[gruez]

>Anything else is not a "real" signature, as far as I'm concerned.

Courts don't really care about ECDSA signatures or x509 certificates. They readily accept faxed documents, which are literally low resolution scans and are trivial to forge. Moreover "real" digital signatures still need key management, which is basically an unsolved problem in countries without government issued e-ids. What's the practical difference between docusign attesting that jonh smith signed a document on some web interface, and john smith signing a document with a s/MIME certificate issued by docusign?

[ggm]

Came to say this. Courts have been dealing with intent vs proofs for a long time and the intent is central. Some jurisdictions used (maybe still do) stipulate real hand on real pen in real ink, sometimes even colour of ink. But at large, your intent to declare something by signing even with an "X" is taken as such.

Obviously as a computer scientist I want a render of my sig as an image/logo to underpin "the SHA512 checksum of the input byte stream under these canonicalisation rules <here> applied to this use of my X.509 private key" but in fact, I just have a clip of my signature as a PNG which Apple's preview tool pastes as an image into PDF documents and I send them on, and its fine.

Docusign is trash-theatre. Its secure because they say so. It may marginally add some value in some jurisdictions, I don't know.

Remember in Scotland, verbal contracts are binding with no need to witness. Bizarre! A family member nearly sold the flat under-value except the buyer was kind about it and accepted it was unintentional language not a verbal acceptance of offer.

[dragonwriter]

> Docusign is trash-theatre. Its secure because they say so.

Docusign's system is designed very specifically around the legal requirements of the US federal E-Sign Act, which guarantee, for transactions in interstate or foreign commerce, that even if there is a statute, regulation, etc., on its face requiring a written agreement, the electronic signature will be treated as satisfactory.

It did not become popular because it was viewed as particularly secure, it became popular because it was point-by-point checklist following the E-Sign requirements, and there are lots of entities who wanted to legal guarantees that come with complying with E-Sign.

> Remember in Scotland, verbal contracts are binding with no need to witness. Bizarre!

For most matters (there are some matters that legally--either by common law or statute--require a written contract) verbal contracts are binding without a need to witness in most common law jurisdictions (including the US); written and signed contracts are important even then because they provide evidence of both the content and the fact of the agreement, even when they are not required for a binding agreement to exist. Proving the existence and terms of an unwritten, unwitnessed contract when you want to take action over a breach by your counterparty can be tricky.

[RandomBacon]

> Remember in Scotland, verbal contracts are binding with no need to witness.

The same in the U.S., it's just a matter of proof.

[DaiPlusPlus]

> Courts don't really care about ECDSA signatures or x509 certificates. They readily accept faxed documents, which are literally low resolution scans and are trivial to forge

I'm aware (I asked a similar question almost 10 years ago[1] - but my love-affair for S/MIME is really quite unrelated to legal-repudiation: it's about basic e-mail security: S/MIME gives us encryption, which is still really late-to-the-party as even today probably all of our emails could be read by our MX/MTA sysops; and S/MIME signatures solve SMTP's unauthenticated sender problem (and sidesteps all of the half-measures since then to try to put the cat back in the bag like DKIM, SPF, etc). All of this is far removed from DocuSign and other "document signing" services, really.

But yes, I'll readily admit S/MIME is entirely irrelevant outside of paranoid security.txt contacts and is practically unusable by the masses - and then some.

[1]: https://security.stackexchange.com/questions/116896/are-docu... ) -

[jfengel]

Legally I don't think DocuSign will attest to anything. I wouldn't trust that for anything significant. It's only good when everyone is going in good faith. If there is a serious dispute you need lawyers.