Digital Signature Capture FAQs

What is the difference between an Electronic Signature and a Digital Signature?

"Electronic Signature" is a generic, technology-neutral term that refers to the universe of all of the various methods by which one can "sign" an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics); a secret code or PIN to identify the sender to the recipient; a code or "handle" that the sender of a message uses to identify himself; a unique biometrics-based identifier, and a digital signature (created through the use of public key cryptography).


"Digital Signature" is simply a term for one technology-specific type of electronic signature. It involves the use of public key cryptography to "sign" a message and is perhaps the type of electronic signature that has generated the most business and technical effort, as well as the most legislative attention.


SIGNificant combines the handwritten electronic signature with the PKI digital signature to achieve a binding signature process using the familiar handwritten signature. It also enables electronic signatures based, for example, on SMS validation for Web transactions.


What is a biometric handwritten signature?

A captured handwritten signature looks identical to a person’s original, wet-ink signature. But, should one use the xyzmo digital signature suite, it is much more than merely an electronic image. SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. Once a signature, including all the biometric parameters, has been embedded into a document, it is turned into a signed and sealed PDF. Anyone can verify the signature and content integrity anywhere and at any time. Thus, unrecognized, post-signing manipulations are impossible.


SIGNificant creates a specific personal profile for each individual. The personal profile is a biometric analysis of a person's signatures over time. A person's two signatures can never be the same, but the degree of signature fluctuation is unique per individual. SIGNificant detects each individual's unique fluctuation and fine-tunes each personal profile over time.


Can documents signed by SIGNificant be viewed and verified by users who don't have SIGNificant installed?

Yes. Viewing the handwritten signature and verifying the digital signature can be carried out by any user using the free Acrobat Reader. The signature block will be visible, and it is possible to verify the authenticity of the signature or document with Adobe Reader.


What happens if one's signature changes over time?

All signatures naturally change over time. SIGNificant recognizes the natural fluctuations in a signature and verifies that it still belongs to that person. Because the SIGNificant engine updates the personal profile as each new electronic signature is added, it detects the natural changes or drift that occurs in each individual's signatures over time.


Can the signature verification engine support long signatures?

Yes. There is no limitation on signature length. In fact, a long signature creates a higher complexity level, making the signature profile more secure.


I have two different signatures. How will the engine be able to authenticate me?

You will have to create two user names and assign each signature to a specific name.


Can I change my signature?

You may re-enroll anytime with a new signature.


Can I install the tablet myself?

Yes. The tablet, the demo and the client application are very simple to install and come with an automatic setup utility. Installing the server application, however, requires the knowledge of a system administrator.


How is this different from fingerprints and retinal recognition?

The act of signing a document has long been accepted by nearly every culture as one’s recognition of and agreement on the contents. Although we never sign exactly the same way twice, the signature adheres within certain boundaries unique to each individual. This is a huge difference from fingerprints or retinal patterns, which remain constant over time. The execution of a person’s signature will always be unique and individual at that particular moment and for each individual document.


How does the xyzmo Time-Stamping Authority work?

A dedicated document (linked below) describes the policy under which the xyzmo Time-Stamping Authority (TSA) is operated. This includes operational security, maximum time deviation, availability and the timestamp signing certificates. With this TSA and appropriate signing software, any electronic document or file can be equipped with a timestamp (see http://en.wikipedia.org/wiki/Trusted_timestamping). To create a timestamp, only a hash value of the document is sent to the TSA, not the document itself. Please read the linked document for more information.


SECURITY

Can a captured signature from a signature pad be forged?

SIGNificant records the handwritten signature of a person by parameters of pressure, acceleration, speed, and rhythm. These parameters are unique to every individual and cannot be easily reproduced by a forger. A forged signature is usually created either by tracing an existing signature or by trying to re-create the signature from memory. Either way, a forged signature is either "accurate and slow" or "fast but inaccurate". SIGNificant records the time it takes someone to write their signature, so a side-by-side comparison of a genuine signature and a forgery is quick and simple: typically the forgery either looks visually correct but its timing is slower, or its timing is correct but it is visually inaccurate. Of course, the speed at which someone produces a signature is not the only characteristic considered when analyzing possible forgeries; others include the size, connecting strokes, and proportions of the original signature. All of these parameters are recorded by SIGNificant and are retrievable by a forensic examiner, should the need ever arise, using the PenAnalyst tool that is provided with the suite.


How can I be sure that my signature is not transferred to an unauthorized document?

The document contains a captured signature that has been encrypted (RSA 4096 + AES256). A person's signature is encrypted immediately as it is captured by the signature pad, using the public key of a special certificate. This special certificate is selected by the company using the xyzmo suite, and its private key is typically stored in a secure environment outside the company (bank safe, external notary, etc.). Thus, xyzmo itself has NO access to this certificate. For the encryption of signatures, the xyzmo suite needs only the public key of the certificate; the private key is required only for decryption and for extracting signatures from a document. Only specific people, to whom the company has granted access to this certificate, are able to decrypt the captured signature data using the PenAnalyst tool, which is provided as part of the suite. This tool was developed in consultation with forensic experts and is useful in legal disputes for proving who signed a particular document. Furthermore, each captured signature is bound to a specific document ("document binding"): a unique "fingerprint" is generated for each document and stored together with the captured signature. Thus, it is easily possible to prove within PenAnalyst that a certain signature really belongs to a particular document.


What if my signature transmission is traced and re-sent later?

Only with considerable criminal effort, in-depth technical knowledge of the specific customer installation and the signature pad in use, and unsupervised access to the computer is such a replay theoretically possible. Compared with how easy it is to fake a signature on paper, this represents a very large effort.


End-to-end security is only possible with the right signature pad in place. The processor of the SIGNificant ColorPad, for example, contains the public key of a second key pair (RSA 2048-bit). With this key, the biometric data is encrypted inside the pad itself. This ensures that highly sensitive information can never be viewed in decrypted form in the unsafe "computer" environment (e.g. main memory). The private key of this second key pair is deposited safely with a notary public or in a safe deposit box of your choice. With this setup, full end-to-end security is possible.
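The hybrid scheme sketched in the two answers above, as an added example that is not xyzmo's code: the capture side (pad or client) holds only an RSA public key and seals the pen data under a fresh AES-256 key, the document fingerprint is authenticated together with the ciphertext, and only the holder of the escrowed private key can open it, and then only against the document it was sealed for. RSA-OAEP, AES-256-GCM, a SHA-256 fingerprint and the SealedSignature layout are assumptions; the page states only "RSA 4096 + AES256".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedSignature is the blob embedded in the signed PDF (assumed layout): the document
// fingerprint, the AES-256 key wrapped with the company's RSA public key, and the AES-GCM
// ciphertext of the raw pen data (pressure, speed, rhythm samples).
type SealedSignature struct {
	DocHash                       [32]byte
	WrappedKey, Nonce, Ciphertext []byte
}

// must panics on errors that cannot occur with fixed key sizes or a working crypto/rand.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func aesGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// SealBiometric runs at capture time (in the pad or the client) and needs only the public key,
// so that side never holds anything that could decrypt a stored signature.
func SealBiometric(pub *rsa.PublicKey, document, biometric []byte) (*SealedSignature, error) {
	key := make([]byte, 32) // fresh AES-256 key per captured signature
	must(rand.Read(key))
	gcm := aesGCM(key)
	s := &SealedSignature{DocHash: sha256.Sum256(document), Nonce: make([]byte, gcm.NonceSize())}
	must(rand.Read(s.Nonce))
	// Document binding: the fingerprint is GCM additional data, so a blob moved to another
	// document fails the tag check even if the stored DocHash field is edited to match.
	s.Ciphertext = gcm.Seal(nil, s.Nonce, biometric, s.DocHash[:])
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	s.WrappedKey = wrapped
	return s, err
}

// OpenBiometric is the forensic (PenAnalyst-style) step: the escrowed private key unwraps the
// AES key, and the presented document must hash to the value the signature was sealed against.
func OpenBiometric(priv *rsa.PrivateKey, s *SealedSignature, document []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	docHash := sha256.Sum256(document)
	return aesGCM(key).Open(nil, s.Nonce, s.Ciphertext, docHash[:])
}
```

A transplanted blob fails the GCM tag check rather than a separate hash comparison, so the stored DocHash field is informational for the examiner and cannot be edited to re-bind the signature.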


LOCALIZATION

Can the signature engine accept signatures in different languages?

Yes, the SIGNificant engine has been thoroughly tested in several languages. Among them are: English, German, Spanish, Portuguese, Italian, Dutch, French, Japanese, Chinese and many more.


Can the signature verification engine be localized?

Due to our vast experience with multilingual products (we have translated the software into several languages, including right-to-left, left-to-right and Asian languages), we provide the ability to localize all products without direct access to the source code.


LEGAL ISSUES

How does SIGNificant comply with electronic and digital signature rules and regulations?

Based on a PKI digital signature infrastructure, the SIGNificant electronic signature complies with the prevalent legislation and regulations for both an "electronic signature" and an "advanced electronic signature."
The law defines an advanced electronic signature as one:
(a) which is uniquely linked to the signatory,
(b) which is capable of identifying the signatory,
(c) which is created using means that the signatory can maintain under his sole control, and
(d) which is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.


Basics of e-Signature laws in the US:

The definition of what qualifies as an electronic signature is wide and is set out in the Uniform Electronic Transactions Act ("UETA"). Many core concepts of UETA are echoed in the U.S. ESign Act of Oct 1, 2000. Forty-six US states, the District of Columbia, and the US Virgin Islands have enacted UETA. "Electronic signature" is broader than "digital signature," because "electronic signature" also includes, for example, clicking "I agree". The laws do not elevate electronic signatures, but signatures cannot be denied legal effect just because they are electronic. Studies conducted by Gartner research and by law firms show that a reasonably designed digital signature process, supported by solid technology, can even reduce risk relative to traditional paper-based processes.