Kind of tangential, but I'll share a bit of a horror story from a friend when it comes to e-signatures.
The company in question uses DocuSign, and most of their clients do as well. They are big, serious companies. However, nobody is able to set up DocuSign in a reasonable way for a multi-client contract. Every company needs to use their own DocuSign.
Now, DocuSign embeds a cryptographic signature in the signed PDF. This means you can't sign a PDF twice.
So what my friend does is create the PDF to be signed, send it to one company for signatures, get it back and run it through Microsoft Print to PDF. This friendly utility happily strips away all cryptographic signatures, but importantly leaves the "signature picture" in place. And then they can send this PDF to the next company.
I joked that every time they do this, a cryptographer somewhere stubs their pinky toe on a corner.
Pdf signatures are a joke and entire wrb e-signature space is snake oil sales. Source: worked for docusign competitor and seen how signing twice works.
We at least did the print to pdf thingy ourserves on the backend to save users from this shame.
Add: you can in fact sign the pdf multiple times with a digital signature, which is an actual feature of PDF format. You can't however add electronic (drawn) signature on top of the digital one without (partially) invalidating previous ones. And to nobody's surprise, you can't see digital signatures if you decide to print the document with it.
pdf signatures are certainly not worth nothing, in fact they are eIDAS compliant. It's just the government being the government so it's left hand doesn't trust the right one.
What eIDAS actually solves is not signatures, but strong identification. You log into the system and it knows your tax id or whatever primary identifier you have. It's promoted as a secure way to sign documents, but it's just technofetishism.
Non-repudiation isn't even a technical problem, as you can have verbal contracts too. Replying to an email is totally fine way to enter into a contract too, but something like invoices have to be signed or stamped (or both). If you request something from the government (in the Netherlands), ticking a checbox and pressing a button is totally legit and you don't have to dance around ECDSA for a single moment, because the left hand trust the right hand.
Now if somebody is conspiring with a tax officer to commit VAT refund fraud and then telling to the judge they didn't send any refund and never got any money -- it's not checkboxes and pdfs to blame really.
We use Docusign (and occasionally Adobe Sign) for multi-client/multi-organization contracts all the time at my job. Docusign essentially acts as an escrow service for signatures. You need to make sure that all of the signers' are set up when you first send out the document for signatures. It doesn't matter whether they're part of a separate Docusign account or not; that just affects how they access the document after it's been signed by all parties.
If you're baking in "batches" of signatures into the PDF so you can do multiple rounds of signatures...you're using it wrong...and quite possibly invalidating the whole point of using Docusign (or a competitor) in the first place since your edited pdf is no longer authentic and wouldn't be admissible in a court.
My comments were from 2019. Paypal acquired Honey in 2020, and MegaLag's "expose" is for their alleged post-acquisition business practices.
I make no claims that their business model remained the same after the acquisition. But on that note: Paypal's acquisition of Honey was vetted by multiple law firms and by regulators in the U.S. and Europe, and even scrutinized by shortsellers. Nobody found anything wrong with Honey's business model or any serious legal risks with what they were doing. Another public company, Rakuten, has since launched a competitor to Honey with the same business model (and some of the same personnel).
Seriously. If Honey was doing something wrong, at the very least the shortsellers would be all over this because they'd be making a killing. This morning, Paypal's stock barely budged (and has actually gone up after-hours now that the market has had time to review MegaLag's "expose"). That should speak volumes to anyone with common sense.
If you think about it, the worse is just this kind of cargo cult to do the same thing that is used to be done with paper on a computer without really understanding why you do it.
Like, on paper, you are supposed to all "sign" the same paper document to show that this is the same document/content that is agreed by everyone. And so, when you DocuSign it, people do the same thing with everyone signing the same document even with a fake "handwritten" signature....
But if you really think about it, the signature already proves the content, so you would only have to have all the parties sign individually their own "copy" and then exchange the signed pdf signed by them.
If you own a copy signed by you, and a copy signed by another person, as we have the proof of the content of each one, you know that it is the same contract that was agreed...
