One of the tough things about a party-controlled, self-hosted e-signature is that it becomes easier to repudiate because a party to the contract has custody of the platform.
The non-custodial party can claim they never signed, and when the custodial party produces evidence of IP address and timestamp, the non-custodial party may have a credible argument that they are faked and the person asserting those authenticated details has the motive and means to fake them.
That argument is much harder to assert with something like DocuSign because it is unlikely DocuSign would put their business on the line to fake someone's signature.
I'm not saying repudiation based on custody of the e-signature platform is a winning argument, but it's something to consider before self-hosting if you are going to use the platform to sign your own contracts.
The problem is that it would require everyone to monitor the ledger for falsified versions of their own signature. That works a lot better in the world of Certificate Transparency where Google can scan for google.com registrations. It does not scale well to every human being doing that, or outsourcing it.
The fundamental challenge here is that there's no way to tell, based on a the signature alone, which signatures are "valid" and which are "forged"; they're not cryptographic signatures. And getting cryptographic signatures for lay people is apparently too hard to do, outside of Estonia's digital citizenship initiatives.
It might be neat if the big guys agreed on an OIDC extension that let you piggyback text to be affirmed by the user. Cryptographic proof that jane.doe@gmail.com saw text with hash H at time T and chose "Accept".
Wait... You're talking about Git, right? Brilliant idea! You could sign a pull request, and once it's signed, you can then merge the businesses. But how do you show a diff of the signature? And what if it's not for a corporate merger?
But what keeps someone from forking your git repository and insisting that their HEAD is the source of truth? How can we get a globally agreed upon source of truth?
As long as we're talking about non-cryptographic-signatures, the party hosting the e-signing software can claim any signature to have happened at any time. The whole point was DocuSign would be unlikely to do this.
someone should combine a chain of blocks for identity management with one for financial transactions/tokens and one for signature attestation. We could call it the cube chain and usher in web 4.0.....
Yeah, I really like this initiative, but this is not a technology problem. This is a trust problem. The EUJ actually has a not-terrible framework in place around electronic signatures, and _some_ countries are pushing hard for adoption and implementation.
> That argument is much harder to assert with something like DocuSign because it is unlikely DocuSign would put their business on the line to fake someone's signature.
This seems like the claim that the USG will be unlikely to put it's Military on the line so they won't leak any tank designs on discord.
Happy to concede that the CEO of DocuSign wouldn't do this but surely some 15$/h employee doesn't have that same opinion.
The support person should not have that kind of access without auditability and traceability. Even Sundar should not be able to log into a console and read your emails either.
Someone implied that counterfeiting a sig or altering one, etc. was just as easy in Docusign as it would be with on on-site one-party controlled system. It just isn't.
IP addresses and browser User Agent strings are stored for each signature/submission - those are the only measures for 'non-repudiation' currently available.
but i think it doens't differ from other mainstream SaaS solutions - if you read through their terms of services - they put 'non-repudiation' liability on users of their services
From my research this has 0 legal validity, at least in germany in regards to the EU eIDAS. They are just smoke and mirrors for companies to make them "feel" secure but without cryptographic ensurances (Advanced Electronic Signature) or TLS like Signed Cryptography (Qualified Electronic Signature) this is just as legally binding or not binding as an E-Mail
> just as legally binding or not binding as an E-Mail
Which is legally binding. In Germany most contracts are free-form contracts (Formfreiheit) and only need declarations of intent in the form of offer and acceptance. This can be a handshake or even a head shake.
Yeah, it’s not like in the spirit of the law you can perform your part of the contract and then get away with saying “I never agreed”.
In the US, we have a federal law that covers electronic contract signing. I believe it’s part of the UCC? (I’m not an attorney, and that area isn’t one I practice with in tech either.)
What mechanism(s) is used to ensure non-repudiation?
I appreciate that the demo is not behind a sign up wall, but is account creation and email verification required for invitees to sign any documents?
Are IP addresses stored as part of the digital signature?
Any other mechanism?