in a court of law, under oath, that the signature is or is not yours then it's fine.

It's still not foolproof though. An ex of my GF forged her signature and took out a loan in her name. They're still on her ass about that one, despite her claims that the signature isn't hers. They're not taking it to court though, they probably don't have a case. Doesn't stop them from harassing though.


A signature has no magic power. It's very simple. If you sign your name on a document, you are stating that you agree with the document. It doesn't matter if you use a feather pen or this guy's script. If you sign someone else's name on a document, it's obvious that you are committing fraud by impersonating them. Again, the instrument used to sign has no bearing on that.

You seem to be of the opinion that since it is possible to forge a signature, it cannot be legally binding.


> Do these rules even remember the original intent?

You are describing bureaucracy.

There are plenty of people who work (and live) by rules that no longer make sense, but hey, they're the rules!


Just because something can be forged doesn't mean it's useless. Signature in isolation doesn't mean anything, the surrounding legal environment is what gives it its powers. That legal environment doesn't operate on boolean logic, but on probability theory. Signature is just an input to that.


Agreed, rules exist for a reason, and good changes are planned and executed safely over time.

But there's still a delta of time during which old rules continue to be applied in a manner that can feel senseless, while new processes are figured out. :-)


The act of marking the sig field shows your intent to bind to the contract. You can digitally sign but there are a couple extra steps to confirm the intent and identity that aren't hard but are just hard enough to make DocuSign a lot of money and leave everybody else to print/sign/scan their stuff.


So you're saying the signature itself is irrelevant? It's just an elaborate checkbox? The question then is how do you prove I was the guy who checked the box?


It sort of is, actually. What really matters is the provenance of the approval, the audit trail or whatever you want to call it. You are creating a record of when and that you agreed to something and the signature is an artifact of that agreement.

A signature is somewhat harder to fake than checking a checkbox and can be somewhat more easily traced back to the signatory, so it’s probably somewhat better than a checkbox.


So in hipster terms: it's a paper blockchain that isn't immutable and has no real identity ;-)


I mean it's just a paper record. Its existence alone doesn't necessarily prove anything on its own. It's when you're making a case to a judge that you didn't buy 1700 rolls of toilet paper that they can bring it out and say "Yes you did and we have your signature."

You're free to counter and say it's a forgery just as you would be to counter and say someone stole your private key. But the point of a signature in particular is that it's supposed to signal considered intent rather than mindlessly checking a box or being rushed and saying "sure sure whatever."

We pop up dialogs to ask users for confirmation before doing dangerous actions. What's wrong with the paper equivalent?


And is pretty easy to forge collisions.


Audit trail... see also companies like Jornaya that specialize in making any form interaction auditable for consent to receive marketing.


Actually yes. You can mark with an X, and that was somewhat common when the literacy rate wasn't as good as it is now. The answer to your last question is to have witnesses, either in person or proxied via a notary.


That's what a notary does; https://en.wikipedia.org/wiki/Notary


The willingness or need to enforce seems to correlate with the measures a company requires you to take on signing.

* TOS - a simple checkbox - or even just a "continue button"
* Moderately large purchase - type your name
* Larger purchase - draw your name
* Major contract - use this widely recognized signature flow


It's like how you have to type a whole word into a box to delete a repo on github.


That's really just a defense against deleting the wrong repo. If you're typing in the whole repo name, including the account it's under, you're very likely to know which repo you are deleting when you hit the button. (Consider the horror scenario where you both own an org repo and have a personal fork, and you mean to delete your personal fork but delete the main repo instead.)


Signing something, in the same way, is a defense against someone claiming that they really didn't mean it.


Life-or-death contract - write out 2048-bit DSA private key from memory; no, you cannot import a key file instead


The moment you write out the private key it's no longer secure. Anyone who sees it (and has a good enough memory) could copy the key to another contract.

You'd need to perform the DSA algorithm in your head on the content of the contract, using your memorized private key, and write out the resulting signature block.


I have great difficulty maintaining a consistent signature, even when having to sign multiple times on the same page at the same time. A mediocre forger could probably do a better job replicating my signature than I can—if they could find a sufficiently median example of it.


In a way I don't think it's possible to forge one's own signature. What's the difference between my signature and the forgery of the signature I did myself? A signature on a piece of paper says "I read this and agree with what's written so I've put a unique piece of ink there to show my agreement"; it doesn't really matter what you put there if all parts agree on its validity.


But what if you aren't the one who forged your own signature? How are you going to prove that someone else scribbled something on a PDF?


The forging of a signature has always been a possibility, which is why witnesses are required for the important stuff.

On the other hand, you would be right in thinking that there is a somewhat anachronistic element of theater in having signatures on electronic documents.


In some ways, the theater is the point: the more elaborate the “production”, the easier it is to demonstrate that the required “meeting of the minds” took place.

Someone might blithely—or accidentally—click continue, but you can’t really sleepwalk your way through signing a document or lining up witnesses to the signing.


> The forging of a signature has always been a possibility

Yes, but it used to be difficult. If you can lift an image off one piece of paper and print it on another it becomes easy.

It’s no different than paper currency. If it’s easy to forge, then the real money becomes worthless.


> Is it still legally binding?

Not in the EU country I live in.

1. We have digital signatures we can use to sign documents and they are legally binding for gov. organizations and optionally every organization that accepts em.

2. For internal documents, metadata is sufficient after organization issues an order.

3. Between orgs, metadata is sufficient if you address that within contract.

At least I remember it being that way a few years ago.

This PDF viewable signature stuff is void. Only to make some people feel better.


The question is, can you forge your own signature? If both parties agree that the document is legally binding it seems a bit unlikely that the document would fall under the forged label.

Though I am not a lawyer.

It's also worth noting that digital signatures throughout the European Union have legal status.


Digital signatures also have legal status in the US.

Until society catches up and uses cryptographic primitives provided by a national ID smart card (such as Estonia has) for authorizing intents, this is a satisfactory method to make document execution less painful.

This project is already doing the easy part (“place pretty signature picture here”). Depending on your jurisdiction and their tolerance, you could also render a true crypto signature in ascii-armored format to assist in proving legitimacy (perhaps generated as a small print signature line under the signature).

Sidenote: Some transactions require a "wet" signature (as in, actual ink on actual paper from an actual pen). This doesn't get around those transactions unfortunately.


All the more baffling why some countries are moving away from national identification and other digital signing initiatives to prove identity. E.g. the UK that introduced and then subsequently dismantled a national ID card and database (apparently it was a "privacy" issue for the government to have a record of citizens?). Imagine this, a first world country, living in the dark ages essentially when it comes to identity.


Many people in the USA believe a "national ID" card is the work of actual Satan:

https://countdown.org/en/entries/features/national-id-cards-...

> These ID cards are, however, preparing the way. The more people get used to some new government regulation, restriction, or provision, the more they tolerate it and eventually just learn to live with it. What may at first seem unthinkable and raise howls of protest, later becomes accepted by a few, then many, then most. And that’s how the Antichrist and his agents will capitalize on these compulsory ID cards to prepare the world for what’s next.


I think "many" might be overselling it a bit relative to a population of ~330M.


People who believe that have incredible influence in our flawed political structure.


Translation: Hi, I'm from New York or California, or maybe Seattle.


Huh? There are a lot of devout Christians in the US. The vast majority of them are not "end-times" truthers.


The ones with political power are. It is exceedingly naive to claim otherwise.

Google the term "Dominionism."


Dominionism is not a clearly defined practice/group/sect/etc. The most inclusive definition is basically just "people with strong beliefs want to run the democracy they live in according to those beliefs", which doesn't seem like a surprising way for anyone to behave.

Yet, take even the most expansive and uncharitable definition, and still "dominionism" =/= "the end times are at hand and there are signs everywhere of the coming anti-christ, such as national ID cards".


You're lecturing to someone who grew up around these people, and who, paradoxically, has only watched their influence grow over the last thirty years.

So, yeah, thanks for that.


If you support national ID systems, please do your part to advocate for such systems whenever possible (as well as the necessary privacy and oversight controls). Progress is a function of effort. I'm working on the US side.


> (apparently it was a "privacy" issue for the government to have a record of citizens?)

That's because there's a 95% chance they'll sell it to the likes of Equifax and Experian - what minister could resist the temptation to 'make the system pay for itself' while 'reducing fraud' and 'working with the private sector' - and a 100% chance one of them will then lose it in a breach.


Just for what it's worth, a big part of the backlash against the national ID is that firstly we have a couple of decent proxies, for example driving licence and passport, and secondly we were being asked to pay for the privilege.


> national ID smart card

National ID systems are an incredibly bad idea. You can already get the entire authentication benefit from using decentralized ID systems (your bank authenticates you with your bank card, your employer authenticates you with your employee ID), so all a national ID adds is the ability for corporations to correlate all your different identities without your knowledge or consent, which is nothing but a privacy-invasive misfeature. Note that without a centralized ID they could still do it with your knowledge and consent by having you authenticate using multiple decentralized IDs.

Centralized identity is also a huge single point of failure and compromise. It would attract far higher resources from attackers than non-monoculture ID systems do, have far reaching consequences when vulnerabilities are discovered, and take far longer to respond when changes are necessary because of the scope of use.


I think you're forgetting the part where those existing so-called "decentralized" ID systems are by-and-large using a centralized system (your SSN) which is magnitudes worse than a cryptographic card.

Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both. The status quo is that any service which requires identity validation is requiring you to provide your SSN, which in internet terms is like authenticating with only a username (no password) on all websites, AND you have to use the SAME username for every different site.

Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.


> I think you're forgetting the part where those existing so-called "decentralized" ID systems are by-and-large using a centralized system (your SSN) which is magnitudes worse than a cryptographic card.

It's orders of magnitude worse at authentication because that's not what it's for and everyone should immediately stop trying to use it for that. For that matter it would be better if they would stop using it for anything other than its original purpose as a tax ID.

> Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.

But that's exactly the point. That isn't a national ID, it's ordinary public key cryptography which anyone can use right now already. You don't need a national ID for this, just create a new public-private key pair whenever you first interact with a new entity and use it to authenticate yourself to that entity going forward.

> Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both.

But there is no good reason they need to know this, because having a bank account has really nothing to do with having an employer. All your employer should need is your bank account number so they can deposit your paycheck -- or not even that, just to give you a signature authorizing their bank to transfer money to you, where "you" means the person who can prove they hold the private key corresponding to a public key you gave your employer.

Banks shouldn't even need to know your name if things were being done securely, much less your SSN. Having them is nothing but a liability because someone who doesn't know what they're doing could mistake them for an authentication method.
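The idea in the two comments above (a card holding a separate key per provider, or simply a new key pair per entity) can be sketched as follows. This is an added example, not code posted in the thread; the `Card` type, the HMAC-based key derivation and the party names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card is a hypothetical "cryptographic card": one master secret from which a
// separate Ed25519 key pair is derived for every relying party.
type Card struct{ master []byte }

// NewCard creates a card with a fresh random master secret.
func NewCard() (*Card, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &Card{master: m}, nil
}

// keyFor derives the key pair used with one relying party only. The HMAC
// output serves as the Ed25519 seed (derivation assumed for this example).
func (c *Card) keyFor(party string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte("pairwise-id|" + party))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Enroll returns the public key a relying party stores at first contact.
func (c *Card) Enroll(party string) ed25519.PublicKey {
	return c.keyFor(party).Public().(ed25519.PublicKey)
}

// signedMessage binds a response to one party and one challenge.
func signedMessage(party string, challenge []byte) []byte {
	return append([]byte(party+"|"), challenge...)
}

// Respond proves possession of the party-specific key without revealing it.
func (c *Card) Respond(party string, challenge []byte) []byte {
	return ed25519.Sign(c.keyFor(party), signedMessage(party, challenge))
}

// Verify is the relying party's check of a response against its stored key.
func Verify(pub ed25519.PublicKey, party string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(party, challenge), sig)
}

// NewChallenge returns a fresh nonce so that old responses cannot be replayed.
func NewChallenge() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Linkable reports whether two stored identifiers are identical, which is how
// two organisations holding the same SSN can cross-reference a customer.
func Linkable(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	bankKey, employerKey := card.Enroll("bank"), card.Enroll("employer")
	ssn := []byte("000-00-0000") // constructed placeholder value

	fmt.Println("same SSN linkable:     ", Linkable(ssn, ssn))
	fmt.Println("pairwise keys linkable:", Linkable(bankKey, employerKey))

	c1 := NewChallenge()
	sig := card.Respond("bank", c1)
	fmt.Println("fresh response:        ", Verify(bankKey, "bank", c1, sig))
	fmt.Println("replayed response:     ", Verify(bankKey, "bank", NewChallenge(), sig))
	fmt.Println("relayed to employer:   ", Verify(employerKey, "employer", c1, sig))
}
```

The keys alone do not link the two accounts; any name or address handed over alongside them still can.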


You do need the SSN to match up with the name and other personal information like age, gender, address, etc. In that way, it's a bit like authenticating with a common username and a password that is publicly available with the username obfuscated (except in the case of data leaks).


Instead of a unique ID like a SSN, we should be using an identity provider to support such use cases. Imagine instead that you would authenticate with https://login.gov (ideally with your credentials and a hardware 2FA device), which would then attest to whatever service you were logging in to that you are you.

You can't rotate a social security number with reasonable effort, and we can no longer treat it as a secret, because it isn't one. It's time to move past it as an identifier.


Now imagine that for whatever reason you suddenly become persona non grata, and https://login.gov/ refuses to attest that you are you to any of the services you have come to depend on.

Or just imagine https://login.gov/ passively collecting information about all the services you're logging into.

I wouldn't be opposed to a common login protocol—preferably a distributed or federated one—where the government and other parties can add their own signatures to attest that a particular identity belongs to a certain real-world person, and you can choose which of those signatures you present to any given service. However, having the login itself go through a government server would be an incredibly bad idea.


We're already at that point (driver's licenses, passports) and it hasn't happened yet. Yes, you can get blacklisted by the TSA for air transport, but they have an exception process for that (redress control number).

Proper functioning of democracy and government requires eternal vigilance (apologies to Jefferson).


You don't need your driver's license or passport to log in to your e-mail or Facebook account and communicate with your friends, or to buy groceries. Revoking your driver's license and passport affects your ability to travel long distances and not much else, at least in the short term. It's bad enough that you need a current government ID for domestic flights; we don't need to make it mandatory for everything.

> Proper functioning of democracy and government requires eternal vigilance

Indeed, and part of that vigilance is pushing back against government involvement in areas they have no business in, such as authentication for non-government services.


Nobody is proposing a system where you need to authenticate with some national ID in order to do any of the things you mentioned.

We are talking about having better authentication (both more privacy-aware and more flexible) for situations where it's needed. You don't need to validate your identity for email, facebook, or groceries, so obviously this wouldn't apply there. This would apply to things where some ID auth is already taking place (e.g. anything that asks for your SSN, KYC processes in general, etc).


It was, of course, never intended to be used as an authenticator, nor a secret in any way.


It's interesting to see a mention of the ability "to correlate all your different identities" as a feature, which probably illustrates fundamental conceptual differences in different legal/social systems.

In European continental civil law (as opposed to common law e.g. USA and UK, as far as I understand UK law) there's no such legal concept as "different identities" or legal aliases - you have one identity, and that's it. You must have an official identity (it's a crime for adults to not have that official ID registered/issued) and you can't have more than one. There's no right to assume or use a different identity, doing so for any benefit is fraud or forgery. If you change your name, then that must be published so that it's trivial for anyone to link these "identities", or, more accurately, know that the same identity used a different name until a particular day.

That has some disadvantages (e.g. lack of pseudonymity - either you're not identified at all, or you're fully identified) and some advantages e.g. in commerce it's generally useful to have a strong identification of your counterpart rather than a weak one; and it eliminates a whole class of "identity confusion" for people with matching names and other features - there's a single "source of truth" for identity, and it can reliably distinguish all the different John Smiths.

If we're looking at the risk of compromise, it's worth noting that the whole concept of 'identity theft' is widespread in countries with weak ID systems like USA and not widespread in places with strong centralized IDs like continental Europe. A chain is as strong as its weakest point; if it's plausible that you might be using some weak form of ID (or even just 'something you know' like social security number/mother's maiden name/etc), then someone else can pretend to be you using that weak form of ID.


You have to realize that the entire concept of "identity theft" comes from having centralized identity to begin with, otherwise there is nothing to "steal".

Suppose you want to take out a mortgage on a house. If you take it out in someone else's name, this is a problem. But suppose that didn't even enter into it. Instead you prove title to the house, i.e. you authenticate to the city title office as owner of that property using the authentication method you established when you bought it, and that proves to the bank that you own the property. You, having authenticated to the city, approve the bank to take a lien out on the house. They accept the lien as collateral for the mortgage loan, and you get a mortgage loan. Your name doesn't enter into it at all, so nobody could use your name to take out a loan. If you don't pay the loan, they don't care one bit what your name is, they just foreclose on your house.


You realize there is a centralized identity here: The house, or whatever identifies it e.g. street and number.

Also, as a counterpoint, most countries have much stronger centralized identities than the USA, and much less trouble with identity theft.


That's one identity, but the owner of the house would have other identities. The fact that you know that the owner of the house approved the lien would not automatically tell you that, for example, the person living in the house approved the lien. Or that a certain employee of a certain company approved it. These would all be separate identities, even if they all refer to the same person.

Even in countries with unique, centralized identities, you don't go around handing your government ID to everyone you meet. You use it for official legal business only. In other contexts you still have less formal identities which remain separate from your official identity.


You seem to be conflating the two different, incompatible meanings of "digital signatures" here.

This article is about digital signatures as in digital pictures of a signature. There's some support of them in, for example, some PDF tools. These do not have a legal status in EU.

And there are "digital signatures" as in cryptographic digital verification of documents using private/public key cryptography. This is the type of digital signatures for which EU has a legal status, and in many countries a support for verifying identity - for example, I can cryptographically sign documents using the chip on my gov't ID card, and if I receive such a document, then I can securely verify the identity of the signer without needing any preexisting relationship with them. But this has nothing to do with the pictures of signatures that this article is talking about, that seems to be more like a USA thing.
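The difference between the two meanings can be shown in a few lines. This is an added example, not code from the thread or from the project under discussion; `SignedDoc` is a constructed stand-in for a signed PDF, and the field layout and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedDoc is a simplified stand-in for a signed PDF, constructed for this
// example: the body, a pasted picture of a handwritten signature, and an
// Ed25519 signature together with the time it claims to have been made.
type SignedDoc struct {
	Body      []byte
	SigImage  []byte
	SignedAt  int64 // Unix seconds
	CryptoSig []byte
}

// NewSigner generates the signer's key pair.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// toBeSigned binds the signature to the exact body bytes and the signing time.
func toBeSigned(body []byte, signedAt int64) []byte {
	digest := sha256.Sum256(body)
	msg := make([]byte, len(digest)+8)
	copy(msg, digest[:])
	binary.BigEndian.PutUint64(msg[len(digest):], uint64(signedAt))
	return msg
}

// Sign pastes the picture and adds a cryptographic signature over the body.
func Sign(priv ed25519.PrivateKey, body, image []byte, at int64) SignedDoc {
	sig := ed25519.Sign(priv, toBeSigned(body, at))
	return SignedDoc{Body: body, SigImage: image, SignedAt: at, CryptoSig: sig}
}

// ImageMatches is all a reader can check about a pasted picture: that it looks
// like the signer's specimen. The body plays no part in the check.
func ImageMatches(d SignedDoc, specimen []byte) bool {
	return bytes.Equal(d.SigImage, specimen)
}

// CryptoValid checks the Ed25519 signature against this document's own body
// and claimed signing time.
func CryptoValid(pub ed25519.PublicKey, d SignedDoc) bool {
	return ed25519.Verify(pub, toBeSigned(d.Body, d.SignedAt), d.CryptoSig)
}

// LiftOnto copies every signature field unchanged onto a different body,
// the "lift an image off one piece of paper" case raised in the thread.
func LiftOnto(d SignedDoc, newBody []byte) SignedDoc {
	d.Body = newBody
	return d
}

func main() {
	pub, priv := NewSigner()
	specimen := []byte("<bitmap of handwritten signature>") // constructed
	original := Sign(priv, []byte("I agree to buy 1 roll."), specimen, 1600000000)
	lifted := LiftOnto(original, []byte("I agree to buy 1700 rolls."))
	backdated := original
	backdated.SignedAt = 1500000000

	fmt.Println("original:  image", ImageMatches(original, specimen), "crypto", CryptoValid(pub, original))
	fmt.Println("lifted:    image", ImageMatches(lifted, specimen), "crypto", CryptoValid(pub, lifted))
	fmt.Println("backdated: image", ImageMatches(backdated, specimen), "crypto", CryptoValid(pub, backdated))
}
```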


The Uniform Commercial Code [1] in the United States says that:

> A signature may be made (i) manually or by means of a device or machine, and (ii) by the use of any name, including a trade or assumed name, or by a word, mark, or symbol executed or adopted by a person with present intention to authenticate a writing.

IANAL but I would think that this program would fall under "by means of a device" and thus be considered valid.

[1] https://www.law.cornell.edu/ucc/3/3-401


Signatures being meaningful is a downright American tradition. The country was founded based on signatures. It is never going away.

Cryptographic protocols can be added to verify signing, but until every civilian practices perfect opsec (never gonna happen), in-person signatures in front of a notary will always be the way business is done.

Better technology (this program, Photoshop, deepfakes, quantum prime factorization) may actually increase the need for in-person wet signatures.


Post-quantum digital signature algorithms based on lattices are starting to get secure, efficient and based on simple mathematical constructs.

IIRC, the basic construction is you generate a lattice trapdoor matrix R, such that A*(Rt + e) ~= t. Finding an input p with small coefficients, for some t such that Ap = t, reduces to one of the lattice reduction problems, since it requires finding a "good" basis for the lattice (if you invert A you'll have huge coefficients, so you can't forge it). Having the trapdoor R to make p = Rt + e lets you use the trapdoor to find the preimage, and the Gaussian vector e smudges it so that an attacker can't collect signatures to decipher R (this is learning with errors, another problem that reduces to lattice basis). So the signature is easy to verify, and the trapdoor matrix is relatively small and efficient to compute (IIRC a couple megs and <1s).

Disclaimer: not a cryptographer, just a hobbyist.


Are there any widely analyzed implementations that I can use today? Got any links? I'm interested, but I don't think I'd understand without seeing code.


It's a pretty bleak landscape, code-wise. The PALISADE crypto library is an implementation of many of these primitives in C++, but it will be nearly impossible to understand it without reading the papers. I recommend "Trapdoors for Lattices: Simpler, Tighter, Smaller, Faster" [0] and the many papers that build on it. That paper was fairly accessible to a layperson like myself. If you're interested you could play around with it in Sympy or Mathematica.

0. https://eprint.iacr.org/2011/501


I think it's possible to analyze signatures in various ways that are hard to replicate, but a copy is always just a copy. What I believe the thing here is that there are court-proven ways to analyze writing styles in signatures and some more forensic methods to analyze paper and pen.

As a side note: every time I get a new passport or ID card I get told that my signature is not OK as it is (apparently not enough recognizable characters), but when confronted with the question of how they would like me to change my signature as seen on all previous documents signed by me, they shut up. I think it's funny because it probably makes it even more unique.


Forging a signature is a crime; that's why a signature has magical power.


It can be used to claim that I didn't sign it either.

Unless it's a master forger. I could look at the document and figure out that the signature wasn't mine.


That I can tell you in just one word ... tradition!