>If you own a copy signed by you, and a copy signed by another person, as we have the proof of the content of each one, you know that it is the same contract that was agreed...
Then you need to show a third party the contract signed by both sides. On paper or sent by fax. When you say digital document trust services eIDAS, the party replied that it's not a participant in the trust architecture (as defined by eIDAS-implementing law) and didn't buy the license for software needed to verify it. The party is a judge, so they are right and you are wrong. True story that did actually happen and nobody was even disputing the fact of document being signed.
Probably its electronic signature vs qualified digital signature. At the very least with swiss telecom they know who is keeping root certs at the end of the chain of trust.
And this week the product’s launched? That doesn’t inspire confidence in what’s supposed to be a legal matter, and trust seems to be the #1 thing you need in this business if the tech is so trivial. Putting signatures on PDFs is free, if I can’t trust your ability to resolve legal disputes I’ll use free instead of paying you whatever your idea of cheap is.
The problem with being in this space is that you need to have the financials to be around for long enough to be useful. For legal documents, that means a 3+ year horizon.
Right now, you might work for low-risk (meaning, essentially no risk of contract disputes) short-term gigs for freelancers and consultants, but you're a no-go for businesses of any size, or anyone else that needs a contract signed.
You need to demonstrate stability before you can expand from the short-term niche, or else that your signature/document validation service will survive the likely death of your company.
That in fact happens all time time with signatures...
A signature can be used to validate the existence and legitimacy of a contract and the terms contained within a specific version of a contract, so disputes over signatures happen quite frequently. Indeed, DocuSign spent years establishing that their system could be used to authenticate signatures and the documents they were attached to so they could break into the legal market.
It's not just a nice story. Law students learn about the importance of signatures on contracts during their first few weeks of law school.
Try getting a contract honored without a signature. You'll get laughed out of court. And unless they're you're best bud, you'll get laughed at by your counterparty for your naivete. Good luck proving the existence of an agreement with a piece of paper that the other party disputes.
I tried reading how to use DocuSign with eIDAS for a Qualified signature, which is the legal requirement in the EU. And it is such a mess that the DocuSign documentation [1] links to a page at passkeys.dev [2] which explicitly states in the first paragraph that it should not be linked to from user-facing documentation...
Where does the requirement come from? eIDAS regulation [0] establishes different signature profiles, from which qualified is the strongest, but doesn't say you can't use advanced or the basic electronic "draw here" kind of signature with no cryptography.
Sure, some national laws may require qualified with long term storage and implement it as part of closed document system, but people use less-than-qualified documents all the time.
“the e-signature space” shouldn’t exist. Slapping signatures on pdfs that get emailed to the relevant parties isn’t a legitimate industry, it’s just a small and overblown app that eventually people will self host or bundle for free with an existing document SaaS.
It’s a feature, not a company. It’s definitely not a whole
industry.
The feature is coordination of who to send it to and when, is it's own business, not the part where you slap a picture into the pdf and or generate write-once-read-never digital signature blob into it too.
The actual business here is the promise to keep the logs and the process to ensure you can connect the person who signs the document with the document and time, so in a very unlikely event it is being questioned you can testify that signing by a specific person happened or not. The more certifications you have for the process and the software/infra that implements it, the better you can sell.
> This event expanded the market with such massive awareness.
I think you might be overestimating the impact of this (whatever 'this' is) on the rest of the world that isn't trying to make signatures a business. This is the first I'm hearing that Google has introduced a (new?) signature feature, and the Google trends for "Electronic signature" haven't moved much if at all [0]. A Google search for "Google signatures" still mostly turns up information about email signatures, including when I filter to the News tab.
I'm honestly not even 100% sure what new feature you're talking about. In my searching I don't turn up any announcements about Google and signatures, and I do find a help article about it going back to 2022 [1].
In short, I have no idea what sparked this for you, but for the rest of us it's Tuesday. It might be good to slow down and figure out what's actually going on and what its real impact is?
All legal docs pages seem broken (at least on mobile).
