Personal, server-based or electronic signature stamp: when to use them?

As well as providing different levels of security (single, advanced or qualified), electronic signatures have different characteristics depending on the signatories and required use.

Before starting an electronic signature project, you need to define your needs in order to choose the appropriate infrastructure: personal or server-based electronic signature, or electronic signature stamp.

Like its handwritten counterpart, an electronic signature, also known as a digital signature, authenticates the signatory (natural person or legal entity) and guarantees the integrity of the data. It’s based on a public-key encryption system, in other words, digital certificates.

Personal signature on the client machine for employees

As the name implies, the personal electronic signature allows employees to sign with their name and position. “Client machine” means that the electronic signature certificate is installed directly on the employee’s workstation or more generally, on a physical token such as a smart card or USB key for storing keys. Depending on the use cases and regulations, a physical (token, smart card, etc.) or logical (PKCS12) token can be used to sign the document.

If only the computer is used for authentication, it’s a simple signature. For a qualified signature, the employee must be given a secure device (an authentication token containing the certificate such as the ones offered by Yubiko).

In a professional environment, personal electronic signatures should only be used by company employees as they’re specific to an individual.

Below is a diagram showing the personal signature process on the client machine:

The server-based personal signature for one-off use

For one-off use such as obtaining the consent of an external person to sign an online contract, the server-based personal signature is the solution to use.

This involves generating a temporary certificate for a limited period in the name of the person who needs to sign it. The person then receives a time-limited (one session for example), one-time password to confirm their consent.

The company’s Public Key Infrastructure (PKI) issues a temporary certificate to sign in the name of the two contracting parties: the person who is signing the contract and the company.

For added security, you can add two-factor strong authentication before the electronic signature stage. The security keys can also be protected using an HSM (Hardware Security Module).

Below is a diagram showing the server-based signing process:

Depending on the use cases and regulations, a different certificate generation policy can be implemented for the signatories. The system can generate:

• “Long-term” certificates that can be reused for the same signatory;
• An ephemeral (or short-term) certificate which can only be used to sign the current documents.

Server stamp: the company’s electronic stamp

Sometimes erroneously called a server stamp certificate, this is a signature using a server certificate in the same way an SSL or TLS certificate is used for server-client authentication. The server stamp is a cryptographic operation based on the server stamp certificate to guarantee the integrity and authenticity of data on behalf of a legal entity. In other words, it can be likened to a company’s electronic stamp.

In accordance with eIDAS (Electronic Identification And Trust Services) regulations and the RGS (French general security guidelines), the server stamp enables large numbers of documents to be signed simultaneously to ensure their integrity and authenticity. The key can be stored in a HSM and also be combined with two-factor authentication for an advanced or qualified signature.

This means it can be integrated into many of the company’s systems including business management or ERP systems for quote signing for example, the HRIS for signing employment contracts, annual leave contracts and other expense accounts, or business applications via Business Process Management (BPM).

It is worth noting that server stamps are used for bid submissions for procurement contracts.

The server stamp process:

Electronic signature timestamping

Whether the signature is on the server or client machine, most regulations require timestamping as it offers several guarantees:

• The existence of an item of data at a given time
• Non-repudiation of data

Timestamping is also useful for ensuring long-time validity and archiving of data. A document’s electronic signature is only valid if the certificate used to create the signature is valid.

Below is an illustration of the timestamping process:

Adding a timestamp token extends the lifespan of the electronic signature until the timestamp certificate expires, beyond the expiration date of the original certificate. The timestamp token must be obtained from a trusted third party called the timestamp authority, guaranteeing that its clock is synchronized with a reliable time source. Other timestamp tokens can then be added to the signature to extend its lifespan, guaranteeing the validity of the data over time.

In other words, the mechanism prevents signature obsolescence. The cryptographic algorithms used to calculate the electronic signature change over time and an old signature may be compromised. Adding timestamp tokens protects the signature using certificates with an up-to-date security level, ensuring that data is valid and secure in the long term.

Key points to remember

The key points to help you choose the right signature for the signatories and required use are as follows:

Digitalberry can help you with your electronic signature design and integration projects to find the solution best suited to your needs.