Thursday, September 30, 2021

Digital Signatures or Block Chain - Which is more suitable for Education Credentials?

Digital Signatures based on public-key algorithms are an established technology for authenticating documents. A more recent alternative is based on Distributed Ledgers (Block chain). Here we explore which option is more suitable for authenticating Educational Credentials such as those issued by universities, colleges, etc. in India.

Digital Signatures: 
1) Signing Certificates are issued by designated Certifying Authorities after a detailed verification of identity of the Signature Holder. This ensures that impersonation of the Signature Holder (Universities / Colleges) is ruled out. 

2) The Signature Holder can use the Signing Certificate to sign documents, and this requires two-factor authentication. If a Certificate is misplaced or compromised, there is a process to revoke / cancel such a Signing Certificate, thereby rendering it useless.

3) A Signed document can be verified simply by opening it in Adobe Reader. The Signature Panel immediately shows whether the document is signed and whether it was modified after signing, and the identity of the Signer can be verified via the same panel. There is no need to upload the document anywhere or visit any website. Verification of documents in bulk can also be automated.

4) Signed Documents cannot be tampered with without breaking the Signature, and therefore these can be uploaded to repositories. The Govt therefore correctly selected Digital Signature Technology for its repositories such as Digilocker and NAD.

5) Digital Signature implementations come at significantly lower costs since there is no need to maintain distributed ledgers, etc. 

Block Chain:
1) There is no Govt body that governs or defines how the identity of a block chain participant is to be verified.

2) Every time one needs to verify a document, it has to be uploaded to a specific website. This in turn brings the risks associated with phishing. 

3) Block chain is not compatible with various initiatives of the Govt including Digilocker. 

4) The costs associated with Distributed Ledgers are always higher. 

5) Finally, there is no legal framework in place governing Block-chain documents. 

To summarize, Educational institutions in India are better off authenticating their documents with Digital Signatures as opposed to using distributed ledgers / block chains.

Monday, June 7, 2021

Pitfalls of Signature Annotations

After the previous blog on "Collaboration" during the Signing process, a question was asked whether it is a good idea to permit a Signer to insert annotations into the document being signed. Technically, "annotations" are also "edits".

Ask yourself the simple question: Can a particular Signer enter the annotation "Do not accept 2), 5), 6)" on the document when he / she signs it?

If a system allows a Signer to insert such an annotation while signing, ask yourself if you want to permit such a thing!

Wednesday, May 19, 2021

Collaboration must end before Signing can begin

As the adoption of electronic Signatures increases, a frequently asked question is whether it is a good idea to permit collaboration / editing of a document while it is being signed by multiple parties.

In general, when confronted with any such question, it is best to ask what makes sense in the physical world. Electronic Signatures are also signatures and the common sense precautions that apply to physical signatures apply to them as well.

Imagine a situation wherein a document is to be signed by 3 persons - A, B and C. Suppose it has already been signed by person A. Would it be OK to allow the next signer, person B, to make edits / insertions on the document before he signs it? Indeed, would it be OK to allow B to annotate anything on the document other than his signature? The answer is clearly "NO". The reason is that no change to the document can be made without the concurrence of A, who in this case has already signed the document and therefore isn't a party to the subsequent changes, howsoever minor they may seem. Indeed, A's signature should be invalidated by any subsequent edits made to the document. The same applies to Electronic Signatures as well. Ideally, no edits / insertions / annotations should be permitted in a document once it is electronically signed by even one of the signatories. In fact, any good system would expressly prevent such edits / insertions. Any "collaboration" has to happen before the process of signing begins, and should end before the first signature is inserted.

Further, it is only common sense that a good Electronic Signing System should not permit the download of partially signed documents. So, signatory B or C should not be able to download a document signed only by signatory A. The document should be made available simultaneously to ALL signatories ONLY after it has been signed by all parties. The document should be invalidated the moment any of the signatories refuses to sign it.
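The rules in this post and in the annotations post above can be enforced in code. The following is an added sketch, not code from this blog or from any signing product: `SigningSession` and its methods are hypothetical names, and HMAC-SHA256 with a per-signer secret stands in for a real certificate-based signature so that it runs with the Python standard library alone.

```python
import hashlib
import hmac


class SigningError(Exception):
    """Raised when a workflow rule is violated."""


class SigningSession:
    # Hypothetical signing envelope: edits end at the first signature,
    # release happens only when every signatory has signed.
    def __init__(self, content, signer_keys):
        self.content = content
        self.keys = dict(signer_keys)  # signer -> secret (stand-in for a certificate key)
        self.signatures = {}           # signer -> tag over the document digest
        self.void = False

    def _tag(self, signer, content):
        digest = hashlib.sha256(content).digest()
        return hmac.new(self.keys[signer], digest, hashlib.sha256).digest()

    def edit(self, new_content):
        # Annotations are edits too: nothing may change once anyone has signed.
        if self.void or self.signatures:
            raise SigningError("document frozen: collaboration ended at first signature")
        self.content = new_content

    def sign(self, signer):
        if self.void:
            raise SigningError("document invalidated by a refusal")
        if signer not in self.keys or signer in self.signatures:
            raise SigningError("unknown signer or already signed")
        self.signatures[signer] = self._tag(signer, self.content)

    def refuse(self, signer):
        # One refusal invalidates the document and discards earlier signatures.
        if signer not in self.keys:
            raise SigningError("unknown signer")
        self.void = True
        self.signatures.clear()

    def download(self):
        # No partially signed copies: release only after ALL parties have signed.
        if self.void or set(self.signatures) != set(self.keys):
            raise SigningError("not released: all signatories must sign first")
        return self.content

    def verify(self, content):
        # Any byte changed after signing makes every recorded signature fail.
        if self.void or not self.signatures:
            return False
        return all(hmac.compare_digest(tag, self._tag(s, content))
                   for s, tag in self.signatures.items())
```
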