The authenticity of a document can be proven digitally. Documents can also be signed digitally. But how does this work, and what is the difference between an electronic seal and an electronic signature? An overview of the various procedures.
Download the form, print it out, sign it, scan it and send it as a PDF. How often have time-consuming processes like this got on your nerves? In the context of digital working, media disruptions can cause issues when documents need to be signed in a legally binding way.
It’s no wonder that the need for purely digital processes has grown among companies, public authorities and private individuals. Contracts, application forms, medical prescriptions, invoices – interactions between companies and their clients and business partners are increasingly processed digitally. This reduces the administrative burden and makes cooperation easier and more efficient for everyone involved. At the same time, when it comes to digital processes, it is important to protect documents from manipulation and, in doing so, protect customers from attempts at fraud.
A look at security problems using the example of QR invoices
Imagine that your client receives a digital QR invoice, which appears at first glance to come from your company. But who’s to say that this is not a fake invoice from a criminal sender?
Scenarios like this affect companies and customers from all sectors and of all sizes time and again. As the QR code contains all the payment details, it can be manipulated so that the money is transferred to another recipient and the amount is changed. For companies and their customers, this can lead to considerable additional costs and even serious reputational damage. Dealing with digital documents, such as QR invoices, therefore requires sound protection against misuse. This protection can be achieved by enabling all the parties to verify who sent the documents and that the content has not been altered.
This article presents five ways in which companies can validly sign digital documents. It also explains how clients and business partners can verify the authenticity and unalterability of the documents they receive.
An electronic seal as a digital signature
Companies have the option of attaching an electronic seal to files. This is like a digital company stamp and is equivalent to an advanced or qualified electronic signature for natural persons (more on this below). Electronic seals serve as evidence that the document (a contract, an invoice, a picture, etc.) has been issued by a particular organisation, and also prove its integrity and origin. The recipient has an assurance that the document is authentic and has been issued by the expected sender. Furthermore, the seal proves that the actual content has not been changed (integrity).
Like any digital signature, the electronic seal is based on asymmetric (public-key) cryptography. This procedure uses a public and a private (secret) key. The private key creates the digital signature, while the public key is used to check the authenticity of the signature.
Blockchain-based electronic seals
The blockchain-based electronic seal is a further development of this technology that likewise demonstrates the integrity and origin of a document. The hash value (“fingerprint” or verification code) of the document is stored in the blockchain in a tamper-proof manner. This seal can certify individual files or transactions, and can also be used for mass processing.
Recipients can check whether the hash value of a document is the same as that stored in the blockchain. “As blockchain technology is used in this case, the saved entry is sufficient for authentication by customers. Demonstrating unalterability is precisely the purpose of blockchain,” explains Nicole Sigrist, Head of Customer Success & Projects at Swisscom Blockchain. Returning to the example of the QR invoice, in this case the seal is stored in the blockchain immediately after the invoice has been drawn up. The recipient can verify the authenticity themselves.
Swisscom Blockchain’s Electronic Seal
Swisscom Blockchain’s Electronic Seal stores the unique fingerprint of a certified document using the Swiss Trust Chain, Swisscom and Swiss Post’s highly secure blockchain infrastructure. This cost-effective solution makes it possible to store 1,000 seals per second, and can be scaled for any volume required. This not only allows you to sign PDFs, but to exchange all types of data with your clients in a certified manner. Revoking a seal (declaration of invalidity) is also straightforward. Your clients can validate the fingerprint with a few clicks.
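The fingerprint check and revocation described above, sketched as an added example (not Swisscom's code or API). It assumes SHA-256 as the fingerprint and uses a hypothetical in-memory, hash-chained `SealLedger` as a stand-in for the blockchain; the invoice bytes are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64

def fingerprint(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()  # the document's "fingerprint"

def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SealLedger:
    """Hypothetical append-only, hash-chained log standing in for the blockchain."""
    def __init__(self):
        self.entries = []

    def _append(self, action: str, doc_hash: str, issuer: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"action": action, "doc_hash": doc_hash, "issuer": issuer, "prev": prev}
        self.entries.append({**body, "entry_hash": _entry_hash(body)})

    def seal(self, document: bytes, issuer: str) -> str:
        doc_hash = fingerprint(document)
        self._append("seal", doc_hash, issuer)
        return doc_hash

    def revoke(self, doc_hash: str, issuer: str) -> None:
        # Issuer authentication is out of scope here; a real seal binds it to a key.
        self._append("revoke", doc_hash, issuer)

    def chain_intact(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify(self, document: bytes, expected_issuer: str) -> str:
        """Recipient-side check: 'valid', 'revoked', 'unknown' or 'ledger-tampered'."""
        if not self.chain_intact():
            return "ledger-tampered"
        doc_hash, status = fingerprint(document), "unknown"
        for e in self.entries:  # later entries (a revocation) override earlier ones
            if e["doc_hash"] == doc_hash and e["issuer"] == expected_issuer:
                status = "valid" if e["action"] == "seal" else "revoked"
        return status

# Constructed sample invoice payload (placeholder values, not a real QR-bill).
INVOICE = b"Creditor: Example AG\nAccount: PLACEHOLDER-IBAN\nAmount: CHF 1250.00\n"
TAMPERED = INVOICE.replace(b"1250.00", b"9250.00")  # altered amount
```

Sealing `INVOICE` and then verifying `TAMPERED` returns `unknown`, because a single changed byte yields a different fingerprint; the recipient has to recompute the hash over the exact bytes received.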
Simple electronic signatures
According to the federal law on the electronic signature, simple electronic signatures are data that is “attached to, or logically linked to, other electronic data for authentication”. This includes signatures applied to a PDF document in Adobe Reader, for example. The certificate, which is produced in the background, merely ensures the integrity of the document. If validated, the certificate only confirms that the document has not been changed between the moment of signing and the moment of opening.
A simple electronic signature does not therefore serve to identify a person. It thus offers the least legal certainty and is primarily suitable for signing documents internally within a company, or for proving that a document has not been altered.
Advanced electronic signatures
Unlike a simple electronic signature, an advanced electronic signature can be used to identify individuals: the certificate issued upon signature assigns the signature to the person who signed the document. This means that they have sole control over the means by which the signature is attached. This may be a SIM or a smart card, which contains a user identification certificate and an electronic signature certificate and is used in a card reader or USB stick. Alternatively, you can enter all the necessary data on your mobile phone and receive a code for authentication by text message. The methods must make subsequent changes to the data visible.
Qualified electronic signatures
A qualified electronic signature has, in principle, the same characteristics as an advanced signature, but is based on a qualified certificate issued by a recognised provider. For example, Swisscom’s Signing Service generates new certificates and signature keys in the cloud for each signature process. Authentication takes place via a mobile ID-capable SIM card over a mobile phone.
In Switzerland, KPMG verifies whether the certificates issued by the signature provider meet the requirements not only for advanced but also for qualified electronic signatures. Qualified certificates must be marked as such. In addition, unlike advanced signature certificates, they are issued exclusively for one natural person and may only be used for an electronic signature. Only qualified signatures are defined in Swiss law (Art. 14 (2) bis OR). Only a qualified electronic signature is legally equivalent to a handwritten signature.
For most contracts, there are no formal requirements in Switzerland. The signature serves as a form of assurance for the contractual partners and a qualified electronic signature is therefore often used, as it provides the highest level of security. For some types of contract, this is even mandatory, for example for consumer credit agreements, assignments of claims or post-contractual bans on competition.
Ultimately, however, it sometimes remains a matter of discretion, although economic factors usually make qualified electronic signatures the obvious option. “Unlike in the past, the cost of identification is hardly a factor when it comes to qualified signatures,” explains Benoit Strölin, Head of Product & Innovation Management at Swisscom Trust Services. At the end of the day, one thing is certain: with qualified electronic signatures, you can stay on the safe side when it comes to digital contracts.