How to distinguish a fake digital signature from a real one

There are lot misconceptions about digital signatures. Some think that adding an image of a signature to a document is sufficient to legally sign a document. Others know that digital signatures are described in standards, such as PDF 32000-1 and the ETSI Technical Standards TS 102 778 (part 1 to 6).

For those who don’t want to read the technical description and requirements to create a document with a legally binding signature, I’ve made this short movie:

I hope this explains why you should care about making the right choice regarding digital signature software. If you want to know more about this subject, please subscribe to our and you’ll receive the draft of the first 90 pages of our white paper about digital signatures for PDF (the final document will be presented at JAX München).

If you’re less interested in the technical aspects, but you want to know more about the legal aspects, please read this white paper published by the “Office of Legislative Counsel”: Authentication of Primary Legal Materials and Pricing Options (December 2011).

Leave a Comment


Leave a Reply

Bruno Lowagie

Hi Chris,

let’s assume you’re not only applying the signature in Adobe Reader (as is done in the movie), but that you’re also sending the document to a server where a digital signature is applied. In that case, your document is ‘sealed’ in the sense that changing its contents will break the signature.

However: many legislations in different countries in the world will have a problem with such signatures.

1. the document is sent to a server where it is signed. How can you be sure of the contents of that document? Somewhere in-between the document can be changed, something can be added, you can accidentally sign a different document without knowing. For a signature on some documents to be legal, the signer needs to KNOW what he signs. Therefore the signing has to be done on the client-side, NOT on the server-side. In some countries, and for some documents, there’s also a requirement that each page has the initials of the signer to prove that he has seen every page. That’s impossible with digital signatures; the concept ‘to initial a document’ doesn’t exist in PDF: you can’t sign an electronic document on a page per page basis.

2. The document is signed with a keystore that resides on a server. That means that somebody else is managing your identity. If somebody else is managing your identity, that person (or that company) can sign any document in your name. That’s problematic. In some European countries, this problem is solved with our identity card. Each citizen of the country I live in, gets an identity card. That identity card is a smart card containing two key stores (one for authentication, one for non-repudiation) with private keys that can’t be extracted from the card (that is: they can not be copied). We can use the key for non-repudiation to sign documents. We can’t deny we have signed a document if we signed it that way. An eID can only be abused if the person who steals it also knows our pin code. Typically, you’ll notice when your card is stolen (whereas you may not notice when a hacker steals a software certificate). If you’re eID is stolen, you’ll immediately revoke the certificate so that your private key can’t be abused.

See also legal aspects of e-signatures and Don’t be the merchandise: Your Identity is Your Own

Bruno Lowagie

You may think I’m a tad paranoid and you may think I don’t trust my identity with a private company.

But that’s not the issue.

When discussing security hazards, it’s your duty to be paranoid. There are just too many holes in some systems. A server can be hacked so that somebody can take your identity; but even more likely: your credentials can be stolen in order to sign documents in your name.

The only safe way to sign, is using hardware on the client side (smart card or USB token).