What constitutes a "legal" digital signature for a web form (not a document)?

OPTION 1: I worked on a project where a doctor makes notes on the health of a patient. When the web form is submitted a PDF is generated and digitally signed with a digital .CER certificate and the PDF is saved to the file system. Each doctor had their own .CER file and password which was a real PITA to maintain and the overhead of generating, storing, and backing up PDFs is quite high.

There are also third-party solutions like CoSign which allow the user to authenticate to CoSign as the form submits and, if properly authenticated, somehow digitally signs that form. I believe all of these solutions require an export to various types of documents and then storage of the document and require the end signer to have an account with CoSign. That isn't going to work...

All of these signatures require the data to be stored in a document which is not ideal for many projects.

OPTION 2: I went to the Microsoft store at the Mall of America and purchased a new Surface (to be later returned :/ ) and when checking out they gave me a tablet (ironically it wasn't a Surface) and a pen and I jotted down my signature. Another example is the Square app which also requires the user to jot down their signature on a touchscreen of some sort. I would assume the signature is stored as an image somewhere in a database but does that constitute a "legal" document?

I've worked at a small medical device company which had their doctors evaluate tests on the web and digitally "sign" their evaluation, but all that did was upload an image of their signature saved in the database.

OPTION 3: Yet another way I've seen this done is when filling out my FAFSA for college tuition aid back in the day. They'd ask you to review the terms, yada yada, and then at the bottom I had to type in my full legal name "as it appears above" and then submit the form. What are they doing behind the curtains??

The project I'm working on is a simple one-page contract for a construction company which explains all of the services to be rendered and requires a signature and date. The electronic version of this form would collect all of the required data in a web form and save it to a data store.

My initial reaction was to provide a <canvas> based HTML5 element that can be signed on an iPad or something. Does the data need to be exported to a document and then signed using a digital signature or can the data be legal and "signed" in the data store?
Updated 4-Feb-13 7:23am
Comments
Mike Meinz 4-Feb-13 14:22pm    
You probably need to consult an attorney and the company auditor. At my company, the attorney's and auditor's opinion was that we were ok if we had a defined procedure that identified the person and then stored the associated documents so that other users could not change them. We developed a DLL that our programmers could use that asked the user to type in their Microsoft Active Directory password (the same one they used to log in) to verify their identity. The programmers used the DLL to verify identity and then stored the data in SharePoint with appropriate access permissions on the SharePoint library or in a database with appropriate access permissions.

1 solution

I agree with Mike, you need the company legals to define how strict your requirements are.

You need to ask who we trust. If the data is just in the database, do we need a system that prevents a DBA from modifying supposedly signed records?

I know of a system used to track drug samples left with doctors. The regular transactional records were in the database, but a separate encrypted Blob was stored with the same information and the Dr's captured signature. This was encrypted with the sales rep's logon account. This was the record for legal purposes (and approved by the FDA).

Thus it was tamper proof - a DBA couldn't manipulate the Blob data, as they couldn't sign a different record, yet the regular transactional data was available for reporting, etc.
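A sketch of the sealed-record idea from the answer above, added here as an example and not code from the thread or from the system it describes. It swaps the encrypted blob for an HMAC-SHA256 seal keyed from the signer's password via PBKDF2; the field names, sample contract, account name and password are constructed.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this sketch


def _payload(record: dict, signature_png: bytes, signer: str) -> bytes:
    """Canonical bytes covering the form fields, the signer and the signature image."""
    body = {
        "record": record,
        "signer": signer,
        "signature_sha256": hashlib.sha256(signature_png).hexdigest(),
    }
    # Sorted keys and fixed separators: the same data always yields the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _key(password: str, salt: bytes) -> bytes:
    """Derive the sealing key from the signer's password; it is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def seal(record: dict, signature_png: bytes, signer: str, password: str) -> dict:
    """Return the seal row to store beside the ordinary transactional record."""
    salt = os.urandom(16)
    tag = hmac.new(_key(password, salt), _payload(record, signature_png, signer),
                   hashlib.sha256).hexdigest()
    return {"signer": signer, "salt": salt.hex(), "tag": tag}


def verify(record: dict, signature_png: bytes, seal_row: dict, password: str) -> bool:
    """True only if record, signature image and signer match what was sealed."""
    key = _key(password, bytes.fromhex(seal_row["salt"]))
    expected = hmac.new(key, _payload(record, signature_png, seal_row["signer"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal_row["tag"])


if __name__ == "__main__":
    # Constructed sample data: a contract row and stand-in signature image bytes.
    contract = {"customer": "A. Example", "services": "Deck repair", "date": "2013-02-04"}
    image = b"\x89PNG constructed canvas capture"
    row = seal(contract, image, "rep01", "correct horse")
    print("untouched:", verify(contract, image, row, "correct horse"))
    edited = dict(contract, services="Deck repair and roofing")  # edit made in the database
    print("edited by DBA:", verify(edited, image, row, "correct horse"))
```

Because the key is symmetric, checking the seal needs the signer's credential again; a per-user asymmetric key pair would let an auditor verify without it.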
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