I’m your target customer but would never use this because it inspires no confidence that when the shit hits the fan (ie: contract dispute) your signing tool will stand up to legal scrutiny. The sales page is all about being cheap and mobile responsive, but it doesn’t mention anything about the legality of document signatures processed through the tool, or the data security/privacy standards you uphold.
OP, agreed something better than DocuSign is required. Check out Estonia’s digital signature platform — been around and developed for a couple of decades as the entire country runs on it.
In other words, it’s a solved problem, just little known outside the EU. And it works really well! Second, I suspect there are things to learn from the platform they built and the way digital signatures can be trusted within an entire society. DocuSign is astonishingly bad not because of the tech alone but because of the approach.
(Signature spots are mimicking pen signatures. Why not avoid that, or generate them based on the digital signature, eg as a visual / printable representation then digital signature, the way a QR code carries bits? Make something that survives printing!)
>(Signature spots are mimicking pen signatures. Why not avoid that, or generate them based on the digital signature, eg as a visual / printable representation then digital signature, the way a QR code carries bits? Make something that survives printing!)
That's the actual unsolved problem of digital documents.
Regulatory technofetishism requires digital signatures strongly tied to identifiable person (natural or otherwise). eIDAS solves that perfectly, as long you have a digital id issued by your government of residence (the one expecting to connect the document through the signature to a primary key in their database). Nobody except a few governments here and there actually use it and when they do it's mostly a closed system with controlled access anyway.
What people actually need (i.e. how people really work with documents) is a PDF with a signature visible in all PDF viewers, that you can also print and bring to a local government office if they for some reason have in-person process for it. Now in theory, you can have PDF fields and fill them with digital signatures produced by your eIDAS-compatible qualified id. Nobody (almost) ever does that, because your typical workflow doesn't require extracting strong identity from the signed document. The fact that adobe viewer operates on a different chain of trust compared to eIDAS doesn't help.
So what people do is adding signatures as content to the document, than signing it digitally with pdf fields sequentially. It works fine, but you can't add another content-signature on top for obvious reasons and you can't counter sign if the field wasn't present before (and document is locked).
Add: to even start properly solving this, one needs to understand how documents generally work, how (federated) governments work, read the actual law, also understand cryptograrphy and PDF format and after all that make a nice UX. And people who can mostly understand all of above have better things to be busy with, as there is no money in it anyway.
Best of luck to you. We spent the last 18 months trying to build and sell a contract management and esign tool for freelancers and agencies and we got almost universal feedback that it wasn’t needed. Hope your outcome is different than ours!
You guys gotta include the price and your main competitor that I was about to start using is esignatures.io which is email or sms at 0.50 each so would love a comparison!
I think the contact page might be broken on Firefox/android. I just get a fairly sizable whitespace with a twitter link if I scroll far enough. (I'm assuming there's supposed to be a contact form and/or email address. I'm old, I can't imagine using twitter for business communications.)
At first you want to keep it to a minimum which is not that hard. But in order to get more clients you will have to deal with more cases and add features. Which is what others have already done …
My sugestion is to change the title to "Show HN: SignWith: Get e-signatures & pay per document" or something like that and keep the explanation of the problem only in the description.
> That said, we see Google's entry in the signature space as validation.
Don’t worry, Google will cancel the service at some point. Just have your marketing campaign and onboarding process ready for those fleeing the sunset Google product
The company in question uses DocuSign, and most of their clients do as well. They are big, serious companies. However, nobody is able to set up DocuSign in a reasonable way for a multi-client contract. Every company needs to use their own DocuSign.
Now, DocuSign embeds a cryptographic signature in the signed PDF. This means you can't sign a PDF twice.
So what my friend does is create the PDF to be signed, send it to one company for signatures, get it back and run it through Microsoft Print to PDF. This friendly utility happily strips away all cryptographic signatures, but importantly leaves the "signature picture" in place. And then they can send this PDF to the next company.
I joked that every time they do this, a cryptographer somewhere stubs their pinky toe on a corner.
We at least did the print to pdf thingy ourserves on the backend to save users from this shame.
