Tags: certificate, docusign, api, digital-signature, e-signature

How do e-Signature companies create valid digital signatures


For fun, I recently built an e-signature web app to allow users to add a handwritten signature to a PDF (i.e. signing a TOS agreement).

It only took a couple of minutes of research to realize my method of just adding a written signature image to a PDF probably wouldn't hold up very well in a legal dispute.

A cryptographic digital signature is needed to verify the identity of the signee as well as ensure the document has not been altered since signing.

It got me wondering how companies like Docusign can provide digital signatures without having a certificate from the signee.

I found this marketing-heavy explanation where it says that they are considered a trusted CA themselves.

Does this mean Docusign is issuing certificates to the users who are signing for them to sign with?

Given that you just need a link to a document envelope to sign (in most cases), this doesn't seem very meaningful.

UPDATE

Looks like you can "verify" signatures using acrobat reader to see the details. I opened up a PDF that I recently signed on Docusign and it appears that docusign is the signing identity?


Maybe I'm confusing "adding an e-signature" with "digitally signing", but shouldn't I be the "Signed By __" identity?


Solution

  • Re: It got me wondering how companies like Docusign can provide digital signatures without having a certificate from the signee.

    Answer: DocuSign enables three different types of electronic signatures:

    1. Simple Electronic Signatures (SES) are legal in the US and other common law countries for many purposes. They don't require a digital cert from the signer.

    2. Advanced Electronic Signatures (AES) are a digital signature which provides a guarantee that the signer was identified by a digital cert and that the signed document has not been changed since it was signed. This type of signature is required for some purposes in common law countries (like the US) and for many purposes in civil law countries.

    3. Qualified Electronic Signatures (QES) are like AES signatures but the signer cert is granted by a company that is authorized directly or indirectly by a government authority.

    How it works

    If the DocuSign signature is an SES signature then no signer cert is needed. And yes, these types of signatures are valid and legal for almost any type of transaction in the US. See a lawyer for details on whether your transaction type can use this type of eSignature or not. Here is a summary of the law for the US.

    For these types of signatures, when you download the signed document from DocuSign, the downloaded document is digitally signed (using an AES signature) by the company DocuSign. The DocuSign AES signature assures you that the document is the same as the document that was signed by one or more signers who used SES via DocuSign.

    For AES signatures via DocuSign, the signer can use a cert that is issued to them by DocuSign. Or the signer can use a cert issued to them by their associated company/organization.

    For QES signatures via DocuSign, the signer's cert comes from a qualified trust provider.

    Re: Does this mean Docusign is issuing certificate to the users who are signing for them to sign with?

    Yes, for AES signatures, DocuSign can issue a cert to a signer. But that is not what happened in your example screenshot. In your screenshot, DocuSign enabled the signer to use a SES eSignature. DocuSign then provided an AES signature to guarantee to any relying party that the document was SES signed via DocuSign.
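The "How it works" section and the reply about the screenshot describe a small PKI: the platform runs its own CA, signs SES-signed downloads with its own key (so the reader shows the platform as "Signed By"), and for AES issues the signer a certificate so the signer's own name appears instead. The following is an added example, not code from the question, the answer, or DocuSign, that models that arrangement with Go's standard library. It uses a detached ECDSA signature over the document bytes rather than a real PAdES/CMS signature embedded in the PDF, and the names "E-Sign Platform CA", "Alice Example" and the document content are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party holds a private key and the X.509 certificate naming its owner. It
// stands in for either the e-signature platform (acting as its own CA, as the
// answer describes for DocuSign) or an individual signer.
type Party struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// SignedDoc is the analogue of the downloaded PDF: the signed bytes, a
// detached signature over them, and the certificate of whoever signed.
type SignedDoc struct {
	Content    []byte
	Signature  []byte
	SignerCert *x509.Certificate
}

// newCA creates the platform's self-signed root (a hypothetical stand-in for
// the platform's own CA; not DocuSign's real hierarchy).
func newCA(name string) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Key: key, Cert: cert}, nil
}

// issueCert has the CA issue a leaf certificate to a named signer: the AES
// case, where the platform vouches for the signer's identity.
func (ca *Party) issueCert(name string) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Key: key, Cert: cert}, nil
}

// sign hashes the document with SHA-256 and signs the digest.
func (p *Party) sign(content []byte) (SignedDoc, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, digest[:])
	if err != nil {
		return SignedDoc{}, err
	}
	return SignedDoc{Content: content, Signature: sig, SignerCert: p.Cert}, nil
}

// verify does what a reader such as Acrobat does: check the signature against
// the content (integrity) and chain the signing cert to a trusted root
// (identity). It returns the signer's CN, i.e. the "Signed By" field.
func verify(doc SignedDoc, root *x509.Certificate) (string, error) {
	if err := doc.SignerCert.CheckSignature(x509.ECDSAWithSHA256, doc.Content, doc.Signature); err != nil {
		return "", fmt.Errorf("document altered or signature invalid: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := doc.SignerCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // document signing, not TLS
	})
	if err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	return doc.SignerCert.Subject.CommonName, nil
}

func main() {
	platform, _ := newCA("E-Sign Platform CA")
	// Constructed stand-in for a PDF with a pasted handwritten-signature image.
	pdf := []byte("%PDF-1.7 TOS agreement + signature image")

	// SES: the signer only drew an image, so the platform signs the download.
	sesDoc, _ := platform.sign(pdf)
	who, err := verify(sesDoc, platform.Cert)
	fmt.Println("SES document signed by:", who, err) // the platform, as in the screenshot

	// AES: the platform's CA issues the signer a certificate and the signer signs.
	alice, _ := platform.issueCert("Alice Example")
	aesDoc, _ := alice.sign(pdf)
	who, err = verify(aesDoc, platform.Cert)
	fmt.Println("AES document signed by:", who, err)

	// Any change after signing breaks the signature.
	aesDoc.Content = append(aesDoc.Content, " [clause added later]"...)
	_, err = verify(aesDoc, platform.Cert)
	fmt.Println("tampered AES document:", err)
}
```

The two things the answer separates fall out directly: in the SES case `verify` returns the platform's name because the platform's key made the signature, and only in the AES case does the signer's own certificate, chained to the platform's root, put the signer's name in "Signed By". A certificate issued by some other CA, or any byte changed after signing, fails verification, which is the integrity and identity guarantee a pasted image cannot give.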