Author Topic: Signatures - is there any point?  (Read 1576 times)

telstarbox

  • Loving the lanes
Signatures - is there any point?
« on: 06 May, 2022, 02:14:01 pm »
My company is paperless so if a client or supplier asks us to 'sign' a document we drop in a scanned signature into the Word document or PDF and this seems to be accepted by everyone.

I've done the same for some paperwork for buying a house and again no problems there.

So do signatures count for anything any more?
2019 🏅 R1000 and B1000

Re: Signatures - is there any point?
« Reply #1 on: 06 May, 2022, 02:20:55 pm »
Solicitors still often require what they call "wet ink" signatures - so proper ones done with a pen.  I guess that is to prevent fraud as anyone could have got hold of a scanned signature.  We had this at work recently with some  lease documents on our business premises, and one of the signatories lives in Spain which caused a bit of a delay.  Some documents still require the signature to be witnessed, so, again they have to be signed with ink.  I guess a lot depends on who the documents "belong" to, so their rules apply, and how important they are.

Kim

  • Timelord
    • Fediverse
Re: Signatures - is there any point?
« Reply #2 on: 06 May, 2022, 05:54:48 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cryptographic signing is a decades old technology that actually works and is readily available on all mainstream computing platforms, but the only lawyers who understand it work on intellectual property.  Everybody else is working on the "we accept faxes, so if we make the process sufficiently fax-like, it'll do" principle.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSXpcZVT011T8o2KC4h91XBFYKSRAUCYnVUAgAKCRAh91XBFYKS
RM9mAJ0Sk8/WEVrdPBbTrm/AndfNzGJ7sQCePQOzD/PMLPxNmINVDr+Bahm3qrU=
=gcJJ
-----END PGP SIGNATURE-----

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: Signatures - is there any point?
« Reply #3 on: 07 May, 2022, 12:58:29 pm »
Certain government agencies who we shall call DWP for the sake of argument, who run certain schemes for DISABLED people are obsessed with wet ink signatures. However I appear to have managed to LART them into accepting entirely e-comms these days.

I think signatures are silly. I think a graphic of your sig which is a thing at my work is dangerous and silly. But all the digital options aren't straight forward or understandable to the user, so.......

Graeme

  • @fatherhilarious.blog 🦋
    • Graeme's Blog
Re: Signatures - is there any point?
« Reply #4 on: 07 May, 2022, 01:26:00 pm »
Weddings!

I require real signatures when a wedding is booked... confirming the couple are legally entitled to get married. There's no way I'm going to prison for presiding at a marriage I've been misled over.

On the day... legal document and witnesses. All signed in person, and I then write (in pencil in the margin) what the signature says so that the Registrar can complete the electronic copy. Five signatures: the couple, their witnesses and myself.

Edit:

The signatures at the beginning of the process are very important for me... making it clear where the blame lies if a couple are lying to me.

Oddly, the marriage is legal once the vows have been made. The lack of signatures doesn't invalidate the wedding but it does make for a huge headache for all concerned... that is, proving the marriage happened.

.

Kim

  • Timelord
    • Fediverse
Re: Signatures - is there any point?
« Reply #5 on: 07 May, 2022, 01:30:13 pm »
But all the digital options aren't straight forward or understandable to the user, so.......

Signing things is easy.  You just type your password in when prompted.

Verifying signatures is slightly more complicated, but considerably less so than verifying a paper signature.  I mean, normally the way it works for xkcd://1181 compliance testing of wet-ink signatures is that you look to see if there's a scribble that looks roughly equivalent to some reference scribble[1].  If you need further verification, for wet ink you're hiring handwriting analysis expert witnesses or something.  For an electronic signature, you're just checking some random string of ASCII matches some other random string of ASCII (which is probably automated by your email client anyway).

The only reason it's not 'easy' is that Microsoft/Google/Apple haven't made everyone do it[2].  And the reason for that is because the law is still stuck in the fax era.

People not understanding cryptography is as irrelevant as people not understanding law.  They still have to use it on a daily basis.  (You did just now to read this post.)


[1] Authenticating reference scribbles is basically the same problem as authenticating PGP keys.  Ultimately, you need people in a room who can say "yes, I was there, and I saw that happen".
[2] At a content level, at least.  Try sending an email to a mainstream free webmail service user without valid DKIM and watch it get spam-bucketed.

barakta

  • Bastard lovechild of Yomiko Readman and Johnny 5
Re: Signatures - is there any point?
« Reply #6 on: 07 May, 2022, 01:36:19 pm »
Weddings!

I require real signatures when a wedding is booked... confirming the couple are legally entitled to get married. There's no way I'm going to prison for presiding at a marriage I've been misled over.

On the day... legal document and witnesses. All signed in person, and I then write (in pencil in the margin) what the signature says so that the Registrar can complete the electronic copy. Five signatures: the couple, their witnesses and myself.

Edit:

The signatures at the beginning of the process are very important for me... making it clear where the blame lies if a couple are lying to me.

Oddly, the marriage is legal once the vows have been made. The lack of signatures doesn't invalidate the wedding but it does make for a huge headache for all concerned... that is, proving the marriage happened.

.

How does that work for say a blind person, or someone who can't physically handwrite? I can manage a signature even on a bad day.

One of my disabled friends gets her PA to sign with PP to get round that but don't know how that works for weddingy legal documents etc.

Graeme

  • @fatherhilarious.blog 🦋
    • Graeme's Blog
Re: Signatures - is there any point?
« Reply #7 on: 07 May, 2022, 02:02:14 pm »
Weddings!

I require real signatures when a wedding is booked... confirming the couple are legally entitled to get married. There's no way I'm going to prison for presiding at a marriage I've been misled over.

On the day... legal document and witnesses. All signed in person, and I then write (in pencil in the margin) what the signature says so that the Registrar can complete the electronic copy. Five signatures: the couple, their witnesses and myself.

Edit:

The signatures at the beginning of the process are very important for me... making it clear where the blame lies if a couple are lying to me.

Oddly, the marriage is legal once the vows have been made. The lack of signatures doesn't invalidate the wedding but it does make for a huge headache for all concerned... that is, proving the marriage happened.

.

How does that work for say a blind person, or someone who can't physically handwrite? I can manage a signature even on a bad day.

One of my disabled friends gets her PA to sign with PP to get round that but don't know how that works for weddingy legal documents etc.

I haven't had that situation arise - my gut / pastorally sensitive reaction would be that we'd find a way to make it work for all concerned. The signature is only important as evidence - so there'd be some other way of giving evidence that took into account the needs of those getting married.

Edit again: the marriage is legal when the vows are made... the lack of signature is merely an administrative headache. There'll be another way of handling it I'm sure.

Re: Signatures - is there any point?
« Reply #8 on: 07 May, 2022, 04:46:51 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cryptographic signing is a decades old technology that actually works and is readily available on all mainstream computing platforms, but the only lawyers who understand it work on intellectual property.  Everybody else is working on the "we accept faxes, so if we make the process sufficiently fax-like, it'll do" principle.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSXpcZVT011T8o2KC4h91XBFYKSRAUCYnVUAgAKCRAh91XBFYKS
RM9mAJ0Sk8/WEVrdPBbTrm/AndfNzGJ7sQCePQOzD/PMLPxNmINVDr+Bahm3qrU=
=gcJJ


-----END PGP SIGNATURE-----


Then how come patent applications still have to be signed in ink and witnessed? It's about the only time I physically sign my name nowadays.

Feanor

  • It's mostly downhill from here.
Re: Signatures - is there any point?
« Reply #9 on: 07 May, 2022, 04:52:56 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cryptographic signing is a decades old technology that actually works and is readily available on all mainstream computing platforms, but the only lawyers who understand it work on intellectual property.  Everybody else is working on the "we accept faxes, so if we make the process sufficiently fax-like, it'll do" principle.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSXpcZVT011T8o2KC4h91XBFYKSRAUCYnVUAgAKCRAh91XBFYKS
RM9mAJ0Sk8/WEVrdPBbTrm/AndfNzGJ7sQCePQOzD/PMLPxNmINVDr+Bahm3qrU=
=gcJJ


-----END PGP SIGNATURE-----


Then how come patent applications still have to be signed in ink and witnessed? It's about the only time I physically sign my name nowadays.

Because such institutions are moribund in their ways and are slow to change.

quixoticgeek

  • Mostly Harmless
Re: Signatures - is there any point?
« Reply #10 on: 07 May, 2022, 05:09:21 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cryptographic signing is a decades old technology that actually works and is readily available on all mainstream computing platforms, but the only lawyers who understand it work on intellectual property.  Everybody else is working on the "we accept faxes, so if we make the process sufficiently fax-like, it'll do" principle.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSXpcZVT011T8o2KC4h91XBFYKSRAUCYnVUAgAKCRAh91XBFYKS
RM9mAJ0Sk8/WEVrdPBbTrm/AndfNzGJ7sQCePQOzD/PMLPxNmINVDr+Bahm3qrU=
=gcJJ
-----END PGP SIGNATURE-----


gpg --verify /tmp/kim.txt
gpg: Signature made Fri 06 May 2022 17:59:46 BST using DSA key ID 15829244
gpg: BAD signature from "Kim <kim@<redacted>.net>"

Um...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Signatures - is there any point?
« Reply #11 on: 07 May, 2022, 05:16:35 pm »
But all the digital options aren't straight forward or understandable to the user, so.......

Signing things is easy.  You just type your password in when prompted.

Verifying signatures is slightly more complicated, but considerably less so than verifying a paper signature.  I mean, normally the way it works for xkcd://1181 compliance testing of wet-ink signatures is that you look to see if there's a scribble that looks roughly equivalent to some reference scribble[1].  If you need further verification, for wet ink you're hiring handwriting analysis expert witnesses or something.  For an electronic signature, you're just checking some random string of ASCII matches some other random string of ASCII (which is probably automated by your email client anyway).


I dunno what would happen if that ever happened for me. When I worked as a delivery driver I had to sign each delivery note when it was delivered. Doing 20-30 signatures a day, my signature became an unrecognisable scribble that I never do the same way twice.

In my line of work I spend a lot of time dealing with cryptography and web of trust. The technology is there, it has massive UI/UX issues, and it's very much not evenly distributed. Even S/MIME for email has scaling issues. Sure each employee can send in the CSR, and get the cert, and the like, and you can walk most people through that. But the problem still comes that Outlook et al don't have an easy work flow for adding public keys. It's suboptimal all round.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Signatures - is there any point?
« Reply #12 on: 07 May, 2022, 05:22:00 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cryptographic signing is a decades old technology that actually works and is readily available on all mainstream computing platforms, but the only lawyers who understand it work on intellectual property.  Everybody else is working on the "we accept faxes, so if we make the process sufficiently fax-like, it'll do" principle.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQSXpcZVT011T8o2KC4h91XBFYKSRAUCYnVUAgAKCRAh91XBFYKS
RM9mAJ0Sk8/WEVrdPBbTrm/AndfNzGJ7sQCePQOzD/PMLPxNmINVDr+Bahm3qrU=
=gcJJ
-----END PGP SIGNATURE-----


gpg --verify /tmp/kim.txt
gpg: Signature made Fri 06 May 2022 17:59:46 BST using DSA key ID 15829244
gpg: BAD signature from "Kim <kim@<redacted>.net>"

Um...

J

gpg: Signature made Fri 06 May 2022 17:59:46 BST using DSA key ID 15829244
gpg: Good signature from "Kim <kim@<redacted>.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: <redacted> 1582 9244


My bad, when I pasted into vi, it changed the formatting of the text. Fixed. Verifies. Now... do I trust Kim to be Kim...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/
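
Why pasting a clearsigned message into an editor can turn it into "BAD signature", as an added example that is not part of the original posts: it applies the cleartext canonicalisation rules of RFC 4880 section 7.1 to a constructed message and reports which changes the signed text survives. The sample text and function names are assumptions, and the digest covers only the canonical text, not the signature trailer that gpg also hashes.

```python
import hashlib
import textwrap

def canonicalize(body: str) -> bytes:
    """Canonical text of an OpenPGP cleartext-signed body (RFC 4880, 7.1)."""
    text = body.replace("\r\n", "\n").replace("\r", "\n")
    if text.endswith("\n"):          # the final line ending is not signed
        text = text[:-1]
    lines = []
    for line in text.split("\n"):
        if line.startswith("- "):    # undo dash-escaping
            line = line[2:]
        lines.append(line.rstrip(" \t"))   # trailing blanks are not signed
    return "\r\n".join(lines).encode("utf-8")

def text_digest(body: str) -> str:
    # SHA-1 because the messages on this page declare "Hash: SHA1".
    return hashlib.sha1(canonicalize(body)).hexdigest()

def still_verifiable(original: str, pasted: str) -> bool:
    """True if the pasted copy still hashes to the same signed text."""
    return text_digest(original) == text_digest(pasted)

# Constructed sample body (not the message signed in this thread).
ORIGINAL = (
    "Signing things is easy.  You just type your passphrase in when prompted.\n"
    "- -- \n"
    "constructed sample line\n"
)

def paste_variants(original: str) -> dict:
    return {
        # CRLF line endings plus trailing blanks: removed by canonicalisation
        "crlf_and_trailing_blanks": original.replace("\n", " \t\r\n"),
        # editor re-wraps long lines: inserts new line breaks into the text
        "rewrapped_at_40_columns": "\n".join(
            textwrap.fill(line, 40) for line in original.split("\n")),
        # double space after a full stop collapsed to one
        "collapsed_double_space": original.replace(".  ", ". "),
    }

def report(original: str = ORIGINAL) -> dict:
    return {name: still_verifiable(original, pasted)
            for name, pasted in paste_variants(original).items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:28} {'still verifies' if ok else 'BAD signature'}")
```
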

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: Signatures - is there any point?
« Reply #13 on: 07 May, 2022, 05:31:48 pm »
Had a bank email the other week saying they'll be implementing some new security measures on online payments. One of these is they'll sometimes ask the customer to enter their email address along with the pin. Apparently they're not actually checking the address matches whatever is in their database, they're analysing the way you enter it; key strokes and so on. There would seem to be some problems with that (sometimes you type faster than other times, not all keyboards are alike, and so on – but then a positive side effect might be stopping you making drunken purchases!) and assuming it does actually work, I'd assume they can do something similar with 'wet ink' signatures. It's not just what it looks like but the pattern of hard and light pressure, direction and size of loops and so on.
Riding a concrete path through the nebulous and chaotic future.

Re: Signatures - is there any point?
« Reply #14 on: 17 May, 2022, 03:18:22 pm »

I dunno what would happen if that ever happened for me. When I worked as a delivery driver I had to sign each delivery note when it was delivered. Doing 20-30 signatures a day, my signature became an unrecognisable scribble that I never do the same way twice.

In my line of work I spend a lot of time dealing with cryptography and web of trust. The technology is there, it has massive UI/UX issues, and it's very much not evenly distributed. Even S/MIME for email has scaling issues. Sure each employee can send in the CSR, and get the cert, and the like, and you can walk most people through that. But the problem still comes that Outlook et al don't have an easy work flow for adding public keys. It's suboptimal all round.

J

In a previous job I wrote instructions for building and running tests of a new secure architecture on FPGA.

For each build it was necessary to generate a private/public key pair (needed for the debug access so you could run the tests).

The customers found this too onerous and difficult (bear in mind that they were co-developing a new secure SoC). They wanted a TAP point defining that would bypass security.

If people like that find creating and handling keys too hard, there is no hope for the rest of the world.
Marmite slave

Re: Signatures - is there any point?
« Reply #15 on: 17 May, 2022, 08:37:24 pm »
Exhibition organisers often insist that paintings and drawings are signed. I always sign them on the back. No one has ever insisted on a framed piece being removed from the frame to be checked...

FifeingEejit

  • Not Small
Re: Signatures - is there any point?
« Reply #16 on: 17 May, 2022, 10:28:36 pm »
The most obvious reason for signatures to me is for my bank to return documents that I once upon a time signed with the "wrong" hand.

This may be a unique problem...