Add: you can in fact sign the pdf multiple times with a digital signature, which is an actual feature of PDF format. You can't however add electronic (drawn) signature on top of the digital one without (partially) invalidating previous ones. And to nobody's surprise, you can't see digital signatures if you decide to print the document with it.
So pick your poison.
What eIDAS actually solves is not signatures, but strong identification. You log into the system and it knows your tax id or whatever primary identifier you have. It's promoted as a secure way to sign documents, but it's just technofetishism.
Non-repudiation isn't even a technical problem, as you can have verbal contracts too. Replying to an email is totally fine way to enter into a contract too, but something like invoices have to be signed or stamped (or both). If you request something from the government (in the Netherlands), ticking a checbox and pressing a button is totally legit and you don't have to dance around ECDSA for a single moment, because the left hand trust the right hand.
Now if somebody is conspiring with a tax officer to commit VAT refund fraud and then telling to the judge they didn't send any refund and never got any money -- it's not checkboxes and pdfs to blame really.
We use Docusign (and occasionally Adobe Sign) for multi-client/multi-organization contracts all the time at my job. Docusign essentially acts as an escrow service for signatures. You need to make sure that all of the signers' are set up when you first send out the document for signatures. It doesn't matter whether they're part of a separate Docusign account or not; that just affects how they access the document after it's been signed by all parties.
If you're baking in "batches" of signatures into the PDF so you can do multiple rounds of signatures...you're using it wrong...and quite possibly invalidating the whole point of using Docusign (or a competitor) in the first place since your edited pdf is no longer authentic and wouldn't be admissible in a court.
https://news.ycombinator.com/item?id=21591466
Want to comment?
I make no claims that their business model remained the same after the acquisition. But on that note: Paypal's acquisition of Honey was vetted by multiple law firms and by regulators in the U.S. and Europe, and even scrutinized by shortsellers. Nobody found anything wrong with Honey's business model or any serious legal risks with what they were doing. Another public company, Rakuten, has since launched a competitor to Honey with the same business model (and some of the same personnel).
Seriously. If Honey was doing something wrong, at the very least the shortsellers would be all over this because they'd be making a killing. This morning, Paypal's stock barely budged (and has actually gone up after-hours now that the market has had time to review MegaLag's "expose"). That should speak volumes to anyone with common sense.
Like, on paper, you are supposed to all "sign" the same paper document to show that this is the same document/content that is agreed by everyone. And so, when you DocuSign it, people do the same thing with everyone signing the same document even with a fake "handwritten" signature....
But if you really think about it, the signature already proves the content, so you would only have to have all the parties sign individually their own "copy" and then exchange the signed pdf signed by them. If you own a copy signed by you, and a copy signed by another person, as we have the proof of the content of each one, you know that it is the same contract that was agreed...
Then you need to show a third party the contract signed by both sides. On paper or sent by fax. When you say digital document trust services eIDAS, the party replied that it's not a participant in the trust architecture (as defined by eIDAS-implementing law) and didn't buy the license for software needed to verify it. The party is a judge, so they are right and you are wrong. True story that did actually happen and nobody was even disputing the fact of document being signed.
[1] https://www.swisscom.ch/en/about/news/2023/10/12-sign.mobile...
And this week the product’s launched? That doesn’t inspire confidence in what’s supposed to be a legal matter, and trust seems to be the #1 thing you need in this business if the tech is so trivial. Putting signatures on PDFs is free, if I can’t trust your ability to resolve legal disputes I’ll use free instead of paying you whatever your idea of cheap is.
Right now, you might work for low-risk (meaning, essentially no risk of contract disputes) short-term gigs for freelancers and consultants, but you're a no-go for businesses of any size, or anyone else that needs a contract signed.
You need to demonstrate stability before you can expand from the short-term niche, or else that your signature/document validation service will survive the likely death of your company.
A signature can be used to validate the existence and legitimacy of a contract and the terms contained within a specific version of a contract, so disputes over signatures happen quite frequently. Indeed, DocuSign spent years establishing that their system could be used to authenticate signatures and the documents they were attached to so they could break into the legal market.
