1

I need to make an app where you will open a PDF document, show it to a customer and he will electronically sign it (write his signature on a tablet).

From what I read you need the data from the signature being created (time stamp, pressure and time from drawing) and attach it to the PDF.

But is this enough? So to open a canvas, read the data and attach it to the PDF with the signature image itself or do I need to digitally sign the PDF as well? If this is enough, then where to attach all that additional data (time stamp...)? - I plan on using the iText library.

Tadej Vengust
  • It depends on what your customer wants. Because the first part of your question is about a signature image, which is not the same as a digital signature. – Amedee Van Gasse Dec 28 '16 at 10:45
  • He just needs an electronic signature that is the same as a hand written one. – Tadej Vengust Dec 28 '16 at 10:54
  • Well, that's not really an electronic signature then, just a digital image of a handwritten signature. Electronic Signatures in the context of pdfs are a totally different thing. – Samuel Huylebroeck Dec 28 '16 at 11:18
  • From what I read electronic signature is the same as handwritten but you need some extra data to validate it.. – Tadej Vengust Dec 28 '16 at 11:23
  • Please clarify if you need a digital signature (you would need a private key associated to an X509 certificate) or not. – Egl Dec 28 '16 at 13:09
  • No I do not need it to be digitally signed what I need is basic e-signature that is valid underneath eIDAS: https://ec.europa.eu/digital-single-market/en/news/questions-answers-trust-services-under-eidas – Tadej Vengust Dec 28 '16 at 13:14
  • *"basic e-signature that is valid underneath eIDAS"* - eIDAS covers many technologies with differing legal consequences. Please be more specific. – mkl Dec 28 '16 at 16:39
  • It will be used for delivery. So that the customer will sign a pdf delivery bill. I will contact my order-er for more info. – Tadej Vengust Dec 29 '16 at 07:30
  • Ok, I finally got more information. It is not enough to be just a picture, it has to be like the signature that is added through the Adobe app. But there is no need for any certificate. – Tadej Vengust Dec 29 '16 at 14:01

1 Answer

3

There are lots of aspects coming with your question. In the end it all comes down to your/your customer's requirements of the process. Let me illustrate what you can do:

Firstly: There is a difference between a digital signature and a handwritten representation of a signature - although you can combine both...

Solution I

  1. Capture the signature image (from a canvas), create an image out of it
  2. Put the image into the PDF

Solution II

  1. Same as above
  2. Create a standard PDF signature field, set the signature-image as its appearance and digitally sign the field and thus the document (you need a certificate for that, but it can be self-signed). The timestamp (and further infos like location, reason etc.) can also be added and are part of the signature

Solution III

  1. Same as above
  2. Also collect the so-called biometric data of the signature (x,y coordinates, pressure like you mentioned (however not always available) and timestamp for each coordinate pair)
  3. Encrypt the biometric data and add it to the signature field (strongly oversimplified)
  4. Same as step 2 from above (cp. Solution II)

Solution IV (Update)

As you mentioned in your comment you want an eIDAS compliant signature:

"I do not need it to be digitally signed what I need is basic e-signature that is valid underneath eIDAS"

To make it clear: eIDAS is a way to digitally sign PDF documents.

  1. Same as above
  2. If you want an eIDAS compliant eSignature you also need a certificate. There is no way around it. But the certificate can be self-signed so it shouldn't be a problem. The rest is the same as in Solution II (step 2)

There may be other combinations (e.g. using qualified certificates from a smart card etc.) but in the end only you can decide what's the right solution for you. It depends on your requirements, your country's regulations and the legal necessities of the contracts you want to sign.

What are the differences of the solutions?

The first solution doesn't provide any possibility to verify the authenticity of the signer, nor does it ensure that the document wasn't altered after the signature image was added. Solution II provides exactly that; however, if self-signed certificates are used, the signer cannot be identified (anybody could have signed that document). To prove that, you have to use qualified certificates or go with solution III.

Last remarks:

  • If the signer should sign at a certain place it makes sense to add empty signature field(s) when creating the document. Then when opened in your application a user can click on the signature field he wants to sign.
  • There are many existing solutions you could use exactly for that use case. Thus you also have to ask yourself: Why reinvent the wheel?
  • Most of those solutions also don't directly sign the document on the (Android) client but do the actual signing on a central server. Using that approach you don't need to re-implement your solution for each platform (iOS, Windows Phone, web browser on a desktop PC etc.)
Lonzak
  • My little addition: solution I would be an electronic signature. The other solutions would be digital signatures. – Egl Jan 02 '17 at 13:22
  • Yeah we use the term "electronic signature" for the handwritten signature (with biometrics) but I think this is not an official term, but agreed, maybe helps to clear up the confusion... – Lonzak Jan 02 '17 at 14:06
  • I'm afraid it won't. The use of the term "electronic signature" simply is very inconsistent. – mkl Jan 02 '17 at 17:01
  • This is what I was looking for. Since the documentation about electronic signature is really bad you just don't know what the correct definition is and I as well as my client were confused. This clarifies when you need a digital certificate. The eIDAS is weird as well because their first clause says that they do not change that an e sign is valid in court as is but then make new conditions. The reason I want to "reinvent the wheel" is because my client wants it all in one application (with some other functionalities). Just out of curiosity which are the best solutions out there? – Tadej Vengust Jan 03 '17 at 07:27
  • Disclaimer: I am a bit biased since our company offers such a solution ;-) For your case we offer the signing part as an independent component (like a library) and a customer can integrate it into his own application. But for sure there are others offering something similar but I don't have a market overview (since working on other things currently)... – Lonzak Jan 03 '17 at 09:34
  • What is the price for the library? – Tadej Vengust Jan 06 '17 at 07:24
  • You may take a look here: www.is2.de/insign (attention: biased! I'm one of the creators). – TomB Feb 01 '18 at 12:08
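
The data flow behind Solutions II and III in the answer above, modelled outside any PDF library as an added example (it is not code from the answer or from iText). Assumptions: Node.js built-in `crypto`; a hypothetical `escrow` key pair for decrypting the pen data; the document hash is bound to the encrypted pen data as AAD; a hash of the whole file stands in for the byte ranges a real PDF signature covers; all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumptions: `signer` stands in for the key behind the (possibly self-signed)
// certificate; `escrow` is a hypothetical party allowed to decrypt the pen data.
const signer = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const escrow = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
// Constructed sample input: placeholder document bytes and two pen samples.
const PDF = Buffer.from('%PDF-1.7 constructed delivery bill');
const SAMPLES = [{ x: 10, y: 20, p: 0.4, t: 0 }, { x: 12, y: 23, p: 0.6, t: 8 }];
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
const b64 = (buf) => buf.toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64');

// Solution III step 3: AES-256-GCM under a fresh key that is wrapped for escrow;
// the document hash is authenticated as AAD so the blob cannot be moved elsewhere.
function sealBiometrics(samples, docHash, escrowPublicKey) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(docHash);
  const ct = Buffer.concat([c.update(JSON.stringify(samples), 'utf8'), c.final()]);
  return { key: b64(crypto.publicEncrypt(escrowPublicKey, key)), iv: b64(iv),
           tag: b64(c.getAuthTag()), ct: b64(ct) };
}

// Solution II step 2 / III step 4: sign document hash, time and sealed pen data.
function signDocument(pdfBytes, samples, signerPrivateKey, escrowPublicKey) {
  const docHash = sha256(pdfBytes);
  const payload = JSON.stringify({ docHash: docHash.toString('hex'),
    signedAt: new Date().toISOString(),
    biometrics: sealBiometrics(samples, docHash, escrowPublicKey) });
  return { payload, sig: b64(crypto.sign('sha256', Buffer.from(payload), signerPrivateKey)) };
}

// True only if the payload is unmodified and still matches these document bytes.
function verifyDocument(pdfBytes, rec, signerPublicKey) {
  const sigOk = crypto.verify('sha256', Buffer.from(rec.payload), signerPublicKey, unb64(rec.sig));
  return sigOk && JSON.parse(rec.payload).docHash === sha256(pdfBytes).toString('hex');
}

// Escrow side: recover the pen samples; throws if the document bytes differ.
function openBiometrics(rec, pdfBytes, escrowPrivateKey) {
  const b = JSON.parse(rec.payload).biometrics;
  const key = crypto.privateDecrypt(escrowPrivateKey, unb64(b.key));
  const d = crypto.createDecipheriv('aes-256-gcm', key, unb64(b.iv));
  d.setAAD(sha256(pdfBytes));
  d.setAuthTag(unb64(b.tag));
  return JSON.parse(Buffer.concat([d.update(unb64(b.ct)), d.final()]).toString('utf8'));
}
```

A passing `verifyDocument` only shows that the bytes are unchanged since signing; as the answer notes, with a self-signed key it says nothing about who signed.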