[semi-extrinsic]

Kind of tangential, but I'll share a bit of a horror story from a friend when it comes to e-signatures.

The company in question uses DocuSign, and most of their clients do as well. They are big, serious companies. However, nobody is able to set up DocuSign in a reasonable way for a multi-client contract. Every company needs to use their own DocuSign.

Now, DocuSign embeds a cryptographic signature in the signed PDF. This means you can't sign a PDF twice.

So what my friend does is create the PDF to be signed, send it to one company for signatures, get it back and run it through Microsoft Print to PDF. This friendly utility happily strips away all cryptographic signatures, but importantly leaves the "signature picture" in place. And then they can send this PDF to the next company.

I joked that every time they do this, a cryptographer somewhere stubs their pinky toe on a corner.

[Muromec]

Pdf signatures are a joke and entire wrb e-signature space is snake oil sales. Source: worked for docusign competitor and seen how signing twice works.

We at least did the print to pdf thingy ourserves on the backend to save users from this shame.

Add: you can in fact sign the pdf multiple times with a digital signature, which is an actual feature of PDF format. You can't however add electronic (drawn) signature on top of the digital one without (partially) invalidating previous ones. And to nobody's surprise, you can't see digital signatures if you decide to print the document with it.

So pick your poison.

[shinycode]

In France/EU we can use certified eIDAS signature for documents. It’s not free but it makes the signature not worth nothing

[Muromec]

pdf signatures are certainly not worth nothing, in fact they are eIDAS compliant. It's just the government being the government so it's left hand doesn't trust the right one.

What eIDAS actually solves is not signatures, but strong identification. You log into the system and it knows your tax id or whatever primary identifier you have. It's promoted as a secure way to sign documents, but it's just technofetishism.

Non-repudiation isn't even a technical problem, as you can have verbal contracts too. Replying to an email is totally fine way to enter into a contract too, but something like invoices have to be signed or stamped (or both). If you request something from the government (in the Netherlands), ticking a checbox and pressing a button is totally legit and you don't have to dance around ECDSA for a single moment, because the left hand trust the right hand.

Now if somebody is conspiring with a tax officer to commit VAT refund fraud and then telling to the judge they didn't send any refund and never got any money -- it's not checkboxes and pdfs to blame really.

[gamblor956]

???

We use Docusign (and occasionally Adobe Sign) for multi-client/multi-organization contracts all the time at my job. Docusign essentially acts as an escrow service for signatures. You need to make sure that all of the signers' are set up when you first send out the document for signatures. It doesn't matter whether they're part of a separate Docusign account or not; that just affects how they access the document after it's been signed by all parties.

If you're baking in "batches" of signatures into the PDF so you can do multiple rounds of signatures...you're using it wrong...and quite possibly invalidating the whole point of using Docusign (or a competitor) in the first place since your edited pdf is no longer authentic and wouldn't be admissible in a court.

[popcalc]

https://news.ycombinator.com/item?id=42484410

https://news.ycombinator.com/item?id=21591466

Want to comment?

[gamblor956]

My comments were from 2019. Paypal acquired Honey in 2020, and MegaLag's "expose" is for their alleged post-acquisition business practices.

I make no claims that their business model remained the same after the acquisition. But on that note: Paypal's acquisition of Honey was vetted by multiple law firms and by regulators in the U.S. and Europe, and even scrutinized by shortsellers. Nobody found anything wrong with Honey's business model or any serious legal risks with what they were doing. Another public company, Rakuten, has since launched a competitor to Honey with the same business model (and some of the same personnel).

Seriously. If Honey was doing something wrong, at the very least the shortsellers would be all over this because they'd be making a killing. This morning, Paypal's stock barely budged (and has actually gone up after-hours now that the market has had time to review MegaLag's "expose"). That should speak volumes to anyone with common sense.

[greatgib]

If you think about it, the worse is just this kind of cargo cult to do the same thing that is used to be done with paper on a computer without really understanding why you do it.

Like, on paper, you are supposed to all "sign" the same paper document to show that this is the same document/content that is agreed by everyone. And so, when you DocuSign it, people do the same thing with everyone signing the same document even with a fake "handwritten" signature....

But if you really think about it, the signature already proves the content, so you would only have to have all the parties sign individually their own "copy" and then exchange the signed pdf signed by them. If you own a copy signed by you, and a copy signed by another person, as we have the proof of the content of each one, you know that it is the same contract that was agreed...

[Muromec]

>If you own a copy signed by you, and a copy signed by another person, as we have the proof of the content of each one, you know that it is the same contract that was agreed...

Then you need to show a third party the contract signed by both sides. On paper or sent by fax. When you say digital document trust services eIDAS, the party replied that it's not a participant in the trust architecture (as defined by eIDAS-implementing law) and didn't buy the license for software needed to verify it. The party is a judge, so they are right and you are wrong. True story that did actually happen and nobody was even disputing the fact of document being signed.

[sschueller]

I was told by two Swiss lawyers not to ever use DocuSign. Either use paper like before or the eSign service from Swisscom [1] which holds up in court.

[1] https://www.swisscom.ch/en/about/news/2023/10/12-sign.mobile...

[madeofpalk]

What makes the Swiss telecom product better other than regulatory capture preferencing domestic products?

[Muromec]

Probably its electronic signature vs qualified digital signature. At the very least with swiss telecom they know who is keeping root certs at the end of the chain of trust.

[YawningAngel]

Shouldn't it be possible to use a Merkle tree or similar structure to allow signature chains?

[NerdSniper9001]

Lol your workflow is fucked, mate. You need to unfuck it. Docusign is a fine tool. You just don't know how to use it.