What constitutes a "legal" digital signature for a web form (not a document)?
 
OPTION 1: I worked on a project where a doctor makes notes on the health of a patient. When the web form is submitted a PDF is generated and digitally signed with a digital .CER certificate and the PDF is saved to the file system. Each doctor had their own .CER file and password which was a real PITA to maintain and the overhead of generating, storing, and backing up PDFs is quite high.
 
There are also third-party solutions like CoSign which allow the user to authenticate to CoSign as the form submits and, if properly authenticated, somehow digitally signs that form. I believe all of these solutions require an export to various types of documents and then storage of the document and require the end signer to have an account with CoSign. That isn't going to work...
 
All of these signatures require the data to be stored in a document which is not ideal for many projects.
 
OPTION 2: I went to the Microsoft store at the Mall of America and purchased a new Surface (to be later returned :/ ) and when checking out they gave me a tablet (ironically it wasn't a Surface) and a pen and I jotted down my signature. Another example is the Square app which also requires the user to jot down their signature on a touchscreen of some sort. I would assume the signature is stored as an image somewhere in a database but does that constitute a "legal" document?
 
I've worked at a small medical device company which had their doctors evaluate tests on the web and digitally "sign" their evaluation, but all that did was upload an image of their signature saved in the database.
 
OPTION 3: Yet another way I've seen this done is when filling out my FAFSA for college tuition aid back in the day. They'd ask you to review the terms, yada yada, and then at the bottom I had to type in my full legal name "as it appears above" and then submit the form. What are they doing behind the curtains??
 
The project I'm working on is a simple one-page contract for a construction company which explains all of the services to be rendered and requires a signature and date. The electronic version of this form would collect all of the required data in a web form and save it to a data store.
 
My initial reaction was to provide a <canvas> based HTML5 element that can be signed on an iPad or something. Does the data need to be exported to a document and then signed using a digital signature or can the data be legal and "signed" in the data store?
Posted 4-Feb-13 7:41am
jabit 10.6K
Edited 4-Feb-13 8:23am
v2
Comments
Mike Meinz at 4-Feb-13 14:22pm
   
You probably need to consult an attorney and the company auditor. At my company, the attorney's and auditor's opinion was that we were ok if we had a defined procedure that identified the person and then stored the associated documents so that other users could not change them. We developed a DLL that our programmers could use that asked the user to type in their Microsoft Active Directory password (the same one they used to log in) to verify their identity. The programmers used the DLL to verify identity and then stored the data in SharePoint with appropriate access permissions on the SharePoint library or in a database with appropriate access permissions.

1 solution


Solution 1

I agree with Mike, you need the company legals to define how strict your requirements are.
 
You need to ask who we trust: if the data is just in the database, do we need a system that prevents a DBA from modifying supposedly signed records?
 
I know of a system used to track drug samples left with doctors. The regular transactional records were in the database, but a separate encrypted Blob was stored with the same information, and the doctor's captured signature. This was encrypted with the sales rep's logon account. This was the record for legal purposes (and approved by the FDA).
 
Thus it was tamper proof - a DBA couldn't manipulate the Blob data, as they couldn't sign a different record, yet the regular transactional data was available for reporting, etc.
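A minimal sketch of the sealed-record idea from Solution 1, added here as an example and not part of the original answer or of the system it describes. It assumes an HMAC tag over a canonical copy of the form (in place of the encryption the answer mentions), keyed from the signer's logon secret via PBKDF2; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json


def derive_key(password: str, salt: bytes) -> bytes:
    # The key is derived from the signer's logon secret, so it is never
    # stored in the database that a DBA can read or edit.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def canonical(form: dict, signer: str, signed_at: str, sig_png: bytes) -> bytes:
    # Sorted keys and fixed separators yield one byte string per logical record.
    body = {
        "form": form,
        "signer": signer,
        "signed_at": signed_at,
        "signature_image_sha256": hashlib.sha256(sig_png).hexdigest(),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(form: dict, signer: str, signed_at: str, sig_png: bytes, key: bytes) -> dict:
    # Stored beside the normal transactional row: a frozen copy plus its tag.
    blob = canonical(form, signer, signed_at, sig_png)
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return {"blob": blob.decode(), "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    # Any edit to the blob or the tag without the key makes this fail.
    expected = hmac.new(key, sealed["blob"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def matches_row(sealed: dict, row: dict) -> bool:
    # The reporting row is trusted only while it still equals the sealed copy.
    return json.loads(sealed["blob"])["form"] == row


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = derive_key("constructed-passphrase", b"constructed-salt")
    form = {"customer": "Example Homeowner", "price_usd": "1200"}
    sealed = seal(form, "rep01", "2013-02-04T08:00:00Z", b"constructed-png", key)
    print(verify(sealed, key), matches_row(sealed, form))
```

Verification needs the same key, so the signer's secret (or a service holding the derived key outside the database) must take part in any later check.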

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 5 Feb 2013
Copyright © CodeProject, 1999-2014