The digital signature

Digital signatures are marketed as a form of electronic signature that enables the recipient to prove a document or communication actually came from the person whose digital signature was used to ‘sign’ the data. This is not correct.

The private key of a digital signature (also known as an ‘advanced electronic signature’ in the EU) is protected by a password. If you use a digital signature (or you are the recipient of a document or e-mail with a digital signature affixed), the most important point to be aware of is this: the private key of a digital signature is only as good as the password that protects it. This means that when the password (or PIN) is entered into a computer to provide access to the private key of a digital signature, it proves any of the following:

The person that keyed in the password (or username and password) knew the password (or username and password); or

The person with access to the computer (whether they were sitting in front of the computer or whether they obtained control of the computer remotely) did not need to know the password because the computer was instructed to remember the password.

Many people (including lawyers) actually believe that if the private key of a digital signature is affixed to a document or e-mail, it means that the digital signature was actually affixed by the person whose key it was. One must beware of anybody that does not understand logic.
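The point can be seen from the recipient's side in a short program. The following is an added example, not part of the original text: it assumes the Python `cryptography` package, and the names `make_protected_key`, `sign_with_password`, `RememberingSigner` and `recipient_verifies` are illustrative. A signature made by someone who keys in the password and one made through software that remembers the password both verify, and the recipient has nothing with which to tell them apart.

```python
# Added illustration: verification proves use of the private key, not who used it.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def make_protected_key(password: bytes):
    """Create a key pair; the private key is stored encrypted under the password."""
    key = Ed25519PrivateKey.generate()
    pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(password),
    )
    return pem, key.public_key()


def sign_with_password(pem: bytes, password: bytes, message: bytes) -> bytes:
    """Anyone who can supply the password can unlock the key and sign."""
    key = serialization.load_pem_private_key(pem, password=password)
    return key.sign(message)


class RememberingSigner:
    """Hypothetical signing software that was told to remember the password."""

    def __init__(self, pem: bytes, password: bytes):
        self._pem, self._password = pem, password

    def sign(self, message: bytes) -> bytes:
        # Whoever controls the computer, locally or remotely, types no password.
        return sign_with_password(self._pem, self._password, message)


def recipient_verifies(public_key, message: bytes, signature: bytes) -> bool:
    """All the recipient can check: was this made with the matching private key?"""
    try:
        public_key.verify(signature, message)
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    message = b"I agree to the contract."            # constructed sample document
    pem, pub = make_protected_key(b"correct horse")  # constructed password
    typed = sign_with_password(pem, b"correct horse", message)
    remembered = RememberingSigner(pem, b"correct horse").sign(message)
    print(recipient_verifies(pub, message, typed), recipient_verifies(pub, message, remembered))
    print("signatures identical:", typed == remembered)  # Ed25519 is deterministic
```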

The comments above were previously set out in White Paper Number Seven, Electronic Signatures - Signing up to the Digital Economy (InterForum, 1999) [this paper no longer seems to be available on the internet]. On page 3, the following comments were made:

‘Just as possessing a credit card does not prove you are the rightful owner, electronic signatures do not categorically prove that a signed document came from the claimed sender. It only shows that someone had access to the token or PC on which the digital certificate and signing process was stored.’

Case law

For case law from across the world, see Electronic Signatures in Law and the Digital Evidence and Electronic Signature Law Review.