Comment by KronisLV
4 years ago
Am I the only one who finds the current state of signing documents to be a bit incomplete, inconsistent and all over the place?
For historical reasons, we still need to allow signing things by hand, which has a number of challenges in proving the authenticity of any such signature and preventing falsification of signatures (especially if you don't have the original document with the ink but rather a scanned copy).
Then, there are digital signatures, though instead of one large standard for all of the world, we have a whole bunch of regional ones. For example, in Latvia we have eParaksts (translates to "eSignature"): https://www.eparaksts.lv/en/
It is a largely commercial venture, which allows signing documents with either data in the chip that's embedded in our national ID, or I guess mobile solutions as well and also gives you the ability to verify these arbitrary documents in a centralized manner as well. The good thing here is that it supports signing arbitrary documents and storing them in an .edoc container or even embedding the signature inside of PDFs or whatever, but it still feels very regional, is still centralized and most of the software for reading PDFs directly doesn't recognize their CA or intermediate certs as trusted and therefore gives you errors, so you need to do verification on their site.
But what happens when you need to somehow indicate within a document that you're signing it digitally? You just put the text: "THIS DOCUMENT IS SIGNED WITH AN ELECTRONIC SIGNATURE AND A TIMESTAMP" in text at the bottom, which seems silly and doesn't really mean anything - how are you supposed to examine that if you ever need to print it? Furthermore, this kind of locks you in to using the .edoc container and keeping it around and perhaps even thinking about how to quickly get and display its contents. Sure, they have desktop software for that, but it's not like you can automate that super easily (not saying that working with digitally signed PDFs is a walk in the park, either).
In some parts of the world, an electronic signature just means taking a JPEG (or an equivalent) of your signature and embedding it in a particular spot of your PDF or whatever, which is plain nonsense in my eyes - sure, it looks pretty, but there's no actual cryptographic protection or benefit to doing so, since it's laughably easy to reproduce by anyone who wants to fake your signature. It actually surprised me when digitally signing a PDF came up as a Linux challenge on Linus Tech Tips and Luke thought that this approach is what was intended (whereas Linus interpreted it more or less correctly but searched for the wrong thing, more or less): https://www.youtube.com/watch?v=TtsglXhbxno&t=257s
So, here are my questions to all of you, maybe you have some thoughts to share:
- why don't we have one centralized format of signing any and all pieces of data, with a focus on documents (think GPG but actually used and internationally recognized)?
- why don't we have one centralized, yet distributed CA infrastructure with intermediate certificates by country and then further nodes for each institution with people's certs being the leaf nodes, so that we can validate any signature globally?
- why don't we have a format that involves representing this data both in digital and printed form, say, when you want to print a document, it essentially gives you this picture of your signature with a QR code beside it, that either involves enough information to validate this signature (be it crypto data or just a URL in the case of a web based solution), as well as the parsing logic to go the other way when scanning signed documents?
- how did we get to the point where the above is not our current reality? why didn't document signing ever get the love that something like SSL/TLS did?
- any ideas on how these things could possibly be improved? thoughts on fully decentralized solution (everyone has a private/public key) vs something that holds one's hands more and provides an easy to use interface or even lets you sign things on your behalf (e.g. like eSignature), ideally behind 2FA?
- could any such initiative ever be fully free and open source, possibly subsidized by the governments of the world? I mean, (almost) everyone has a pen, but not everyone should pay for DocuSign or whatever, right?