
Using a digital signature, electronic signature and digital certificate

While they may seem similar, a digital signature, electronic signature and digital certificate all have unique functions. In this IAM expert response from Randall Gamby, learn the differences and how each is used.

In simple terms, what are the differences between a digital signature, an e-signature and a digital certificat...


Ok, keeping it simple: A digital signature is a number derived from an algorithm run against the content of a document. This number is attached to the document when it is sent in any electronic format. If the receiving application receives the document with the attached digital signature, and the digital signature number doesn't match the content when the same algorithm is run against it, this indicates that the content has been changed somewhere in transit (possibly by a man-in-the-middle attack). It doesn't say where the content was changed, only whether it differs from what the original sender sent.

An e-signature is basically an electronic version of a handwritten signature used in legal documents. Since you can't sign a document in electronic format with a pen, an e-signature is needed. It comes in several forms, but the most common types are: a scanned image of an actual signature imported into a document; a code that one types in, something like "rsg02182010", which can be chosen arbitrarily or assigned consistently depending on the policies governing the individual; or a script font that looks handwritten but is actually typed. Be aware, though, that an e-signature in a document does not, as a digital signature does, verify that the content has not changed.

Digital certificates are another name for public key certificates. They're used to validate that information was sent from a particular user or source. So if you wanted to send a document to someone and wanted to ensure he or she knew it came from you and no one else, you would use a private key certificate to sign the document. When it was received by the recipient, he or she would get the public key certificate -- either from an agreed-upon publicly available site or through some other electronic channel that's locally communicated -- and run it against the document. If the checksum came out correctly, he or she would know without a doubt that the document came from you.

So let's use a digital signature, electronic signature and a digital certificate in a scenario. Perhaps you're sending a completed business contract to a third-party provider. The first step, after filling out the contract details inside a word processing application, would be to go to the bottom and put an e-signature in to add your authorization for the contract. Then, to ensure no terms or content are changed, you would use your digital signature to generate a unique number to be attached to the document. But just because your electronic name is on the document, and you've ensured the content can be flagged if it's been modified, that doesn't mean you've proved it actually came from you. So you use your private digital certificate and sign the document. (In all three cases, you probably have a program that does all this for you, and it's just a matter of clicking options.) You can then email the document to the provider. Upon receipt, the provider would reverse the order, so he or she would start by getting your public key digital certificate, ensuring that the email did, in fact, come from you. Then he or she would run the digital signature application and verify the contract is unchanged from what you sent. Finally, he or she would open the document and see that you did indeed agree to the contract terms by putting your e-signature at the bottom. Now the provider is ready to process your order. Simple.
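The contract scenario above, as an added example that is not from the original article: a constructed contract goes through the three steps (typed e-signature, content-derived integrity number, private-key signature) and the recipient checks them in reverse order, using only Python's standard library. The "certificate" step uses a textbook RSA key pair with tiny fixed primes (an assumption, for illustration only), so the SHA-256 digest is reduced modulo n before signing; real keys are thousands of bits long and use padding.

```python
import hashlib

# Constructed sample contract and the typed-code style e-signature from the article.
CONTRACT = b"Supply 100 widgets at $5 each, delivery by 2010-06-01."
E_SIGNATURE = "rsg02182010"

# Toy textbook-RSA key pair (hypothetical, illustration only): p=61, q=53.
N = 3233            # p * q
PUBLIC_EXP = 17     # public key, what the "digital certificate" would carry
PRIVATE_EXP = 2753  # 17^-1 mod (60 * 52), kept secret by the sender


def integrity_number(content: bytes) -> str:
    """Step 2: the 'digital signature' number derived from the content."""
    return hashlib.sha256(content).hexdigest()


def attach_e_signature(content: bytes, esig: str) -> bytes:
    """Step 1: put the e-signature at the bottom of the document."""
    return content + b"\nSigned: " + esig.encode()


def _digest_mod_n(content: bytes) -> int:
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % N


def sign_with_private_key(content: bytes) -> int:
    """Step 3: sign the content digest with the sender's private key."""
    return pow(_digest_mod_n(content), PRIVATE_EXP, N)


def verify_with_public_key(content: bytes, signature: int) -> bool:
    """Recipient recovers the digest with the public key and compares."""
    return pow(signature, PUBLIC_EXP, N) == _digest_mod_n(content)


def send_contract():
    """Sender: e-sign, derive the integrity number, then sign with the private key."""
    doc = attach_e_signature(CONTRACT, E_SIGNATURE)
    return doc, integrity_number(doc), sign_with_private_key(doc)


def receive_contract(doc: bytes, number: str, signature: int) -> dict:
    """Recipient reverses the order: origin, then integrity, then authorization."""
    return {
        "from_sender": verify_with_public_key(doc, signature),
        "unchanged": integrity_number(doc) == number,
        "authorized": doc.endswith(b"Signed: " + E_SIGNATURE.encode()),
    }
```

Modifying the contract in transit breaks both the integrity number and the signature; an attacker who also recomputes the integrity number passes the "unchanged" check but still fails the origin check, which is the gap the article says the certificate closes.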

This was last published in May 2010
