[HN Gopher] Show HN: OpenSign - Open source alternative to DocuSign
___________________________________________________________________
Show HN: OpenSign - Open source alternative to DocuSign
Author : alexopensource
Score : 82 points
Date : 2023-10-28 18:47 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| yodon wrote:
| My understanding (possibly incorrect) is that competing with
| DocuSign is hard because of the need to follow obscure state and
| National laws (many of which are defined by case law rather than
| published law) in order for the signatures to be legally binding.
|
| Is that the case? And if so, is there evidence OpenSign has done
| this kind of SME research to make sure the electronic signatures
| are legally binding, or is this more "we brought in some devs and
| UI designers and built something" without actual legal review and
| guidance?
| wrs wrote:
| DocuSign itself just refers you to your own counsel for legal
| advice, but does publish and update a handy multi-country legal
| reference.
|
| For the US one, at least, they give examples of where
| electronic signatures are pretty common and straightforward,
| and where you need to be careful.
|
| Software-wise, they have features to help you show evidence of
| who signed, where, and when in multiple ways. Nothing magical,
| though.
|
| If there were secret sauce, you would think they'd mention it
| prominently, but they don't.
|
| https://www.docusign.com/products/electronic-signature/legal...
| alexopensource wrote:
| We also generate a completion certificate that has the time &
| ip addresses of everyone who accessed and modified a doc
| during the entire signing process, plus we are open source
| which means more transparent. We plan to publish a lot of
| content in that space but with limited resources currently we
| plan to build the product features first. Also, we are soon
| going to start our fund raise efforts which will ultimately
| speed up things.
| szundi wrote:
| And soon after suddenly the Pricing page appears, after 3
| months of disappointment convenient features turn paying
| ones. In some more years it is just as expensive as
| Docusign.
|
| Eh sorry, I'm just sad about Rocket Chat.
| alexopensource wrote:
| The self hosted version will always be free :)
| josephcsible wrote:
| Your CONTRIBUTING.md file says "By contributing, you
| agree that your contributions will be licensed under its
| MIT License." Since OpenSign is AGPLv3, why don't you
| allow contributions under the same license, if the self
| hosted version will always be free? I'm worried that the
| purpose of that might be to let you make it proprietary
| later.
| alexopensource wrote:
| Thanks for asking the right question. We are taking legal help
| to be compliant with various jurisdictions. Our solution is
| currently able to safely sign a document with a digital
| signature that will make it tamper-proof and show a green tick
| in Adobe PDF while keeping track of incremental annotations
| added by multiple signers. We envision to add support for eIDAS
| and AADHAAR e-sign (widely accepted in India) very soon.
| petertodd wrote:
| > Our solution is currently able to safely sign a document
| with a digital signature that will make it tamper-proof
|
| Who holds the secret key that actually signs the document? If
| this is in fact a self-hosted, open-source, project then
| clearly the user does, and they could sign a different,
| tampered, version of the document after the fact. I would
| hesitate to use the term "tamper-proof" in that situation.
| Right now your documentation doesn't make it clear how this
| actually works.
|
| I'll also point out, that even if you were using my
| OpenTimestamps scheme or some other secure timestamping
| system, I would _still_ hesitate to call the solution
| "tamper-proof". The problem is that even with timestamps
| someone can in many situations pre-generate alternate
| versions of a document in advance. Calling this type of
| system "tamper-resistant" is better IMO.
| alexopensource wrote:
| In the hosted version, we sign the document on behalf of
| the user using our own private key. Our roadmap also has
| the feature to bring your own cert (not relevant here). As
| soon as a user signs a document, a copy of the signed
| document is instantly sent to all the parties involved.
| This ensures that the signer cannot revoke the documents
| already signed. If the receiving party tries to modify the
| document, the signature becomes invalid. This is how we
| make sure that the docs are "tamper-proof" after signing.
| jjeaff wrote:
| Are there really any laws requiring special types of
| signatures? Because I've never had a legal doc sent to me that
| they weren't fine with just stamping my signature on the line
| or even printing it out, signing it, and scanning it back in.
| alexopensource wrote:
| It depends on the jurisdiction you are located in and the level
| of legal safety and acceptance you need. Our solution is
| already able to digitally sign the document which kind of
| makes it tamper proof and electronically sign (draw
| annotations) which will have you covered in most regions.
| Some regions have specific laws for example India has IT Act
| 2000, UETA & ESIGN Act while Europe has eIDAS.