Try getting a contract honored without a signature. You'll get laughed out of court. And unless they're you're best bud, you'll get laughed at by your counterparty for your naivete. Good luck proving the existence of an agreement with a piece of paper that the other party disputes.
[1] https://support.docusign.com/s/document-item?language=en_US&...
[2] https://passkeys.dev/device-support/
Sure, some national laws may require qualified with long term storage and implement it as part of closed document system, but people use less-than-qualified documents all the time.
[0] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:...
- yeah the agreement says that but sue us we’re not doing it
- we interpreted that clause to mean something different, pay us more or sue us.
Never anyone disagreeing about which version of the contract was the legit one.
I’m not sure what level of business that both happens, and is serious enough to litigate - I’m not able to picture it.
It’s a feature, not a company. It’s definitely not a whole industry.
The actual business here is the promise to keep the logs and the process to ensure you can connect the person who signs the document with the document and time, so in a very unlikely event it is being questioned you can testify that signing by a specific person happened or not. The more certifications you have for the process and the software/infra that implements it, the better you can sell.
I think you might be overestimating the impact of this (whatever 'this' is) on the rest of the world that isn't trying to make signatures a business. This is the first I'm hearing that Google has introduced a (new?) signature feature, and the Google trends for "Electronic signature" haven't moved much if at all [0]. A Google search for "Google signatures" still mostly turns up information about email signatures, including when I filter to the News tab.
I'm honestly not even 100% sure what new feature you're talking about. In my searching I don't turn up any announcements about Google and signatures, and I do find a help article about it going back to 2022 [1].
In short, I have no idea what sparked this for you, but for the rest of us it's Tuesday. It might be good to slow down and figure out what's actually going on and what its real impact is?
[0] https://trends.google.com/trends/explore?date=today%203-m&ge...
[1] https://support.google.com/docs/answer/12315692?hl=en
I’m your target customer but would never use this because it inspires no confidence that when the shit hits the fan (ie: contract dispute) your signing tool will stand up to legal scrutiny. The sales page is all about being cheap and mobile responsive, but it doesn’t mention anything about the legality of document signatures processed through the tool, or the data security/privacy standards you uphold.
I couldn't find the price per document in the home page.
In other words, it’s a solved problem, just little known outside the EU. And it works really well! Second, I suspect there are things to learn from the platform they built and the way digital signatures can be trusted within an entire society. DocuSign is astonishingly bad not because of the tech alone but because of the approach.
(Signature spots are mimicking pen signatures. Why not avoid that, or generate them based on the digital signature, eg as a visual / printable representation then digital signature, the way a QR code carries bits? Make something that survives printing!)
That's the actual unsolved problem of digital documents.
Regulatory technofetishism requires digital signatures strongly tied to identifiable person (natural or otherwise). eIDAS solves that perfectly, as long you have a digital id issued by your government of residence (the one expecting to connect the document through the signature to a primary key in their database). Nobody except a few governments here and there actually use it and when they do it's mostly a closed system with controlled access anyway.
What people actually need (i.e. how people really work with documents) is a PDF with a signature visible in all PDF viewers, that you can also print and bring to a local government office if they for some reason have in-person process for it. Now in theory, you can have PDF fields and fill them with digital signatures produced by your eIDAS-compatible qualified id. Nobody (almost) ever does that, because your typical workflow doesn't require extracting strong identity from the signed document. The fact that adobe viewer operates on a different chain of trust compared to eIDAS doesn't help.
So what people do is adding signatures as content to the document, than signing it digitally with pdf fields sequentially. It works fine, but you can't add another content-signature on top for obvious reasons and you can't counter sign if the field wasn't present before (and document is locked).
Add: to even start properly solving this, one needs to understand how documents generally work, how (federated) governments work, read the actual law, also understand cryptograrphy and PDF format and after all that make a nice UX. And people who can mostly understand all of above have better things to be busy with, as there is no money in it anyway.
Your pricing + testimonial link seems broken.
> That said, we see Google's entry in the signature space as validation.
I agree, it's a good new, but very scary.
thanks for the suggestions - made the change in the title.