How to Digitally "Sign" a document

Question

I don't like paper documents. I like everything stored on a server. I'd like to avoid printing, signing, and scanning, if possible.

How do I get signatures from people to sign-off on forms and still keep it digital?

The purpose of signing is to prove that certain departments have OK'd the document. Most of these people are non-technical.

The ideal is that each person would open the document and type in their name and close the document. The problem is that how do I know that Fred didn't sign for Ralph.

Answer 1

There are legal regulations defining what qualifies as a digital signature (electronic signature, or "eSignature"). In the USA, there is an act called "Uniform Electronic Transactions Act" (UETA), describing how a digital signature is defined and used in legal context.

Basically, the following components may be involved:

1. An electronic document, representing the form with legal obligations when signature is applied.
2. A digital signal (picture, sound, etc.) applied additionally to the above document, serving as a signature, i.e. legally accepted proof of approving the document. (The most straight-forward example is applying a transparent picture of a person's hand-written signature onto a PDF document.)
3. A digital certificate key pair (with validation from approved Certificate Authorities) to "tamper seal" the document. Using the private key to "sign" the document, legal authorities can use the public key to verify the integrity of the document.
4. A "vault" system to store the tamper-sealed document for later legal inquiries.

One may argue that not all of the steps are necessary; however, in certain industries, step 3 and 4 are required by legal regulations, as these are designated to prevent forgery or spoofing. As a result, step 3 is most likely perform by / with a Notary, and sometimes performed together with step 2.

For step 2 and 3, APIs and examples are available on the internet. Adobe PDF's API can deal with both steps, and some open-source components can deal with individual steps. One such example of using an open-source component, iTextSharp, is in CodeProject: E-signing PDF documents with iTextSharp. For more information about eSignature in general, please look at the Wikipedia page Electronic Signature.

Answer 2

There are myriad approaches discussed in Schneier's Applied Cryptography.

Much of what you're looking for comes down to a Digital Signature Algorithm (DSA) - of which NIST has one, asymetric encryption algorithms can provide, etc.

The simple route would be to collect delivery and read receipts on email, but that's not fool-proof.