karthick

Reputation: 12176

What is the difference between e-signature and digital signature?

I want to know the difference between an eSignature and a digital signature. I tried googling it and I got some information about digital signatures and how they are authenticated.

But what I am not able to understand is whether the same authentication process is valid for eSignature? If it's different then what is the exact process?

Upvotes: 1

Views: 1406

Answers (2)

bsanchezb

Reputation: 108

An electronic signature is a legal concept that is defined in the eIDAS Regulation by the following:

‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign; (eIDAS Article 3.10)

This implies that an electronic signature may be represented by any type of data associated with a person and a content in electronic form. For example, it may be a text with a person's name at the end of an email, or a visual stamp within an electronic document.

A digital signature, on the other hand, refers to a mathematical and cryptographic concept that is widely used to provide concrete and practical instances of electronic signatures. The definition given by ETSI TR 119 100 is that of

Digital signature is data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery e.g. by the recipient.

A digital signature provides a proof of the content integrity and the signature creator.

These two concepts should be distinguished, as all electronic signatures are not necessarily digital signatures.

For more information about electronic signatures, you will need to look into the eIDAS Regulation, which distinguishes three types of electronic signatures:

1. 'Simple' electronic signatures

See definition for "electronic signature" above.

2. Advanced electronic signatures (AdES)

An advanced electronic signature is an electronic signature which is additionally:

  • uniquely linked to and capable of identifying the signatory;
  • created in a way that allows the signatory to retain control;
  • linked to the document in a way that any subsequent change of the data is detectable.

The most commonly used technology able to provide these requirements relies on the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.

An advanced signature is a digital signature.

3. Qualified electronic signatures (QES)

A qualified electronic signature is an advanced electronic signature which is additionally:

  • created by a qualified signature creation device (QSCD); and
  • is based on a qualified certificate for electronic signatures.

For more information about electronic signatures, please see the eSignature FAQ on the European Commission website.

Upvotes: 0
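The distinction drawn in the answer above, as an added example that is not part of the original post: a typed-name "simple" electronic signature cannot detect a later change to the document, while an Ed25519 digital signature (Node.js built-in crypto) fails verification after any change or under a different key. The document text, signer name and key pairs are constructed for illustration; binding the public key to a person through a certificate, as a PKI does, is left out.

```javascript
// Added example: typed-name e-signature vs. Ed25519 digital signature.
const nodeCrypto = require('node:crypto');

// "Simple" electronic signature: a name logically associated with the content.
function attachTypedName(body, name) {
  return { body, signedBy: name };
}

// Nothing binds the name to the body, so this can only confirm the name is there.
function typedNamePresent(record, name) {
  return record.signedBy === name;
}

// Digital signature: a cryptographic transformation of the data with a private key.
function signDocument(body, privateKey) {
  // Ed25519 hashes internally, so the digest algorithm argument is null.
  return nodeCrypto.sign(null, Buffer.from(body, 'utf8'), privateKey);
}

// Returns true only if the signature matches both the exact bytes and the key.
function verifyDocument(body, signature, publicKey) {
  return nodeCrypto.verify(null, Buffer.from(body, 'utf8'), publicKey, signature);
}

function demo() {
  const signer = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');

  const original = 'Pay 100 EUR to Alice.'; // constructed sample document
  const altered = 'Pay 900 EUR to Alice.';  // same document after a one-character change

  const record = attachTypedName(original, 'Bob Example');
  const tamperedRecord = { ...record, body: altered };
  const sig = signDocument(original, signer.privateKey);

  return {
    // The typed name still "checks out" even though the body changed.
    typedNameAfterTamper: typedNamePresent(tamperedRecord, 'Bob Example'),
    // Integrity: valid on the original bytes, invalid after the change.
    digitalOriginal: verifyDocument(original, sig, signer.publicKey),
    digitalAfterTamper: verifyDocument(altered, sig, signer.publicKey),
    // Source: a different key pair cannot validate the signature.
    digitalWrongKey: verifyDocument(original, sig, other.publicKey),
  };
}

console.log(demo());
```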

Ben Eliott

Reputation: 654

An eSignature refers to the electronic signing process that creates a legally binding agreement, while a digital signature tends to mean the cryptographic signature produced by public/private key signing.

A public/private key digital signature could be one of the signing methods used for eSignature.

The reason a digital signature is not an eSignature is that applying it alone won't create a legally binding agreement. For example, you could apply a digital signature to secure some data for transmission through an untrusted network (in fact this was the original purpose of the public/private key).

By analogy you could think of your handwritten signature equivalent - you can sign your name on a blank piece of paper or a guest book as many times as you like, no legal obligation is being created upon you. It's not only the signing method that creates a signature but the wider context.

I don't think there is a strict answer to the authentication process for an eSignature. It may be better to look at it as a set of principles that need to be established, since this can spawn any number of specific processes. (By 'authentication process' I take it you mean the process to generate a legally binding agreement).

The reason formation of contract is more principle-oriented and not a fixed process is that fundamentally you can form contracts in any way you choose between yourself and another party, so long as it conforms to a number of principles - for instance, that you're authorized to make that agreement in the first place, that there is consensus between you and the other person etc. Although some specific contracts may be regulated to be of a certain form and type.

I agree that the semantics around eSignature are still evolving and ambiguous. The industry is still relatively young and companies attempt to express their offering in different ways in the absence of a strong and developed vocabulary. Finally I would just say that nothing in this answer should be construed as legal advice. I hope this goes some way to answering your question.

Upvotes: 3
