An effective Zero Trust architecture is built on a foundation of identity context. Digital signatures support a Zero Trust initiative by cryptographically assuring the identity of the signee, answering questions such as:
“How do you know if the person who signed electronically is who they claim they are?”
“How do you know that the virtual signature (or the document it signs) wasn’t changed after the fact?”
The real-world solution to these questions is as old as time – notaries. Notaries are granted the authority to witness document signing, attest to the identity of the persons involved, and confirm that the document is original and untampered with.
The digital equivalent of a notary is a certificate authority, the system responsible for generating X.509 digital certificates to accomplish all the same functions of a notary (and more – like role-based access control and passwordless authentication, if supported by a cloud PKI like ours).
Is a Digital Signature the Same as an Electronic Signature?
Given that these terms are often used interchangeably, it’s worth our time to lay out some definitions to reduce confusion.
An electronic signature is a broad, catch-all term for any signature applied digitally rather than the traditional method of pen and paper. The US Federal ESIGN Act, which was passed in 2000, granted legitimacy to electronic signatures – provided they meet certain security and compliance standards. The EU’s eIDAS has a similar function, and most signatures are rated to satisfy their requirements as well.
This is where the nuance of the digital signature begins. A digital signature is an electronic signature that meets the requirements established by the above entities, causing it to be classified as a Class 1, 2, or 3 digital signature. Each increasing level of signature corresponds to a proportional increase in security and assurance, due to the increased stringency of the cryptographic standards being applied to the signature.
Types of Digital Signatures
All digital signatures are secured by the principles of asymmetric cryptography that underpin public-private key pairs. It’s not as complicated as it sounds – you can quite easily protect your whole network with the same technology by using a RADIUS authentication server that supports certificate-based authentication like our Cloud RADIUS.
Here’s an overview of the differences between types of digital signatures:
Class 1 Digital Signature – Simple
A simple digital signature is the weakest form of digital assurance (though still stronger than a simple electronic signature). They are characterized by a lack of encryption and simple (or nonexistent) identity verification. They can’t be used for attestation.
Examples of simple digital signatures are checking the “I agree to these Terms and Conditions.” checkbox, your email signature, and a photocopy of a physical signature.
Class 2 Digital Signature – Basic
Basic digital signatures are a little more rigorous, but not by much. They typically don’t provide very high human identity assurance but do include device context related to the signature. However, they are sufficient to secure a document and attest to its authenticity, ensuring that it hasn’t been modified or tampered with.
This makes Class 2 signatures a cost-efficient option for document, code, or email signing.
Class 3 Digital Signature – Advanced / Qualified
Class 3 digital signatures can be either “qualified” or “advanced”; it’s at this stage that a digital signature is useful in a legal context.
An advanced digital signature is one that does positively identify and assure the identity of the author, as well as providing the assurances of the other classes of signature.
The qualified digital signature has all of the above, except that the info must be stored on an X.509 digital certificate distributed by a Qualified Trust Service Provider (QTSP, such as public certificate authorities). Furthermore, that certificate must be stored on cryptographically-secured hardware such as a hardware security module (HSM) or smart-card device (like a YubiKey).
It goes without saying that this class of digital signature is relatively expensive to procure and typically reserved for high-security or compliance scenarios.
Are Digital Signatures Zero Trust?
The hallmark of Zero Trust architecture is constantly validating and revalidating user or device authorization. Zero Trust network security is “perimeterless”, meaning that even once a user or device has been authenticated and allowed past the “perimeter” to “enter” the network, they will still be asked to prove their identity again for each resource they access.
Digital signatures are a key technique for applying Zero Trust to resources that interact with entities outside your network. When sending a digitally signed contract, cryptographic assurance is provided to not just the signature but the document as a whole (called “document signing”), lending both legal authority to the signature and peace of mind that the contract wasn’t intercepted and altered during transmission.
Creating Identity Context with Digital Signatures
X.509 digital certificates are the pinnacle of personal identifiers. They can be configured with a wide range of attributes that add identity context to authentication requests. Common examples of certificate attributes used to identify users and devices are:
- SAN (actually a group of several identity-related attributes)
- UPN (essentially email address)
- First + Last Name
- Device ID (unique ID associated with a device stored in the MDM)
- Group (what group the user is associated with in the directory, such as a departmental group like “Marketing” or “HR”)
- MAC address (less common now as they are often randomized)
With unique identifiers like the above, network admins can easily audit activities by a given user (even across devices, or vice versa).
Do you need a PKI for Digital Signatures?
While it might not look like it from the outside, all electronic signatures invoke some complex asymmetric cryptography in order to remain secure and create a virtual “tamper-proof seal”. The system necessary for this operation is called a “certificate authority”, which itself is but a component of a larger PKI (Public Key Infrastructure).
It’s certainly possible to digitally sign a document or file without your own PKI. There are many websites and applications that offer the ability to electronically sign, even for free, though the type of digital signature and the level of assurance they provide varies.
Whether or not you need an inhouse PKI for your digital signature comes down to two factors:
- The volume of signatures required.
- Increased security to meet compliance/audit requirements.
Cryptographically assuring a signature is a relatively resource-light process, so it scales cost-effectively. On the other hand, it’s expensive to build and operate an entire PKI, so it may make sense to pay on an as-needed basis or seek the services of a Managed PKI vendor like SecureW2.
Digital Signature-Capable PKI with Native Zero Trust
Digital signatures might not feel particularly binding or trustworthy when all you’re doing is typing your first name into a form field. However, some of them have very real legal power – and all of them have very real cryptographic protection against tampering.
Most organizations have a limited need for digital signatures, and for them, the wealth of free browser-based options should prove sufficient. If an organization has a need to generate digital signatures on a daily basis, perhaps for compliance reasons, they may find it cost-effective (or a security necessity) to spin up their own Certificate Authorities (CAs). Rather than building out a whole PKI from the ground up to support a CA, consider using a managed PKI like SecureW2.
In addition to supporting digital signing (and code signing), a PKI will enable you to use certificate-based authentication – a massive security upgrade and quality of life improvement for end-users and admins alike. We have affordable options for organizations of all sizes. Click here to see our pricing.
