Signature Policy Content Highlights


A signature policy specifies the technical and procedural requirements for signature creation and validation in order to meet business needs. A given statutory or contractual context may recognize a particular signature policy as meeting its requirements. For example, a signature policy may be recognized as meeting the statutory requirements of a transaction such as a tax declaration or a formal sales agreement. General information might include the following:

  • Signature policy issuer name: An identifier for the body responsible for issuing the signature policy. This may be used by the signatory or verifier to decide whether a policy can be trusted, in which case the signatory/verifier needs to authenticate the origin of the signature policy as originating from the identified issuer.

  • Signature policy identifier: The signature policy shall be identifiable by an identifier, e.g., an OID (Object Identifier) whose last component (i.e., rightmost) is an integer that is adapted to a particular version issued on the given date.

  • Signing period: The start time and date, optionally with an end time and date, for the period over which the signature policy may be used to generate electronic signatures.

  • Date of issue: Optionally, when the signature policy is issued.

  • Field of application: Defines the general, legal, contract, and application contexts in which the signature policy is to be used and the purposes for which the electronic signature is meant to be applied.

Certain commitments that can be undertaken by the transacting parties can also be part of the signature policy. Such commitments set a transaction framework for the usage of electronic signatures when signing a document. A commitment type can be:

  • the object identifier for the commitment, or

  • a qualifier to provide more information about the commitment itself, for example information on the contractual, legal, or application contexts.

The example below further highlights the role and scope of a signature policy. A transaction within an organization using electronic signatures can include transacting parties under such roles as purchase officer, treasurer, chief executive officer (CEO), president of the board of directors, etc. In any purchase, the purchase officer is the typical first-instance authority to sign transaction documents. Increased value requirements in a transaction might invoke a need for a sequential or chained authorization of this transaction. For example, due to the purchase officer's signature limitations, the signed document may have to be passed on for authorization by the treasurer. Depending on the treasurer's budget authorization limits, the transaction might be forwarded for signature to the CEO, etc. The signature of the CEO might not be sufficient if the decision for the transaction requires the direct involvement and approval of the organization's president. In such a case, where two parties are directly and simultaneously involved in a decision, a concurrent authorization should be appropriate for the validity of this transaction.

A signature policy in this example might state that the purchase officer can sign a document for up to a certain value that corresponds to the officer's usual type of business. A signature policy might further state that the purchase officer's signature should be valid for a certain period of time, depending on the duration of the project or the duration and agreement of the purchase officer's employment. In a similar way, a signature policy might further state signature constraints for all parties in the hierarchy of a company, as well as the rules that apply in the transactions of the company.

Upon receipt of a signed document, the recipient is required to validate a signature prior to taking any further action that may be required within a transaction context. The signature-validating party collects elements of information that include certificate validity information and the validation of the electronic signature. If the signature policy is recognized, within a legal or contractual context, as providing commitment, then the signatory explicitly agrees with terms and conditions that are implicitly or explicitly part of the signed data. The validation of a signature policy is done at the time when a recipient receives the signed data either directly through human interaction or in an automated way.
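The purchase example above, sketched as the policy check a recipient could run on receipt. This is an added illustration, not code from the book: the OID, role names, limits and dates are constructed placeholders, and certificate validation, cryptographic signature verification and concurrent authorization are assumed to be handled elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class RoleRule:
    max_value: int         # highest transaction value the role may authorize
    valid_from: datetime   # window in which this role's signature is accepted
    valid_until: datetime

@dataclass(frozen=True)
class SignaturePolicy:
    policy_id: str         # placeholder OID; last component stands for the version
    signing_start: datetime
    signing_end: datetime  # optional in the text; fixed here for brevity
    chain: tuple           # roles in sequential authorization order
    rules: dict            # role -> RoleRule

def required_roles(policy, value):
    """Prefix of the chain up to the first role whose limit covers the value."""
    for i, role in enumerate(policy.chain):
        if policy.rules[role].max_value >= value:
            return list(policy.chain[:i + 1])
    return None  # no role in the policy may authorize this value

def validate(policy, claimed_policy_id, value, signatures):
    """signatures: [(role, signing_time)] in the order applied. Returns errors."""
    if claimed_policy_id != policy.policy_id:
        return ["unrecognized signature policy identifier"]
    needed = required_roles(policy, value)
    if needed is None:
        return ["value exceeds every signing limit in the policy"]
    errors = []
    if [role for role, _ in signatures] != needed:
        errors.append(f"expected signatures in order {needed}")
    for role, when in signatures:
        rule = policy.rules.get(role)
        if rule is None:
            errors.append(f"{role}: role not defined in policy")
        elif not (policy.signing_start <= when <= policy.signing_end):
            errors.append(f"{role}: signed outside the policy signing period")
        elif not (rule.valid_from <= when <= rule.valid_until):
            errors.append(f"{role}: signed outside the role's validity window")
    return errors

# Constructed sample policy: names, limits and dates are illustrative only.
Y = lambda y: datetime(y, 1, 1)
POLICY = SignaturePolicy("1.2.3.4.1", Y(2003), Y(2006),
    ("purchase_officer", "treasurer", "ceo"),
    {"purchase_officer": RoleRule(10_000, Y(2003), Y(2004)),
     "treasurer": RoleRule(100_000, Y(2003), Y(2006)),
     "ceo": RoleRule(1_000_000, Y(2003), Y(2006))})
```

An empty list from `validate` means the signature chain satisfies the policy; each string otherwise names the constraint that failed.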




Social and Economic Transformation in the Digital Era
ISBN: 1591402670
EAN: 2147483647
Year: 2003
Pages: 198
