Our understanding is that DocuSign does not have any legal authority; they prove the chain of custody/modifications using digital traces, which our solution can also do, arguably in a more open way.
One thing that I think they provide (as opposed to the self-hosted version) is just the fact of being a relatively neutral third party.
If there’s a dispute over the veracity of a signature, it’s probably helpful to have a third party say “according to our server logs and software stack, this was signed by johndoe@example.com at 12:41pm on August 3rd, from the IP address XX.XXX.XXX.XX, and they authenticated with their email and password”. If I’m self-hosting, it’s marginally less convincing when I’m before a court if I say *my* software stack says that, since I have more direct control over it.
So, I agree DocuSign doesn’t have a special status, other than being a relatively neutral third party to that dispute. But if a signature’s validity is being questioned, that third party status is probably somewhat helpful.
Late to the party here, but I deal in this space all day. You are 100% correct.
Disputes over eSignatures come up allllll the time. And if you mention that it was "DocuSigned"... although you have done nothing aside from name-dropping... it will essentially end the dispute. Not saying that it should. Just saying that it does.
I think that could totally be possible for your hosted offering, but my point is largely that I don’t see how the self-hosted offering could ever get there, unless there was some technical measure that could prevent the operator of the system from tampering with the logs/database/etc.
Edited to add: mild disclosure, I’m working on a product that has e-sign as a feature. It’s not really the main thrust of the application, but probably worth mentioning here.
Electronic signatures legally recognized in the United States are provided for in the Electronic Signatures in Global and National Commerce Act (“ESIGN”) and state and territory versions of the Uniform Electronic Transactions Act (“UETA”).
These are the regulations you’ll want to adhere to in order to provide parity with digital signature authority of traditional commercial providers (in the US at least).
Great work btw!
(Not an attorney, not your attorney, but happy to chip in fiat so you can consult with counsel and obtain an opinion letter from one in support of your project)
Yes, making a mill for supposedly trusted third parties, over having an actual trusted third party, is a more open way.
Edit: I suppose in all except the free self hosted one, OpenSign would be the trusted third party, which I guess is more plausible. Unless the paid customers are given something close to root to administrate them. Still, a trusted third party is generally based on recognition. Even if I really dislike a company I eventually acknowledge they're trusted if it lasts long enough, like with ID.me. I didn't use ID.me until it was required for logging into the IRS and now I grudgingly admit that I think it's an extra security check on logging in. So until you're big like DocuSign I wouldn't view you in quite the same way as a trusted third party.
That does bring up a question: are your paid customers prevented from going under the hood in such a way that they would also have to be trusted at such a level along with OpenSign?
--
This to say I'm open to using OpenSign, because there are plenty of uses where I would be open to using something that doesn't have this "trusted third party at the level of DocuSign" feature. The "digital notary public" analogy is apt. I sometimes sign documents with a notary, and other times without.
Great insights. The hosted version functions in more or less the same way as DocuSign, with an added advantage of knowing what the code is doing under the hood. We don't intend to provide root/admin privileges as it's going to be a multi-tenant system at the end of the day.
Ah, I see. A multi-tenant system makes sense, I was thinking it might be closer to managed hosting. With managed often people have root or close to it. Just make sure people understand that it’s a multi-tenant system where the customers don’t have access to do anything which would make it less secure, unless they’re using the self-hosted version. And when you grow, maybe there will be an enterprise self-hosted and/or managed hosting version where the customer needs to be trusted to provide security. That would be appropriate with some potential customers.
So that leaves the challenge of becoming a well-known trusted third party, which is a challenge but doable.