My understanding (possibly incorrect) is that competing with DocuSign is hard because of the need to follow obscure state and national laws (many of which are defined by case law rather than published law) in order for the signatures to be legally binding.
Is that the case? And if so, is there evidence OpenSign has done this kind of SME research to make sure the electronic signatures are legally binding, or is this more "we brought in some devs and UI designers and built something" without actual legal review and guidance?
I haven't researched the law here in a while, but my general impression the last time I did was that there isn't much in the way of legal requirements for signing things digitally beyond the federal ESIGN Act, general principles of state contract law, and the smattering of very particular kinds of transactions that require processes like notarization or recording. For everyday deals between the vast majority of people and companies, it really comes down to whether what the e-sign collects and saves will be available and convincing down the line, when there's a dispute.
All that said, I have both implemented electronic signature in my own software and reliably recommended clients running sales ops just buy DocuSign. Familiarity and credibility can matter way more than legal or technical details...or not at all.
We also generate a completion certificate that has the time & IP addresses of everyone who accessed and modified a doc during the entire signing process, plus we are open source, which means more transparent. We plan to publish a lot of content in that space, but with limited resources currently we plan to build the product features first. Also, we are soon going to start our fundraising efforts, which will ultimately speed things up.
Lawyer here. Not legal advice. Really not that much by way of law to consider. If everyone agrees that an E-signature is good, then, generally speaking, an e-signature is good. I’d suggest it’s more on the people actually drafting the documents being signed than the software layer facilitating.
Lawyer here as well, but from Europe. Here the same is true, unless the government is involved.
Documents from/to any agency, including anything that has any tax relevance, - generally speaking (there are many caveats) - shall be signed with services compliant with the e-signature standards provided by Regulation 2014/910/EU (in short: PADES, CADES, XADES).
Out of curiosity: is there a similar requirement in terms of e-signature in the US when documents need to be sent to some agency, such as the IRS?
Not a lawyer, but I know the position in the UK is pretty simple and much the same.
The purpose of someone like Docusign is to provide a trusted third party to provide evidence.
For most purposes GPG signed email (or anything else with a similar signature) would work perfectly well provided you could prove who the keys belong to. In fact it would be better than DocuSign who can (from the few documents I have signed) ultimately only really show they sent an email with a signing link to your email address.
The last one from them has a warning:
"Do Not Share This Email This e-mail contains a secure link to DocuSign. Please do not share this e-mail, link or access code with others."
True. Even if one party from the signers doesn't trust e-sign, it won't work. But the number of people thinking an e-signature is good is only increasing day by day.
Wouldn’t it be amazing, since e-signatures have been around for ages, if governments just published the requirements for legally binding digital signatures rather than asking each maker to go talk to them and get some obscure license or blessing?
Yeah, it's already happening in a lot of regions across the world. We see a future that will have more open standards; it is precisely the reason we are working on this solution now.
You know that there's nothing stopping an open source project funded as a not for profit from doing the same thing right?
If something is hard, that's an argument for making a standard not for profit version of it, so it becomes a common good instead of platform rent seekers keeping out competition by saying it's "too hard".
You're getting a lot of responses to the effect that there aren't really any laws that require particular formalities to sign contracts, and while this is true in the "normal case" in many jurisdictions, there certainly are some categories of document that have more specific signing requirements. In most common law jurisdictions, for example, certain agreements must be signed as deeds, which require certain formalities to be observed, and without enabling legislation it's not always easy to square these formalities with electronic signatures.
Thanks for asking the right question. We are taking legal help to be compliant with various jurisdictions. Our solution is currently able to safely sign a document with a digital signature that will make it tamper-proof and show a green tick in Adobe PDF while keeping track of incremental annotations added by multiple signers. We envision adding support for eIDAS and AADHAAR e-sign (widely accepted in India) very soon.
> Our solution is currently able to safely sign a document with a digital signature that will make it tamper-proof
Who holds the secret key that actually signs the document? If this is in fact a self-hosted, open-source, project then clearly the user does, and they could sign a different, tampered, version of the document after the fact. I would hesitate to use the term "tamper-proof" in that situation. Right now your documentation doesn't make it clear how this actually works.
I'll also point out, that even if you were using my OpenTimestamps scheme or some other secure timestamping system, I would still hesitate to call the solution "tamper-proof". The problem is that even with timestamps someone can in many situations pre-generate alternate versions of a document in advance. Calling this type of system "tamper-resistant" is better IMO.
Your overall understanding is correct. People pay DocuSign to "think" of everything for them (which is not at all bad, it just comes at a cost). Depending on the space, you have to deal with crazy laws that no one in their right mind would know about (nor think to even consider).
Essentially, "no one ever got fired for signing with DocuSign" (play on IBM).
I'm late to the party here, but if the authors want real world examples, please reach out.
You are right. But there are many Individuals/companies who cannot benefit from DocuSign's trust because of the price tag. We want to provide them the free/ open source option and during the process build a brand that is equally trusted if not more than DocuSign.
Are there really any laws requiring special types of signatures? Because I've never had a legal doc sent to me that they weren't fine with just stamping my signature on the line or even printing it out, signing it, and scanning it back in.
European Union (and some states connecting with the same infrastructure, like Switzerland), have standardized formats as well as defined CAs that provide certificates for "qualified" signatures, which have the same legal weight as if you had a printed document with physical signature.
DocuSign supports those mainly through some interop connections where, for example, a qualified signature vendor provides an API that DocuSign can use to sign the document.
There is one state agency in the USA that requires wet black ink for contracts. I forgot which state it is; this happened two years ago. They said no exceptions, it has to be a wet black signature, period. They will inspect the PDF to check that the signature is not e-signed.
It was odd because I handled federal and state contracts in previous job, they don't have a problem with e-signature.
Depends where you are but contracts and other legal documents are only ultimately enforceable in court usually. Electronic signatures tend to shorten that process somewhat as they provide signatory verification, contract integrity and ID verification so it's seen as a legal risk and cost mitigation rather than an actual hard contractual requirement.
It depends on the jurisdiction you are located in and the level of legal safety and acceptance you need. Our solution is already able to digitally sign the document, which kind of makes it tamper-proof, and electronically sign (draw annotations), which will have you covered in most regions. Some regions have specific laws: for example India has the IT Act 2000, the US has UETA & the ESIGN Act, while Europe has eIDAS.
You are incorrect. I'm not familiar with any law that requires Docusign in any jurisdiction in which I practice.
The Federal Esign Act provides: 15 USC 7006(5):
The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
AFAIK, anything that is intended to be a signature, is a signature. This can be a hand-drawn "X", a signed name, a typed name, a fingerprint, a rubber stamp, clicking "I Agree" checkboxes, etc.
Close, the whole point of docusign is to avoid all of that by, one, paying docusign to solve those problems, and two because docusign is a "neutral" 3rd party who has good housekeeping records compared to "Opensign" where a self hosted sleazy hacker may decide he wants to fudge the datestamps on the signatures etc.
Note that DocuSign does not automatically provide this as well in Europe. For example, in Germany, digital signature is not legal at all. So for every occasion, DocuSign is mainly used as a binding in a nonlegal way (for example, employee and employer agreed on paper that there will be a contract). But until both of you signed a physical copy, this is not legally binding at all.
Our understanding is that DocuSign does not have any legal authority, they prove the chain of custody/modifications using digital traces which our solution can also do, arguably in a more open way.
Depends on the jurisdiction and your definition of "hard" - in the EU there's some kind of qualification process by the regulators, but the system is supposedly designed to encourage competition and be open to new providers, and it's enough to be approved by one country's regulators, I think.
> For comprehensive guidelines on how to use OpenSign, please consult our User Manual.
FYI, USAGE.md seems to be missing.
Also, a suggestion: while I agree with other posters that this isn't a replacement for the third-party trust model DocuSign provides, you might as well use my OpenTimestamps project to timestamp the documents OpenSign produces. Being able to prove that a document was in fact created in the past, before a dispute existed about the document, is significantly better than not being able to prove that. OpenTimestamps is free and open source, using Bitcoin so that you don't have a trusted third party. Timestamps made with OpenTimestamps are free, as merkle trees are used to allow the whole world's documents to be timestamped with a single Bitcoin transaction.
A good example of how it's been used recently is by the official election authority in Guatemala to timestamp polling documents in their recent presidential election: https://www.youtube.com/watch?v=g0nnM5_Z90E
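To make the two points above concrete (the reply saying that timestamps are still only "tamper-resistant" because alternate versions can be pre-generated, and the description of Merkle trees letting many documents share one commitment), here is an added illustration of a Merkle-tree timestamp batch with inclusion proofs. It is written for this page and is not OpenTimestamps or OpenSign code: the 0x00/0x01 hash domain separation, the promote-unpaired-node rule for odd levels and the `anchor` dict (a stand-in for the Bitcoin transaction a real system would commit the root to) are this example's own assumptions. The sample documents are constructed.

```python
"""Toy Merkle-tree timestamping in the spirit of OpenTimestamps.

Added example for this thread, NOT OpenTimestamps or OpenSign code.
Assumptions: SHA-256 with 0x00 (leaf) / 0x01 (node) domain separation,
unpaired nodes are carried up unchanged, and `anchor` stands in for the
on-chain transaction that would carry the batch root and block time.
"""
import hashlib
from typing import Dict, List, Tuple

Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling_is_left)


def leaf_hash(document: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + document).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(node_hash(cur[i], cur[i + 1]))
            else:
                nxt.append(cur[i])  # odd count: carry the last node up as-is
        levels.append(nxt)
    return levels


def merkle_root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling path from leaf `index` to the root (carried nodes need no step)."""
    proof: Proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: Proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def commit_batch(documents: List[bytes], block_time: int) -> Tuple[Dict, List[Proof]]:
    """Aggregate a whole batch into one root; one 'transaction' covers them all."""
    levels = build_levels([leaf_hash(d) for d in documents])
    anchor = {"root": levels[-1][0], "block_time": block_time}  # stand-in for on-chain data
    return anchor, [inclusion_proof(levels, i) for i in range(len(documents))]


def verify_timestamp(document: bytes, proof: Proof, anchor: Dict) -> bool:
    """True iff `document` existed no later than anchor['block_time']."""
    return verify_proof(leaf_hash(document), proof, anchor["root"])


def demo() -> Dict[str, bool]:
    # Constructed sample data. A dishonest party who anticipates a dispute can
    # put an alternate version into the SAME batch: both versions then carry a
    # valid timestamp, so the proof shows existence, not which one was agreed.
    honest = b"Agreement v1: price 100, signed by Alice"
    alternate = b"Agreement v1: price 1000, signed by Alice"  # pre-generated
    unrelated = b"Unrelated document from another user"
    anchor, proofs = commit_batch([honest, alternate, unrelated], block_time=1_700_000_000)
    return {
        "honest_ok": verify_timestamp(honest, proofs[0], anchor),
        "pregenerated_alternate_ok": verify_timestamp(alternate, proofs[1], anchor),
        # A version invented AFTER the batch was anchored has no valid path.
        "edited_after_anchor_ok": verify_timestamp(b"Agreement v1: price 5", proofs[0], anchor),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `edited_after_anchor_ok` result is what a timestamp does give you: a document produced after the anchor cannot be made to verify against it. The `pregenerated_alternate_ok` result is the caveat: anything committed before the dispute verifies equally well, which is why "tamper-resistant" is the honest word and why the question of who holds the signing key still matters.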
Thanks for the suggestion. We will definitely consider this. We have just released v1 48hrs before. We are working hard to put together a usage guide with docusaurus. You will see huge updates to documentation soon.
> You will need to create an AWS S3 bucket or digital ocean space in order to store your uploaded documents
The org I work for would love to self-host on-premise a digital signing solution so they definitely won't use external dependencies like AWS. Theoretically they could swap with minio but last time we used it it was not a drop-in replacement yet.
> Theoretically they could swap with minio but last time we used it it was not a drop-in replacement yet.
Depends on whether AGPLv3 works for you or not (or whether you decide to pay them), I guess: https://min.io/pricing
I've actually been looking for more open alternatives, but haven't found much.
Zenko CloudServer seemed to be somewhat promising, but doesn't seem to be managed very actively: https://github.com/scality/cloudserver/issues/4986 (their Docker images on DockerHub were last updated 10 months ago, which is what the homepage links to; blog doesn't seem active since 2019, forums don't have much going on, despite some action on GitHub still)
This is naïve. DocuSign's main sell from a commercial perspective is it separates the parties into the signer, the signee and the authority. If the authority is the signee or the signer then it could be considered unfair. And really no one wants to end up having to hire lawyers to unfuck that mess.
Not only that, DocuSign does ID verification if you pay them, which is required for a bunch of contract types. This definitely does not!
DocuSign doesn't provide anything other than convenience. Generally, in the law, either a signature must be notarized or it doesn't. Docusign isn't a notary, it's really just an electronic document courier. If the legitimacy of a signature is challenged, Docusign isn't going to hire a forensic expert to testify that John Smith was actually the person who logged in and clicked the link. All they can say is that someone with access to the link from IP address 1.1.1.1 clicked Agree.
We are working on all these features, even an optional webcam capture during signing. This is just the beginning. Even with current features we are arguably the most complete solution in this space in open-source world.
I appreciate what you're doing but we buy DocuSign so the problem is far far away from us. This turns it into a problem we have to manage ourselves or a problem of finding a vendor stable enough to host your stuff that will make it not our problem long enough for the longest contract retention to expire. Which is difficult.
No business cares about whether it is open-source or not. They care about when things somehow end up in the court, there is clear understanding of a signed document and nobody has any question about it. More or less a guarantee -- probably not really a guarantee but good enough to hold in court. If your selling point is open source or "free" you have already lost.
I wish there was a free alternative to the German/Europe QES ("Qualified Signature"). The cheapest currently is about 20 EUR/ Month and allows you to make 3 Signatures. Others ask for 50 EUR for each QES. I hate to pay for my own Signature! We need something like Let's Encrypt for signatures.
I wanted to come back here and add a thank you. I registered at a-trust through their EU-Identity Login and now I am able to sign 5 Signatures (QES) for free each month. Great!
> We need something like Let's Encrypt for signatures.
It's not the technical infrastructure, it's about trust. LE only solved the problem of safe transport, but not verification of authenticity of the endpoints. That's what incurs such cost.
The endpoint (my ID) is free - it can be used to verify myself digitally. And that is what all QES services do, initially (once). What other costs if not hardware/bandwidth apply?
In Belgium you can digitally sign documents with your e-ID (mandatory ID card issued by the government) and it has the same value as "classic" hand signed documents. I use it myself for everything, whenever I get a PDF I just sign it with my e-ID and send it along its way.
When dealing with government entities, you may run into policies of those entities that require use of a pre-approved service. For example: https://www.sos.ca.gov/administration/regulations/current-re...
https://www.nationalnotary.org/knowledge-center/remote-onlin...
For the US one, at least, they give examples of where electronic signatures are pretty common and straightforward, and where you need to be careful.
Software-wise, they have features to help you show evidence of who signed, where, and when in multiple ways. Nothing magical, though.
If there were secret sauce, you would think they’d mention it prominently, but they don’t.
https://www.docusign.com/products/electronic-signature/legal...
Article 26 (linked below) describes the requirements for an electronic signature to be legally binding.
https://www.eid.as/#article26
https://en.m.wikipedia.org/wiki/EIDAS
https://en.wikipedia.org/wiki/Deed
https://opentimestamps.org/
https://github.com/OpenSignLabs/OpenSign/blob/main/INSTALLAT...
And it says you can auto-deploy to DigitalOcean (neat) and to a local server, and instructions are included for both.
There's the bit on AWS S3 which makes sense but then no build/install instructions for local deployment. are those somewhere else?
It's not a problem if Minio is bundled into the self hosted stack as long as it's officially supported (paying for support is also okay).
There was also Garage, but that one is also AGPLv3: https://garagehq.deuxfleurs.fr/
The closest I got was discovering that SeaweedFS has an S3 compatible mode: https://github.com/seaweedfs/seaweedfs
What's even worse is that in Germany most companies and authorities refuse to accept those digitally signed PDFs.
Since the project is open-source, update the documentation with local setup, architecture and the design decisions made.