Show HN: OpenSign – Open source alternative to DocuSign (github.com/opensignlabs)
545 points by alexopensource on Oct 28, 2023 | hide | past | favorite | 160 comments



My understanding (possibly incorrect) is that competing with DocuSign is hard because of the need to follow obscure state and national laws (many of which are defined by case law rather than published law) in order for the signatures to be legally binding.

Is that the case? And if so, is there evidence OpenSign has done this kind of SME research to make sure the electronic signatures are legally binding, or is this more "we brought in some devs and UI designers and built something" without actual legal review and guidance?


I haven't researched the law here in a while, but my general impression the last time I did was that there isn't much in the way of legal requirements for signing things digitally beyond the federal ESIGN Act, general principles of state contract law, and the smattering of very particular kinds of transactions that require processes like notarization or recording. For everyday deals between the vast majority of people and companies, it really comes down to whether what the e-sign collects and saves will be available and convincing down the line, when there's a dispute.

When dealing with government entities, you may run into policies of those entities that require use of a pre-approved service. For example: https://www.sos.ca.gov/administration/regulations/current-re...

All that said, I have both implemented electronic signature in my own software and reliably recommended clients running sales ops just buy DocuSign. Familiarity and credibility can matter way more than legal or technical details...or not at all.


Remote online notary services (DocuSign is one) have a TON of legal and regulatory requirements, for obvious reasons.

https://www.nationalnotary.org/knowledge-center/remote-onlin...


Supreme Court said you can agree to things online a while ago.


Nothing in the American legal system is that straightforward and simple, even less so among our Supreme Court. Things got even more confusing now that this year the Supreme Court has set a new precedent that they can now overturn their own rulings from decades earlier.

While I think that’s generally true that online signatures are acceptable in most circumstances, I’d be careful to blindly believe it as a blanket statement.


> this year the Supreme Court has set a new precedent that they can now overturn their own rulings from decades earlier

What happened this year specifically?

Dobbs was in June 2022, but that isn't even close to the first time that the Supreme Court overturned precedent from 50+ years prior -- Brown v Board largely overturned Plessy v Ferguson ("separate but equal") from nearly 60 years prior.

And, we've had plenty of Supreme Court precedents overruled since the 19th century. According to Congress: https://constitution.congress.gov/resources/decisions-overru...

(Most of those never rose to the level of landmark decisions, but Plessy certainly did.)


Eliminating separate but equal was based on the evidence of how that statute was used.

Eliminating abortion protections was based on "we don't think the founders meant that" which is a form of consideration never before used.

This kind of test is effectively in the eye of the beholder. You can say whatever you want and disproving it requires Goldilocks evidence.

You can't talk about the case law the American system was based on even if it was adopted wholesale and unchanged. You can't talk about the intervening decades and how the legal system handled things.

You need to basically quote the founding fathers talking about a specific topic or the Supreme Court can say "no I disagree" and overrule you.


> Eliminating abortion protections was based on "we don't think the founders meant that" which is a form of consideration never before used.

Textualism and originalism have been in play for decades -- off the top of my head: 2008's DC v Heller basically codified today's broad interpretation of the second amendment's protections.

I don't personally agree with the decisions (among other things, the resulting patchwork application of laws has meant that your access to abortion is dependent on how strong your state's Democratic bent in the statehouse(s) is), but it's not novel to the past decade, even. The only new development from the past 5-10 years is the presence of 5 votes on the court willing to overturn Roe's long-standing precedent.


Wasn't DC v Heller ghost written by the same group as Dobbs? (not literally but guided in a similar fashion)

Of course it is similar; it was a test bed to pull this.

At least DC v Heller could point to actual facts to back up its interpretation. Dobbs just dances around the idea saying "we believe" a lot and super focusing on the Supremacy clause in a way not seen in... I couldn't even say how long ago it was that the SC said it couldn't restrict something in that way.


> Wasn't DC v Heller ghost written by the same group as Dobbs? (not literally but guided in a similar fashion)

What, the Federalist Society? In as far as the last three justices willing to overturn Roe were hand-selected by them, yes, but there was little doubt that any of them would vote to overturn Roe even before their confirmations.

> At least DC v Heller could point to actual facts to back up its interpretation. Dobbs just dances around the idea saying "we believe" a lot and super focusing on the Supremacy clause in a way not seen in... I couldn't even say how long ago it was that the SC said it couldn't restrict something in that way.

On one hand, there's a difference between who authored those opinions (say what you will about Scalia, but his application of originalism didn't have as clear of a partisan bent). On the other, there was clearly an effort to thread the needle such that both Thomas (who wanted Dobbs to go so much further) and Roberts (who has started to think about his court's legacy and its public perception) were willing to sign onto said opinion.

I suspect we would have had the same style of opinions 5 years ago if it had been Ginsburg instead of Scalia who passed away in 2016.


Wasn't Originalism brought to Roberts decades ago by right leaning groups trying to push him towards more explicitly Conservative rulings?

I am not saying he is partisan but it is hard to say he is neutral when Originalism has been used as a hammer to eliminate Liberal ideas like "maybe we shouldn't regulate modern guns used to kill dozens like muskets" or "what right does the state have over what health care a woman chooses with regards to the most dangerous thing she will do in her life".


Yeah, originalism isn't particularly new.

I'm not saying Roberts is actually neutral, for what it's worth. He just doesn't want his court to be seen as particularly partisan. He and Kavanaugh are just the closest we have to the center of the current court.


Roe v. Wade


That is covered by the comment you replied to


I would blame the congress more than the supreme court for Roe being overturned.

The legal precedent was made in the initial supreme court ruling, all someone needed to do in the legislature is codify it into law.

But no, laziness and re-electability on both sides, led to the ruling being overturned in the second examination of Roe.


Click wrap is binding.


Does this hold true in the rest of the world?


Canada you can use whatever you want, and it also includes things like "doing activities". Like if you click an "approve" button that can be considered a signature.


I am in Australia and the situation is largely the same.


DocuSign itself just refers you to your own counsel for legal advice, but does publish and update a handy multi-country legal reference.

For the US one, at least, they give examples of where electronic signatures are pretty common and straightforward, and where you need to be careful.

Software-wise, they have features to help you show evidence of who signed, where, and when in multiple ways. Nothing magical, though.

If there were secret sauce, you would think they’d mention it prominently, but they don’t.

https://www.docusign.com/products/electronic-signature/legal...


We also generate a completion certificate that has the time & IP addresses of everyone who accessed and modified a doc during the entire signing process, plus we are open source which means more transparent. We plan to publish a lot of content in that space but with limited resources currently we plan to build the product features first. Also, we are soon going to start our fundraising efforts which will ultimately speed up things.


Those certs integrated with any Timestamp Authority?


And soon after, suddenly the Pricing page appears, and after 3 months of disappointment convenient features turn into paid ones. In some more years it is just as expensive as DocuSign.

Eh sorry, I’m just sad about Rocket Chat.


The self hosted version will always be free :)


Your CONTRIBUTING.md file says "By contributing, you agree that your contributions will be licensed under its MIT License." Since OpenSign is AGPLv3, why don't you allow contributions under the same license, if the self hosted version will always be free? I'm worried that the purpose of that might be to let you make it proprietary later.


AGPL for thee but not for me, for I require MIT.

To be fair, this is an entirely reasonable way to do business, but it's also a bit funny.


I guess this allows them to integrate with proprietary code on their back end if necessary, whilst making it hard for a competitor to take their code and undercut them, since most corps with proprietary software to protect won't touch AGPLv3 with a barge pole.

Nothing prevents an AGPLv3 fork if OpenSign goes proprietary in future.

I'd rather this approach than yet another non-standard Amazon-proof licence.


> I guess this allows them to integrate with proprietary code on their back end if necessary

Couldn't they have accomplished that just by asking for GPLv3 instead of AGPLv3? That would let them do so without letting them make the self-hosted version non-free, unlike asking for MIT.

> Nothing prevents an AGPLv3 fork if OpenSign goes proprietary in future.

Yes, but this would be true for almost any FOSS license offered and regardless of what they ask of contributors.

> I'd rather this approach than yet another non-standard Amazon-proof licence.

I very much agree with this.


I've been using rabbitsign since 2021 to get signatures on legal docs for work.

Covid made this acceptable.

https://www.rabbitsign.com/


Lawyer here. Not legal advice. Really not that much by way of law to consider. If everyone agrees that an E-signature is good, then, generally speaking, an e-signature is good. I’d suggest it’s more on the people actually drafting the documents being signed than the software layer facilitating.


Lawyer here as well, but from Europe. Here the same is true, unless the government is involved.

Documents from/to any agency, including anything that has any tax relevance, - generally speaking (there are many caveats) - shall be signed with services compliant with the e-signature standards provided by Regulation 2014/910/EU (in short: PADES, CADES, XADES).

Out of curiosity: is there a similar requirement in terms of e-signature in the US when documents need to be sent to some agency, such as the IRS?


Not a lawyer, but I know the position in the UK is pretty simple and much the same.

The purpose of someone like Docusign is to provide a trusted third party to provide evidence.

For most purposes GPG signed email (or anything else with a similar signature) would work perfectly well provided you could prove who the keys belong to. In fact it would be better than DocuSign who can (from the few documents I have signed) ultimately only really show they sent an email with a signing link to your email address.

The last one from them has a warning:

"Do Not Share This Email This e-mail contains a secure link to DocuSign. Please do not share this e-mail, link or access code with others."


Not a lawyer but I do deal with contracts under English law day in day out for my day job.

Docusign always saves the IP addresses and timestamps for any signatures. In addition it can be set up to require 2FA prior to accepting a signature - e.g. our lawyers will set it up to require an SMS 2FA confirmation and I've heard them say that this is a hard requirement for deeds as opposed to simple contracts (though whether that's down to law firm policy, Docusign policy or court precedent I don't know).


For most purposes a normal email with no signatures is fine too.


True. Even if one party among the signers doesn't trust e-sign, it won't work. But the number of people thinking an E-signature is good is only increasing day by day.


I think by everyone they meant everyone involved in the contract being signed


Wouldn’t it be amazing, since e signatures have been around for ages, that governments just published the requirements for legally binding digital signatures rather than ask each maker to go talk to them and get some obscure license or blessing?


Yeah, it's already happening in a lot of regions across the world. We see a future that will have more open standards; it is precisely the reason we are working on this solution now.


In the EU this is actually the case since 2016. There's this regulation called eIDAS (electronic IDentification, Authentication and trust Services).

Article 26 (linked below) describes the requirements for an electronic signature to be legally binding.

https://www.eid.as/#article26 https://en.m.wikipedia.org/wiki/EIDAS


How else will DocuSign have a moat??


You know that there's nothing stopping an open source project funded as a not for profit from doing the same thing right?

If something is hard, that's an argument for making a standard not for profit version of it, so it becomes a common good instead of platform rent seekers keeping out competition by saying it's "too hard".


How do you personally differentiate between “rent seeking” and running a business?


Not the OP, and this isn't something I'm dramatically invested in, but...

Rent seeking would be designing a product for collecting rent (not a one time payment) for a product (e.g. SaS) that doesn't wear out or has separate maintenance costs. Like a house that is rented the value comes from the income stream and it likely is adjusted by something like inflation.

Not renting would be selling a product for a one time fee, perhaps even if there are many customers (you still get to play ticket pricing games like the airlines so different people pay different amounts at different times, but not as variable as rent). Making the product non-transferable blurs the rent line a bit. Also not rental is the maintenance or improvement on the product (or the house) since that is new work that is being done.

It used to be that only physical objects were rented and services were inherently work and required new effort/ingenuity to be solved each time. However, with the introduction of art reproduction (visual, audio, physical) and copyright/patent, as well as, non-perpetual licensing of software this is no longer the case. It's possible to hold a piece of intellectual property and collect perpetual rent with little or no future investment.

It does create a different incentive structure that can be quite customer hostile.


Rent seeking is trying to create a legal/regulatory structure that means you can farm people. E.g. coming to the UK from some countries you need to prove you can speak English. Assuming you can, and you need a waiver on the test, there is a sole organisation you can pay hundreds of pounds to, to send them your degree certificate, and for them to say in some government UI "yes, this probably means they can speak English".

It's not just general and optional recurring payments.


Regulatory lock-in is certainly one method of guaranteeing rent. I'd argue copyrights and patents are as well. Microsoft and Google get accused of rent seeking because of their near monopolies, but I don't think most of their income is particularly based on regulation. You find other forms of lock-in can come from network effects in social media (Facebook), or B2B lock-in due to outsourcing of basic business operations (IBM, Oracle, Salesforce).


I think the accusations can be divided into several categories:

- actual rent-seeking (as you say, not really true for companies such as Microsoft and Google, except where you see e.g. government documents needing to be submitted in Word. But that's very likely incompetence on behalf of the bureaucracy rather than Microsoft)

- having a dominant market position due to having a very high quality product, or set of products that work together well

- a random grudge phrased as rent-seeking, because the Twitter user in question doesn't know what rent-seeking is, but has seen their friends accuse companies of it

I don't know what the proportions are, but I suspect the former is minimal to nonexistent for e.g. Google.


You mean a SAS? The monthly payment goes towards support, maintenance, and further development. Or you could rebuy essentially the same thing every couple years.


I meant a SaaS, but mistyped it.


When it's 'done' and you keep collecting money, without adding additional value?

Like a slumlord who collects rent and does nothing to even maintain the property. Except perhaps vote down YIMBY reforms.



You're getting a lot of responses to the effect that there aren't really any laws that require particular formalities to sign contracts, and while this is true in the "normal case" in many jurisdictions, there certainly are some categories of document that have more specific signing requirements. In most common law jurisdictions, for example, certain agreements must be signed as deeds which require certain formalities to be observed, and without enabling legislation it's not always easy to square these formalities with electronic signatures.

https://en.wikipedia.org/wiki/Deed


Thanks for asking the right question. We are taking legal help to be compliant with various jurisdictions. Our solution is currently able to safely sign a document with a digital signature that will make it tamper-proof and show a green tick in Adobe PDF while keeping track of incremental annotations added by multiple signers. We envision adding support for eIDAS and AADHAAR e-sign (widely accepted in India) very soon.


> Our solution is currently able to safely sign a document with a digital signature that will make it tamper-proof

Who holds the secret key that actually signs the document? If this is in fact a self-hosted, open-source, project then clearly the user does, and they could sign a different, tampered, version of the document after the fact. I would hesitate to use the term "tamper-proof" in that situation. Right now your documentation doesn't make it clear how this actually works.

I'll also point out, that even if you were using my OpenTimestamps scheme or some other secure timestamping system, I would still hesitate to call the solution "tamper-proof". The problem is that even with timestamps someone can in many situations pre-generate alternate versions of a document in advance. Calling this type of system "tamper-resistant" is better IMO.


In the hosted version, we sign the document on behalf of the user using our own private key. Our roadmap also has the feature to bring your own cert (not relevant here). As soon as a user signs a document, a copy of the signed document is instantly sent to all the parties involved. This ensures that the signer cannot revoke the documents already signed. If the receiving party tries to modify the document, the signature becomes invalid. This is how we make sure that the docs are "tamper-proof" after signing.


That's a reasonable, and pragmatic, way to implement this. But I'd still call it "tamper-resistant". One reason why is in situations where senders or recipients have modified something, proving that the _keys_ used to sign the documents were the correct ones can itself be a difficult problem.


>This ensures that the signer cannot revoke the documents already signed. If the receiving party tries to modify the document, the signature becomes invalid

This, fortunately, is a feature of the PDF digital signatures standard.


Your overall understanding is correct. People pay DocuSign to "think" of everything for them (which is not at all bad, it just comes at a cost). Depending on the space, you have to deal with crazy laws that no one in their right mind would know about (nor think to even consider).

Essentially, "no one ever got fired for signing with DocuSign" (play on IBM).

I'm late to the party here, but if the authors want real world examples, please reach out.


You are right. But there are many Individuals/companies who cannot benefit from DocuSign's trust because of the price tag. We want to provide them the free/ open source option and during the process build a brand that is equally trusted if not more than DocuSign.


Not OP, but would love to see those real world examples.


Are there really any laws requiring special types of signatures? Because I've never had a legal doc sent to me that they weren't fine with just stamping my signature on the line or even printing it out, signing it, and scanning it back in.


European Union (and some states connecting with the same infrastructure, like Switzerland) has standardized formats as well as defined CAs that provide certificates for "qualified" signatures, which have the same legal weight as if you had a printed document with physical signature.

DocuSign supports those mainly through some interop connections where, for example, a qualified signature vendor provides an API that DocuSign can use to sign the document.


You are right, that is precisely the route we will also have to take for certain regions. For example in India, there are only 3 entities that are authorized by the government to enable Aadhaar based e-signature. We will have to integrate with any of those in order to be compliant. We have already started working in this direction.


More than Aadhaar-enabled signatures, India has a PFX-based digital signature system in place which is legally acceptable, as good as a physical hand signature.


A similar approach would be for signing documents in China.


There is one state agency in the USA that requires wet black ink for contracts. I forgot which state it is; this happened two years ago. They said no exceptions, it has to be a wet black signature, period. They will inspect the PDF to check that the signature is not e-signed.

It was odd because I handled federal and state contracts in a previous job; they don't have a problem with e-signature.


Depends where you are but contracts and other legal documents are only ultimately enforceable in court usually. Electronic signatures tend to shorten that process somewhat as they provide signatory verification, contract integrity and ID verification so it's seen as a legal risk and cost mitigation rather than an actual hard contractual requirement.


It depends on the jurisdiction you are located in and the level of legal safety and acceptance you need. Our solution is already able to digitally sign the document which kind of makes it tamper proof and electronically sign (draw annotations) which will have you covered in most regions. Some regions have specific laws, for example India has IT Act 2000, UETA & ESIGN Act while Europe has eIDAS.


You are incorrect. I'm not familiar with any law that requires Docusign in any jurisdiction in which I practice.

The Federal Esign Act provides: 15 USC 7006(5):

The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.


AFAIK, anything that is intended to be a signature, is a signature. This can be a hand-drawn "X", a signed name, a typed name, a fingerprint, a rubber stamp, clicking "I Agree" checkboxes, etc.


You're misreading OP, they're not saying anything about law requiring Docusign, they're saying that Docusign has invested in meeting the law.


Close, the whole point of docusign is to avoid all of that by, one, paying docusign to solve those problems, and two because docusign is a "neutral" 3rd party who has good housekeeping records compared to "Opensign" where a self hosted sleazy hacker may decide he wants to fudge the datestamps on the signatures etc.


Note that DocuSign does not automatically provide this as well in Europe. For example, in Germany, digital signature is not legal at all. So for every occasion, DocuSign is mainly used as a binding in a nonlegal way (for example, employee and employer agreed on paper that there will be a contract). But until both of you signed a physical copy, this is not legally binding at all.


AFAIK DocuSign acts as a trusted third party and protects/proves chain of custody. Think of them like a digital notary public.


Our understanding is that DocuSign does not have any legal authority, they prove the chain of custody/modifications using digital traces which our solution can also do, arguably in a more open way.


One thing that I think they provide (as opposed to the self hosted version) is just the fact of being a relatively neutral third party.

If there’s a dispute over the veracity of a signature, it’s probably helpful to have a third party say “according to our server logs and software stack, this was signed by johndoe@example.com at 12:41pm on August 3rd, from the IP address XX.XXX.XXX.XX, and they authenticated with their email and password”. If I’m self-hosting, it’s marginally less convincing when I’m before a court if I say *my* software stack says that, since I have more direct control over it.

So, I agree DocuSign doesn’t have a special status, other than being a relatively neutral third party to that dispute. But if a signature’s validity is being questioned, that third party status is probably somewhat helpful.


Late to the party here, but I deal in this space all day. You are 100% correct.

Disputes over eSignatures come up allllll the time. And if you mention that it was "DocuSigned"... although you have done nothing aside from name-dropping... it will essentially end the dispute. Not saying that it should. Just saying that it does.


Hopefully people will say “OpenSigned” one day and it will have the same impact.


I think that could totally be possible for your hosted offering, but my point is largely that I don't see how the self-hosted offering could ever get there, unless there was some technical measure that could prevent the operator of the system from tampering with the logs/database/etc.

Edited to add: mild disclosure, I’m working on a product that has e-sign as a feature. It’s not really the main thrust of the application, but probably worth mentioning here.


Electronic signatures legally recognized in the United States are provided for in the Electronic Signatures in Global and National Commerce Act (“ESIGN”) and state and territory versions of the Uniform Electronic Transactions Act (“UETA”).

These are the regulations you’ll want to adhere to in order to provide parity with digital signature authority of traditional commercial providers (in the US at least).

Great work btw!

(Not an attorney, not your attorney, but happy to chip in fiat so you can consult with counsel and obtain an opinion letter from one in support of your project)


UETA has been substantially adopted by 49 states. The state of New York has their own statute.

So, if you look at e-sign, UETA, and NY’s Electronic Signatures and Records Act, then you have fairly comprehensive coverage across the US.

Also not an attorney, and this is also definitely not definitive legal advice!


Saved the info in my notes. Will discuss it with our counsel in the next meeting. Thanks :)


Yes, making a mill for supposedly trusted third parties, over having an actual trusted third party, is a more open way.

Edit: I suppose in all except the free self hosted one, OpenSign would be the trusted third party, which I guess is more plausible. Unless the paid customers are given something close to root to administrate them. Still, a trusted third party is generally based on recognition. Even if I really dislike a company I eventually acknowledge they're trusted if it lasts long enough, like with ID.me. I didn't use ID.me until it was required for logging into the IRS and now I grudgingly admit that I think it's an extra security check on logging in. So until you're big like DocuSign I wouldn't view you in quite the same way as a trusted third party.

That does bring a question, are your paid customers prevented from going under the hood in such a way that they would also have to be trusted at such a level along with OpenSign?

--

This to say I'm open to using OpenSign, because there are plenty of uses where I would be open to using something that doesn't have this "trusted third party at the level of DocuSign" feature. The "digital notary public" analogy is apt. I sometimes sign documents with a notary, and other times without.


Great insights. The hosted version functions in more or less the same way as DocuSign with the added advantage of knowing what the code is doing under the hood. We don't intend to provide root/admin privileges as it's going to be a multi-tenant system at the end of the day.


Ah, I see. A multi-tenant system makes sense, I was thinking it might be closer to managed hosting. With managed often people have root or close to it. Just make sure people understand that it’s a multi-tenant system where the customers don’t have access to do anything which would make it less secure, unless they’re using the self-hosted version. And when you grow, maybe there will be an enterprise self-hosted and/or managed hosting version where the customer needs to be trusted to provide security. That would be appropriate with some potential customers.

So that leaves the challenge of becoming a well known trusted third party, which is a challenge but doable.


Depends on the jurisdiction and your definition of "hard" - in the EU there's some kind of qualification process by the regulators but the system is supposedly designed to encourage competition and be open to new providers, and it's enough to be approved by one country's regulators I think.


> For comprehensive guidelines on how to use OpenSign, please consult our User Manual.

FYI, USAGE.md seems to be missing.

Also, a suggestion: while I agree with other posters that this isn't a replacement for the third-party trust model DocuSign provides, you might as well use my OpenTimestamps project to timestamp the documents OpenSign produces. Being able to prove that a document was in fact created in the past, before a dispute existed about the document, is significantly better than not being able to prove that. OpenTimestamps is free and open source, using Bitcoin so that you don't have a trusted third party. Timestamps made with OpenTimestamps are free, as merkle trees are used to allow the whole world's documents to be timestamped with a single Bitcoin transaction.

https://opentimestamps.org/

A good example of how it's been used recently is by the official election authority in Guatemala to timestamp polling documents in their recent presidential election: https://www.youtube.com/watch?v=g0nnM5_Z90E


Thanks for the suggestion. We will definitely consider this. We have just released v1 48 hours ago. We are working hard to put together a usage guide with docusaurus. You will see huge updates to documentation soon.


I went to the installation instructions:

https://github.com/OpenSignLabs/OpenSign/blob/main/INSTALLAT...

And it says you can auto-deploy to DigitalOcean (neat) and to a local server, and instructions are included for both.

There's the bit on AWS S3 which makes sense but then no build/install instructions for local deployment. Are those somewhere else?


> You will need to create an AWS S3 bucket or digital ocean space in order to store your uploaded documents

The org I work for would love to self-host on-premise a digital signing solution so they definitely won't use external dependencies like AWS. Theoretically they could swap with minio but last time we used it it was not a drop-in replacement yet.


We will be supporting more storage providers including self hosting soon.


Good to hear!

It's not a problem if Minio is bundled into the self hosted stack as long as it's officially supported (paying for support is also okay).


Thank you so much for your great work


> Theoretically they could swap with minio but last time we used it it was not a drop-in replacement yet.

Depends on whether AGPLv3 works for you or not (or whether you decide to pay them), I guess: https://min.io/pricing

I've actually been looking for more open alternatives, but haven't found much.

Zenko CloudServer seemed to be somewhat promising, but doesn't seem to be managed very actively: https://github.com/scality/cloudserver/issues/4986 (their Docker images on DockerHub were last updated 10 months ago, which is what the homepage links to; blog doesn't seem active since 2019, forums don't have much going on, despite some action on GitHub still)

There was also Garage, but that one is also AGPLv3: https://garagehq.deuxfleurs.fr/

The closest I got was discovering that SeaweedFS has an S3 compatible mode: https://github.com/seaweedfs/seaweedfs


Ceph is definitely the biggest open-source option.


This is naïve. DocuSign's main sell from a commercial perspective is it separates the parties into the signer, the signee and the authority. If the authority is the signee or the signer then it could be considered unfair. And really no one wants to end up having to hire lawyers to unfuck that mess.

Not only that, DocuSign does ID verification if you pay them, which is required for a bunch of contract types. This definitely does not!


DocuSign doesn't provide anything other than convenience. Generally, in the law, either a signature must be notarized or it doesn't have to be. Docusign isn't a notary, it's really just an electronic document courier. If the legitimacy of a signature is challenged, Docusign isn't going to hire a forensic expert to testify that John Smith was actually the person who logged in and clicked the link. All they can say is that someone with access to the link from IP address 1.1.1.1 clicked Agree.


Um, no. They do full ID verification as well. If you pay for it.


Interesting, my mom just sold her house and there was no verification.

My point stands, legally either a signature has to be notarized or it doesn't. If it doesn't, any signature can be effective. I'll agree that 3rd party hosting provides an element of independence, however, legally it's not required, and could be done by anyone. E.g., a self-hosted solution that required the signer to upload a video of them clicking I AGREE would provide just as much certainty as anything Docusign can.


Where is that required? Maybe POAs? At least Florida and Georgia real estate law (the only ones I'm familiar with) don't require anything of the sort for any of the paperwork (before closing).


And my memory of Florida law (when I was signing an apartment rental contract 4 years ago) was that any electronic signature agreed to by the contracting parties was valid. So I simply typed my name in the contract, emailed it to my landlord, and we were done.

Of course, I also used https://opentimestamps.org to store the hash of our contract on bitcoin's block chain, because that way we both had proof that the contract existed in a certain form on that date. (I never needed that proof, because he was a good landlord, and I paid rent on time.)


While probably enough to prove it existed, you'd probably need to pay a lot for an expert witness to testify to "hash of file on blockchain means it existed" if you did have to go to court over the existence of the contract.


They certainly don't require it but it tends to be used in other transactions where SEC is going to hang you for example.


An optional paid feature that not many people seem to use isn't a deal breaker really.


We are working on all these features, even an optional webcam capture during signing. This is just the beginning. Even with current features we are arguably the most complete solution in this space in the open-source world.


I appreciate what you're doing but we buy DocuSign so the problem is far far away from us. This turns it into a problem we have to manage ourselves or a problem of finding a vendor stable enough to host your stuff that will make it not our problem long enough for the longest contract retention to expire. Which is difficult.


That is a great input, we need to put effort into ensuring that we are seen as a long term player, in fact we envision being one, assuming some contracts might be really long term. I hope a day comes when you trust us enough :)


Gaining trust is one thing, I wish you the very best of luck with that.

Not losing it is another.

The people to preserve trust with are all potential signatories (i.e. the public), not the initiating counterparties. Because there are many more of them.

Of course this reputation problem is one you'll share with banks, PayPal and every other "official" type entity that phishers want to jump on.

Now most "Docusign" communications go straight to my spam folder or /dev/null if arriving by email and not from (forwarded) a whitelisted business I already have a relation with. Those that come directly from Docusign (as sender even if DKIM passes) are ignored unless I think there's a reason to be contacted.

Docusign is one of the juiciest spoofing targets for phishing attacks because people act rashly to what they think is something requiring a signature. They also have no timeout on repeat sends, relentlessly spamming users to sign something, which makes them look exactly like, well.... phish-spammers.

Try not to make these same mistakes as Docusign.


I'm sure these problems were also difficult for DocuSign in the beginning.


Not really. They actually ran mock trials with legal professionals as test cases. That was an instant win for anyone wanting assurance of admissibility.

No open source startup is going to win there because it's about entities and process, supported by technology not technology on its own. The technology is absolutely worthless without the framework and legal entities surrounding it. It's a unique position no one really understands that well.


They began when digital signatures were not understood well even by legal professionals. Somewhere fear might have come into the picture. Today, it's easier to digest the fact that digital signatures are just cryptographic functions that guarantee the authenticity and integrity of documents and various actions on those docs. Plus the legal framework around it is better defined now. I am confident that we will be able to change the perception and make this the de-facto digital signing solution. The movement has just begun; there is a long way ahead.


This answer is incredibly technocratic, and misses the mark on what a digital signature is.

A digital signature is a legal construct that stands up in court.

The movement might have begun, but you need to change your perception. You have to stop talking like a technocrat and address the business problem that signatures solve.


I agree. This is the result of being surrounded by developers all day long lol. Will try to focus more on the business problem.


No business cares about whether it is open-source or not. They care that when things somehow end up in court, there is a clear understanding of a signed document and nobody has any question about it. More or less a guarantee -- probably not really a guarantee but good enough to hold in court. If your selling point is open source or "free" you have already lost.


We take pride in being open source as we are sure being open source brings a lot more transparency in the entire process. When it comes to the authenticity of a signed document, the cryptographic proofs generated by our solution and digital traces are no different than those generated by DocuSign. It will hold equally true in any court. We understand that we might need some time to be universally acceptable in terms of the perception of the people, but we are confident that we will reach there.


I wish there was a free alternative to the German/Europe QES ("Qualified Signature"). The cheapest currently is about 20 EUR/month and allows you to make 3 signatures. Others ask for 50 EUR for each QES. I hate to pay for my own signature! We need something like Let's Encrypt for signatures.


Other EU countries offer this for free, e.g. https://www.a-trust.at/pdfsign

What's even worse is that in Germany most companies and authorities refuse to accept those digitally signed PDFs.


I wanted to come back here and add a thank you. I registered at a-trust through their EU-Identity Login and now I am able to make 5 signatures (QES) for free each month. Great!


> We need something like Let's Encrypt for signatures.

It's not the technical infrastructure, it's about trust. LE only solved the problem of safe transport, but not verification of authenticity of the endpoints. That's what incurs such cost.


The endpoint (my ID) is free - it can be used to verify myself digitally. And that is what all QES services do, initially (once). What other costs if not hardware/bandwidth apply?


Until my signing a contract means signing it and a checksum with my private key ... this whole space is flawed.


In Belgium you can digitally sign documents with your e-ID (mandatory ID card issued by the government) and it has the same value as "classic" hand signed documents. I use it myself for everything, whenever I get a PDF I just sign it with my e-ID and send it along its way.


Why not make that your signature? Could you like, sign the current date with a private key, and write the result into the signature box?


That only works if the other party is capable of verifying it. Also how do you tie people to keys? Have the government issue them?
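The exchange above (sign a date with a private key, then the objection that the other party must be able to verify it and tie the key to a person) is easy to make concrete. The Go program below is an added example for this thread, not code from OpenSign or any commenter. It signs the SHA-256 of the document bytes together with the claimed date using Ed25519, and verifies against a `Directory` that maps a name to a trusted public key. The `Directory` type, the `SignatureBox` layout, the "alice" identity and the date format are all assumptions made for the illustration; in practice that mapping is exactly what a government e-ID or a certificate authority supplies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Directory is the trust anchor the verifier must already hold: which public
// key belongs to which person. Without it a valid signature proves only that
// *some* key holder signed, not who. (Assumed structure for this example.)
type Directory map[string]ed25519.PublicKey

// SignatureBox is what the signer would paste into the document's signature
// field: the claimed identity, the claimed date, and the signature bytes.
type SignatureBox struct {
	Signer string
	Date   string // ISO date chosen by the signer, e.g. "2023-10-28"
	Sig    []byte
}

// NewSigner generates a fresh Ed25519 key pair. This stands in for key
// issuance by an ID card or CA, which is where real key-to-person binding comes from.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signingInput covers the SHA-256 of the exact document bytes plus the date,
// so changing either one invalidates the signature.
func signingInput(doc []byte, date string) []byte {
	h := sha256.Sum256(doc)
	return append(h[:], []byte("|"+date)...)
}

// SignDocument produces the box the signer hands to the counterparty.
func SignDocument(signer string, priv ed25519.PrivateKey, doc []byte, date string) SignatureBox {
	return SignatureBox{
		Signer: signer,
		Date:   date,
		Sig:    ed25519.Sign(priv, signingInput(doc, date)),
	}
}

// VerifyDocument answers the counterparty's question: does the key we trust
// for box.Signer validate these document bytes on this date?
func VerifyDocument(dir Directory, doc []byte, box SignatureBox) bool {
	pub, ok := dir[box.Signer]
	if !ok {
		return false // unknown signer: nothing ties the key to a person
	}
	return ed25519.Verify(pub, signingInput(doc, box.Date), box.Sig)
}

func main() {
	alicePub, alicePriv := NewSigner()
	dir := Directory{"alice": alicePub} // constructed trust directory
	contract := []byte("constructed lease text ...")
	box := SignDocument("alice", alicePriv, contract, "2023-10-28")
	fmt.Println("signature:", hex.EncodeToString(box.Sig))
	fmt.Println("verifies :", VerifyDocument(dir, contract, box))
	fmt.Println("tampered :", VerifyDocument(dir, []byte("constructed lease text altered"), box))
	impostor := box
	impostor.Signer = "mallory"
	fmt.Println("unknown  :", VerifyDocument(dir, contract, impostor))
}
```

Two failure modes matter for a signing service. A signature that verifies under a key nobody can attribute to a person has no evidentiary value, which is the `Directory` lookup; and a signature over the date alone (rather than hash-plus-date) could be moved between documents, which is why `signingInput` binds both.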


At bulksign.com we have this feature, it's called "Local Certificate" signature.


As others pointed out, update documentation for self-host setup without the need of AWS.

Since the project is open-source, update the documentation with local setup, architecture, design decisions made


If you get something to sign, can you modify it and send it back to the other party so they can sign the modified version? Or is this a "take it or leave it" system?


It's really important to preserve the integrity of the document during the signing process, which is why modifications other than annotations are currently not allowed. We are building this to support an open architecture (micro frontend based add-ons). The two add-ons currently under development are:

- A document organizer for signed/in-progress documents, as we believe organizing legal documents is very different from organizing regular files: the user should be able to visually identify the status of the document and just hover on a document to see the current status of signers, etc.
- An AI based assistant that will allow you to get any clause of a contract re-worded, explained, analysed for risks, etc. (we don't intend to replace lawyers here)

Once we have these plugins ready, you will be able to create/modify docs before signing.


In other words, no.


The future of open source continues to be AGPL.

[EDIT]: referring to (my own) article: https://vadosware.io/post/the-future-of-free-and-open-source...


Shouldn't be surprising as it is the only OSS license that protects your right to repair by guaranteeing source code availability. FSF doesn't get enough credit for their foresight.


Yeah, and a while ago there seemed to be people who didn't think it was F/OSS, and wanted to avoid it because it might reduce the likelihood of someone contributing.

One thing I do think that people misunderstand is that a company can absolutely take your project and run it as a service -- they just have to contribute code back if/when they modify it.

The real canary is requiring signed CLAs.


True. Someone here in another comment has already pointed out that this project's CLA demands that all submissions have to be under the MIT license! This seems shady and can be perceived as an attempt to "steal" code in the future (MIT licensed code can be incorporated into xGPL licensed code, but it doesn't prevent the original license holder of the xGPL product from closing the source of the product in the future. If the contributed code were also AGPL, the project managers would have to get permission from all submitters to close-source a project or would be forced to remove their code from the product).


I don't see that they have a CLA -- I can only find their note about the license contributors must take[0].

I guess that's one way around the CLA -- they don't need one if they force all contributions to be MIT in a file most people wouldn't read.

In the end, the actual likelihood of someone making a credible legal threat is low so it all seems somewhat spurious, but a great way to go around the overt beacon that requiring CLA signing is.

[0]: https://github.com/OpenSignLabs/OpenSign/blob/bb846442ecbaa3...


For a project that deals with signatures it should be pretty obvious that this does not quite work in a legally sound way. At least in the PR they will need some proof that I acknowledge having read this Contributing.md. There is a reason why people go through the hassle of CLA signing flows. Wonder why they do not dogfood their own system.


AGPL still allows somebody else to offer your software as a paid service. This is dangerous for a lot of business models.


This is correct -- in fact, the article I posted goes over exactly that (though it is somewhat buried).

> There’s one caveat everyone is missing: this is only a problem if you planned on modifying the software and not contributing back! If you either do not modify the software or contribute back your changes you’re free to host and offer services built on AGPL.

I'm a bit worried about what all these companies will do once smaller/larger players change their stances appropriately and start hosting their software as a service. Will people run to BSL/Elastic/SSPL?


I heard of this a while ago too - https://github.com/documenso/documenso


I suppose there is a need of a trusted 3rd entity that runs the service.

Otherwise anybody could run the service and pretend that anybody else signed any documents they want at any time they wanted.

I am not familiar with DocuSign internals but it looks like people are identified by their email. So only if you can click the link received in their email can it be them.

I guess a problem with DocuSign is still that anybody can sign up for a new email and pretend to be anybody they want.


Is this different from https://opensignapp.com/ ?


I think so.


This looks great.

If there’s anyone familiar with this or from the product team would sincerely appreciate any insights on this scenario.

Looking at the AGPL license, where would the licensing prevent or impact building an independent source code plug-in to integrate into a piece of software that calls the hosted service via API, or an unmodified self-hosted copy?

For me it helps spread awareness and use of a well made open source signature tool.


Can you please clarify or provide more context regarding your question?


This is similar to creating an open source nuclear waste management solution.

Why would you want to store nuclear waste? Think about it. Even if you can, is that really what you want? Forever?

There are probably more incentives and less legal liability storing nuclear waste than sensitive documents.

It's not that other companies cannot do it, it's that nobody wants to do it.


Neutron star of risk.


I think it needs a way to review the contacts (other than the request signatures form), and to edit them (in case I put the wrong e-mail originally), or at least delete and re-create them.


How does something like this avoid IP theft/infringement cases? By all accounts it’s functionally the same thing as DocuSign?

I ask because I am genuinely curious and hoping to learn a bit about IP law.


What kind of issue do you have in mind? By all accounts, the functionality of OpenOffice, LibreOffice, and Google’s suite is the same as Microsoft Office. There’s no theft unless they _actually stole intellectual property_.


The commenter is confused, they mean infringing, not theft.

Theft is theft, no reason to get IP law involved.

Infringement can happen without intent. I don't know who would be liable, the open source company with little revenue, or the customers who are just using the software.


Thank you, yes I mean infringement.

Say big Hooli company builds product/platform “A” and charges arm and foot for usage. Having tried the platform I personally find it ridiculous anybody is paying for this because I successfully (lone developer) hack together a trimmed down working clone of the core system *in under a week*. Furthermore, core aspects of Product/Platform “A” are open-source technology, in non-trivial ways (like I’m not saying “oh they use YML for config files”, I’m saying “core engine component they’re using is explicitly open source”).

If I decide to open source my clone, am I asking for trouble?

This is all hypothetical, I’m not soliciting actual legal advice.


How is this different from docuseal.co?


It's not – it's just a "competing" product.


It has "open" in the name! and an ugly UI :)


What UI looks ugly to you? The website or the app itself or the github readme linked above? We would appreciate any precise feedback.


This is absolutely brilliant, thank you for creating it.


How is this different to Documenso.com? That looks more advanced.


It is interesting to me how they put a (tm) on OpenSign, but don't do it in all their references to their competitors...


That's because they're staking a claim to a trademark. They're not staking a claim to the trademarks of their competitors.


Very cool. Thanks for sharing.


Doesn't contemporary PDF (for example) have something like a built in interpreter? How do you stop someone from, say, making a document that changes the wording after a certain date and then signing it?


I don't think PDF can do that.



