Digital Identity Basics
Digital Identity
Similar to a passport in electronic form, a digital identity (digital ID) allows you to securely prove that you are who you say you are – such as when e-signing a document. Each digital ID is backed by a digital certificate issued by a trusted 3rd party, such as a bank or government, after thoroughly verifying your identity.
Using a digital ID provides a higher level of assurance that you are the person who authorized your e-signature on a specific document.
- Digital Certificates - A digital certificate (or public key certificate) is an electronic representation of data associated with a person or organization based on the X.509 standard maintained by the International Telecommunication Union (ITU). A digital certificate is often stored in a password-protected file on a computer or network, USB token, smart card, or other security hardware device.
- Certificate Authority (CA) - A certificate authority or certification authority (CA) is an entity that issues digital certificates which can be used for e-signing and certifying documents.
- Trust Service Provider (TSP) - A trust service provider (TSP) is an organization that provides secure identity and transaction, registration authority, certificate authority, and/or time stamp authority services. TSPs issue the digital signing certificates used to create and validate digital signatures. Adobe Sign lets organizations choose from multiple TSPs to sign and time stamp documents and utilizes trust lists, such as the Adobe Approved Trust List (AATL) and the European Union Trusted Lists (EUTL) that are natively incorporated into Adobe software.
- Qualified, regulated, or certified trust service provider (QTSP) - A regulated, certified, or qualified trust service provider (QTSP) is a TSP that has been certified by an accredited auditor as meeting the requirements for providing digital certificates used to create the highest quality of digital signatures, such as a qualified, reliable, valid, secure, or certified e-signature. For example, in the EU, only a QTSP can issue the digital certificates required to generate a QES that is recognized by all EU Member States. Depending on the country, the term used in regulations may vary.
- Identity Provider (IdP) - An Identity Provider (IdP) is usually a government or private sector organization (such as a bank) that provides a locally trusted digital identification service. During the onboarding process, the individual's identity is thoroughly verified before they are issued a digital ID that can be used for everyday financial or other citizen transactions and to sign documents in Adobe Sign. For more information on which IdPs are available for use in Adobe Sign, please see the Cloud signature identity providers (IdP) article on adobe.com.
Signature Types
- e-Signatures - An electronic signature (or e-signature) is the simplest, most basic form of e-signature and usually includes little or no additional signer identification beyond an email address. This type of e-signature may also appear in graphical formats, such as an image of a handwritten signature. Signatures vetted by email, password, phone authentication (SMS), and one-time passcodes all fall into the category of a simple e-signature.
- Digital Signatures (Certificate-based) - Although sometimes used interchangeably with "electronic signature," the term "digital signature" refers to an electronic signature that is generated using a digital certificate. Digital certificates used for this type of e-signature are typically issued by a trust service provider (TSP) or certificate authority (CA) after thorough verification of an individual's identity. Digital certificates and the resulting digital signatures are unique to the individual and, depending on the level of identity verification, virtually impossible to spoof.
- Qualified Signature (QES) - As defined in EU law, a qualified electronic signature (QES) is a digital signature backed by a specific digital certificate issued by an accredited, qualified trust service provider (TSP). This type of highly secure digital signature is defined in regulations in many countries worldwide and may be referred to as a reliable, valid, secure, or certified e-signature. Even if the text of the regulation doesn't use the same terminology, laws around the world prescribe the same level of security and technology (PKI) to bind the signer's identity and time signed to the digital signature field with cryptography. Depending on the country's law, a qualified, reliable, valid, secure, or certified e-signature is usually considered legally equivalent to a handwritten signature.
- Certification Signature (Acrobat) - A certification signature is the first signature in a document where the user has indicated the choice to "certify" the document. Certifying the document provides greater control over how the document can be updated by subsequent signers, limiting the possible actions to annotations, form-filling, and application of additional (approval) digital signatures.
- Approval Signature (Acrobat) - An approval signature is a digital signature applied to a document that does not certify the document nor limit further actions by subsequent signers.
- Digital Seals - Where a digital signature is used for an individual to apply a personal signature to a document, a digital seal is used by an organization to certify the integrity of any digital asset, including software code, servers, or documents as being from that legal entity. Both digital signatures and digital seals utilize a digital certificate. Each digital certificate contains a field for the subject name which is used to identify:
- The name of an individual (for a digital signature)
- A group/department or organization (for a digital seal)
For example, the Adobe Sign environment applies a digital seal (or qualified electronic seal) to ensure origin and integrity for every signed document or audit report each time it is exported as a PDF. The digital seal is shown as a blue bar at the top of the document. Depending on the shard on which the Adobe Sign account was provisioned, different digital certificates are used to create the digital seal:
► NA1 and all other shards use DigiCert
► EU1 uses Intesi Group
► IN1 uses Emudhra
- Cloud Signature - A cloud signature is a digital signature where the signer's digital certificate is securely stored in the cloud by a trust service provider (TSP). Each cloud signature uses the protocols outlined in ETSI Technical Specification 119 432 to generate a remote e-signature using digital certificates that are provided as-a-service in the cloud. Compared to traditional methods based on smart cards or USB tokens, a cloud signature allows signers to apply highly secure, trusted digital signatures directly from a mobile device or browser.
Adobe Trust Programs
- AATL - The Adobe Approved Trust List (AATL) is a global network of certificate authorities (CAs), trust service providers (TSPs), and timestamp service partners. The AATL program allows hundreds of millions of users around the world to verify digital signatures based on the PDF standard seamlessly. When a PDF file, signed with a certificate that is trusted in the AATL, is opened in Adobe Acrobat or Reader software, the signature is automatically verified without requiring any additional configuration. For more information, see https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html.
- EUTL - European Union Trusted Lists (EUTL) are public lists of trust service providers (TSPs) that are accredited explicitly as providers of trust services according to the EU eIDAS regulation. These providers offer certificate-based digital IDs for individuals, digital seals for organizations, time stamping, and other services that meet a qualified level of trust, such as a qualified electronic signature (QES). Adobe is EUTL-certified as a qualified trust service provider (QTSP) for timestamping.
Open Standards
- Portable Document Format (PDF) - A file format Adobe originally developed in 1992 to deliver text and images in a manner that is software, hardware, and operating system agnostic. In 2008, the PDF format became the ISO 32000 standard. The ISO specification defines signature types (approval and certification), how a signature message digest is embedded in a PDF, and other PDF details which influence signature workflows and behavior.
- CSC - The Cloud Signature Consortium (CSC) is a forum of industry and academic organizations committed to creating a global market for cloud-based digital signatures that support web and mobile applications and comply with the most demanding electronic signature regulations in the world. The CSC develops and maintains a standardized API specification for building remote signature applications (cloud signatures) and helps facilitate a growing interoperable ecosystem of trust service providers (TSPs). Cooperating with ETSI to create standards for remote electronic signatures, the CSC API standard has been incorporated in ETSI Technical Specification 119 432. For more details, see https://cloudsignatureconsortium.org/
- OpenID Connect (OIDC) - OpenID Connect is a decentralized authentication protocol that extends OAuth 2.0, adding an identity layer that allows users (signers) to leverage a third-party identity provider (IdP) when authenticating to a cooperating site. OIDC and OAuth 2.0 combine to enable a single solution for web browsers, mobile applications, and API-based authentication requests, removing the need for site owners to develop and maintain their own ad hoc login systems.
- PKI - Public key infrastructure (PKI) is a system for the creation, storage, and distribution (and revocation) of digital certificates that can be used for various purposes, such as securely verifying a user's identity and the integrity of a signed document. PKI relies on asymmetric cryptography (also referred to as public-key cryptography) to generate pairs of public/private keys that together are used to encrypt and decrypt information bound to a document. In Adobe Sign, PKI is used for digital signatures and document seals. Digital signatures leverage PKI to secure signing processes with a digital certificate issued to the signer from a trust service provider (TSP). Document seals leverage PKI to bind a digital seal to a signed document or audit report each time it is exported from Adobe Sign.
Compliance
- Legality kit - Information about e-signature laws and regulations around the world can be found in the Adobe e-signature legality kit, which includes more than 60 country pages. The Adobe e-signature legality kit is available in English and only accessible from the U.S. Adobe.com website.
- E-signature framework - The Adobe e-signature framework is a publicly available tool designed to help customers analyze the connections between the type of e-signature, document category, knowledge of signer (status), and signer identification methods for e-signature use cases (or exceptions). The purpose is to augment existing risk analysis processes, help organizations think critically about e-signature policies, and provide a basis for more productive internal discussions about e-signature policies.
- Time Stamps and Long-Term Validity (LTV) - Time stamps are a critical component of the US and EU signature compliance standards when applying digital signatures.
The time stamp acts as a locking mechanism for both the signer's identity and the document itself. Identity can be established in many ways (certificate, logon, ID card), but a trusted and authorized time-stamping authority (TSA) has to provide the time stamp.
The time stamp guarantees the Long-Term Validity (LTV) of the signed agreement by locking the signature as well as the document, essentially providing a lock for the lock. This is critical for digital signature compliance because personal signing certificates can expire, while the time stamp LTV can be renewed over time without changing the validity of the signature. The LTV time stamp assures the certificate was valid when applied and extends the validity of the signed agreement beyond the time scope of the signer’s actual certificate.
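The following is an added example, not code from Adobe Sign or the original page, showing the validation rule behind the PKI and time-stamp entries above: a signature whose signing certificate has since expired still validates when a trusted TSA time stamp proves it was applied inside the certificate's validity window. The certificate, TSA token and trust list are constructed dataclasses, and the asymmetric signature value is stood in for by a SHA-256 message digest of the document, so what is demonstrated is the validity-window logic rather than a real CMS verification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

TRUSTED_TSAS = {"example-tsa"}  # constructed trust list of time-stamp authorities

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Certificate:          # X.509 subject name plus validity window
    subject: str
    not_before: datetime
    not_after: datetime
    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

@dataclass(frozen=True)
class TimeStamp:            # TSA token: attested time bound to a signature digest
    tsa: str
    time: datetime
    covers: str

@dataclass(frozen=True)
class Signature:
    cert: Certificate
    doc_digest: str         # message digest embedded in the PDF
    time_stamp: "TimeStamp | None" = None

def sign(cert, document, tsa=None, signing_time=None):
    digest = sha256_hex(document)   # stands in for the private-key signature value
    ts = TimeStamp(tsa, signing_time, sha256_hex(digest.encode())) if tsa else None
    return Signature(cert, digest, ts)

def validate(sig, document, now):
    """(is_valid, reason): no time stamp -> cert must be valid now; trusted stamp -> valid when signed."""
    if sha256_hex(document) != sig.doc_digest:
        return False, "document changed after signing"
    ts = sig.time_stamp
    if ts is None:
        return sig.cert.valid_at(now), "checked against current time only"
    if ts.tsa not in TRUSTED_TSAS:
        return False, "time stamp from untrusted TSA"
    if ts.covers != sha256_hex(sig.doc_digest.encode()):
        return False, "time stamp does not cover this signature"
    if not sig.cert.valid_at(ts.time):
        return False, "certificate not valid at attested signing time"
    return True, "valid (LTV): certificate valid at time-stamped signing time"
```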