The Signinghub API: Ink the Deal With Secure Digital Signatures

The Signinghub API helps accomplish something that looks simple (see image below) but is tricky to do securely: digitally signing a document. The API, which uses REST-based web services with XML responses, makes it possible to incorporate digital signing based on Public Key Infrastructure into your application. (According to Wikipedia, "A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.")

The API allows you to add users and to upload documents and track them through a workflow, among many other functions. In a discussion of its e-signing app for the iPad, Signinghub explained why it's not enough to just scrawl your John Hancock across the glass.

...just signing your e-signature provides no security from copying this image and placing it on other documents. Also the e-signature cannot detect later edits to your documents. What’s different about the SigningHub app is that it overcomes these limitations by also creating advanced, long-term PKI digital signatures which sit behind you[r] hand-drawn e-signatures. Each user has his or her private digital signature PKI key securely managed on the server. The server also keeps a secure detailed audit trail of all signing operations.
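The difference described in the quote above, as an added example that is not SigningHub's code or API: a copied signature image "matches" on any document, while a signature computed over the document bytes fails after an edit or a transplant. The Ed25519 key pair, sample documents and function names are constructed for illustration; the page does not say which algorithm SigningHub uses.

```javascript
const crypto = require("crypto");

// Constructed sample inputs: two documents and stand-in bytes for a hand-drawn signature image.
const contract = Buffer.from("Alice agrees to pay Bob 100 USD.");
const otherDoc = Buffer.from("Alice agrees to pay Mallory 100000 USD.");
const inkImage = Buffer.from("constructed stand-in for signature image bytes");

// Hypothetical signer key pair, generated locally for this demo.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");

// Length-prefix the document so the document/image boundary is unambiguous.
function payload(doc, ink) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(doc.length);
  return Buffer.concat([len, doc, ink]);
}

// Image-only e-signature: the check can compare the picture but has
// nothing that ties it to the document, so `doc` is never consulted.
function imageOnlyAccepts(doc, ink) {
  return ink.equals(inkImage);
}

// Digital signature computed over the document and the image together.
function sign(doc, ink) {
  return crypto.sign(null, payload(doc, ink), privateKey);
}

function verify(doc, ink, sig) {
  return crypto.verify(null, payload(doc, ink), publicKey, sig);
}

function demo() {
  const sig = sign(contract, inkImage);
  const edited = Buffer.from(contract.toString().replace("100", "900"));
  return {
    imageOnOtherDoc: imageOnlyAccepts(otherDoc, inkImage), // copied image still "matches"
    original: verify(contract, inkImage, sig),             // untouched document verifies
    afterEdit: verify(edited, inkImage, sig),              // later edit is detected
    transplanted: verify(otherDoc, inkImage, sig),         // signature does not move to another document
  };
}

console.log(demo());
```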

Using easy-to-follow flowcharts, Signinghub demonstrates the intricacies of getting multiple parties to sign on to a document in a way that meets standards for being legally enforceable in the US, the EU and many other countries.

There are three phases: upload and add signers; prepare and send the document to the signers; and the signers review and sign the document.

Each phase has a few steps. In the first phase, after uploading the document and adding the names of the signers, you can change the order of the signers. In phase 2, preparation, you place the signature fields where you want the signatures, adjust the sizes if needed, add additional signers if needed, and move one or more signatures to a different page if required. In the last phase, the signer reviews the document prior to signing (one would hope!), and then has a choice: draw their signature or select a predefined image of their signature. Then comes the vital part for security: to make it work, you have to enter a password. Press sign and you are done.
