Signatures Seem Useless

There are two types of signatures, the one written with a pen on paper and the cryptographic one. I want to argue that the former kind has many issues.

When I pay with my debit card in a store I occasionally have to sign a receipt. The cashier sometimes takes a look at my signature and compares it to the one on the back of the debit card. Sometimes they are not satisfied and want to see my ID document and just compare my face with the picture and the names on ID and debit card. The signature on the receipt is only checked if a charge is revoked with the bank and the supermarket has to find the receipt to show that it did nothing wrong. I presume that the issue is then settled in a court setting where a handwriting specialist appears as an expert witness and determines whether the signature is legitimate. Or the amount is not worth the hassle and the supermarket just takes the loss.

Signing a contract is similar. The company on the other side has no reference of my signature, so I can just sign however I like. Only when there is a serious issue the signature might be compared in a court setting. It becomes interesting when a contract is filled out on the computer and printed, then signed. Sometimes one does edits to the typed content and one should sign off these changes with a small signature or initials. This way the other side knows that these were made by me.

But do they? Forging initials seems to be pretty simple, especially when the company has only a few words written in my handwriting. Also somebody could just exchange a page in the contract and re-type it on the computer. The integrity of the document was never really there. The signature just gives the impression that it is legitimate, not certainty.

The fundamental issue is that the signature at some patch of paper does not prevent further changes to the document. A cryptographic signature does exactly this. I have signed the source code of the front page of my website with my private PGP key and this is the signature:

-----BEGIN PGP SIGNATURE-----

iQIcBAABAgAGBQJaxe2rAAoJEKdLQbJouKqQXK4P/0WlIW9xLBtitk0lU1zQgn/H
im8FGq2o3XIr8AQ6n3Q//bDwlRGsdIsY+QCZVhXtMoA8487xgJqS9I+V9Ox8JGqx
C9S3XW+uL7HAjHHv590fMrMUgXoNWfoG7b+k77HwwYQkKUL0kkSV7jdaxHoA245L
nbkYefeEU/P1nz/4Yk/iTJaXgvAAJ/614IIi9+UFJDN6vBK/8BGB8FB5Vf4sW79+
hfdn/hi1TjbkaH5p2kkcqll6XX8mAmaL4BYkoxgcsgreiOW4xmkfGeA+Ee+kVea8
bM2QZ11GyFvH/zco+HIa+GhdVK5zTE2Qnswj0J4R1RuAXPAEZB5c9uSe6WVq65B0
nVq3X/tWFdZl3LroyFSHx21ZrLeN5rv0EkPnuKCnBD32n3ucs4QZ3qxksJ967o8E
YFtS4ycIXz5QZQ8brrMkSDbmGKYsyiCnqk02DO++oMjCPOh4V5EAIAH0zOJTxRsZ
LEEOVmtTuSGCZprgNe/3o9Win9DAKXcOVLIrYhM6r4KgIf7kO5IghWT6WguVePL/
q/a/3G6SGCoBWTbc0IXZt8pN4PUEFKnGO0vi61Ot8qgjHVeTBI/23bzr1owjLc8u
WW3NMhJvNXEy8cXEUBBWgWK6ElXiZhVK4GQqoIcLxklrg/56VpPY4YwxtLm/h1Kw
ZVIJglkohxItAmcmCz26
=gA6p
-----END PGP SIGNATURE-----

Unless there is a flaw in the cryptography or one has unseen amount of computing power, there is no way to change the document without the signature becoming invalid. This is exactly what one wants but does not get with a signature on paper.

Now even better, every person with a German ID card in principle has a public-private key pair which is generated by the government. This might not be the ideal setting for private communication, but it certainly seems like a great way for signatures of official documents and contracts. The other party would know that it is my signature because the government checked this when I got my ID.

But the reality is that such a signature is either not legally accepted or the companies have no clue about cryptographic signatures. Instead I saw various backwards approaches to digitally signing contracts. The most amazing one comes from a company named InSign. They offer a service to sign PDF documents in a legally binding way. The process works as follows:

  • The company or agent prepares the contract for you.
  • You are send an email with the URL to the signing process.
  • You also receive a second email with the password to the signing process.
  • You open the URL in a browser and read through the document.
  • You click on the signature field of the form and are displayed a code. This is entered on your smartphone into the InSign app.
  • On the smartphone, you write your signature with your finger on the screen. If you have one of the rare smartphones with a stylus, your signature will actually be legible.
  • The process is finished and the document is send back to the agent.

This appears so backwards to have a handwritten signature on a computer screen, it is just an image file associated with that field. But unlike a signature on paper, it is really easy to just copy this signature into a different document. Also if you already have this much code written, a simple RSA signature would be much easier to implement.

Then there is this thing with the two emails. With credit cards and PIN codes it makes sense to have two letters. The PIN is mailed first and the card a few days later. An attacker would have to go through your mail on several days. Also once they find the envelope which contains the hard card, they will already have missed the PIN code. But sending two emails to the same account gives no additional security, it is security theater.

But apparently this is exactly what you need in order to have a legally binding digital signature. I use this process because it is no worse than the paper signature but saves me time and cost.

Why don’t we have a system where you just sign the PDF file with your national ID card and be done with it?