| baz00 wrote:
| Depends where you are but contracts and other legal documents
| are only ultimately enforceable in court usually. Electronic
| signatures tend to shorten that process somewhat as they
| provide signatory verification, contract integrity and ID
| verification so it's seen as a legal risk and cost mitigation
| rather than an actual hard contractual requirement.
| p_l wrote:
| European Union (and some states connecting with the same
| infrastructure, like Switzerland), have standardized formats
| as well as defined CAs that provide certificates for
| "qualified" signatures, which have the same legal weight as
| if you had a printed document with physical signature.
|
| DocuSign supports those mainly through some interop
| connections where, for example, a qualified signature vendor
| provides an API that DocuSign can use to sign the document.
| alexopensource wrote:
| You are right, that is precisely the route we will also
| have to take for certain regions. For example in India,
| there are only 3 entities that are authorized by the
| government to enable Aadhaar based e-signature. We will
| have to integrate with any of those in order to be
| compliant. We have already started working in this
| direction.
| candiddevmike wrote:
| AFAIK DocuSign acts as a trusted third party and protects/proves
| chain of custody. Think of them like a digital notary public.
| alexopensource wrote:
| Our understanding is that DocuSign does not have any legal
| authority, they prove the chain of custody/modifications
| using digital traces which our solution can also do, arguably
| in a more open way.
| toomuchtodo wrote:
| Electronic signatures legally recognized in the United
| States are provided for in the Electronic Signatures in
| Global and National Commerce Act ("ESIGN") and state and
| territory versions of the Uniform Electronic Transactions
| Act ("UETA").
|
| These are the regulations you'll want to adhere to in order
| to provide parity with digital signature authority of
| traditional commercial providers (in the US at least).
|
| Great work btw!
|
| (Not an attorney, not your attorney, but happy to chip in
| fiat so you can consult with counsel and obtain an opinion
| letter from one in support of your project)
| alexopensource wrote:
| Saved the info in my notes. Will discuss it with our
| counsel in the next meeting. Thanks :)
| ncallaway wrote:
| UETA has been substantially adopted by 49 states. The
| state of New York has their own statute.
|
| So, if you look at e-sign, UETA, and NY's Electronic
| Signatures and Records Act, then you have fairly
| comprehensive coverage across the US.
|
| Also not an attorney, and this is also definitely not
| definitive legal advice!
| benatkin wrote:
| Yes, making a mill for supposedly trusted third parties,
| over having an actual trusted third party, is a more open
| way.
|
| Edit: I suppose in all except the free self hosted one,
| OpenSign would be the trusted third party, which I guess is
| more plausible. Unless the paid customers are given
| something close to root to administrate them. Still, a
| trusted third party is generally based on recognition. Even
| if I really dislike a company I eventually acknowledge
| they're trusted if it lasts long enough, like with ID.me. I
| didn't use ID.me until it was required for logging into the
| IRS and now I grudgingly admit that I think it's an extra
| security check on logging in. So until you're big like
| DocuSign I wouldn't view you in quite the same way as a
| trusted third party.
|
| That does bring a question, are your paid customers
| prevented from going under the hood in such a way that they
| would also have to be trusted at such a level along with
| OpenSign?
|
| --
|
| This to say I'm open to using OpenSign, because there are
| plenty of uses where I would be open to using something
| that doesn't have this "trusted third party at the level of
| DocuSign" feature. The "digital notary public" analogy is
| apt. I sometimes sign documents with a notary, and other
| times without.
| alexopensource wrote:
| Great insights. The hosted version functions in a more or
| less same way as DocuSign with an added advantage of
| knowing what the code is doing under the hood. We don't
| intend to provide root/admin privileges as it's going to
| be a multi-tenant system at the end of the day.
| ncallaway wrote:
| One thing that I think they provide (as opposed to the self
| hosted version) is just the fact of being a relatively
| neutral third party.
|
| If there's a dispute over the veracity of a signature, it's
| probably helpful to have a third party say "according to
| our server logs and software stack, this was signed by
| johndoe@example.com at 12:41pm on August 3rd, from the IP
| address XX.XXX.XXX.XX, and they authenticated with their
| email and password". If I'm self-hosting, it's marginally
| less convincing when I'm before a court if I say *my*
| software stack says that, since I have more direct control
| over it.
|
| So, I agree DocuSign doesn't have a special status, other
| than being a relatively neutral third party to that
| dispute. But if a signature's validity is being questioned,
| that third party status is probably somewhat helpful.
| figassis wrote:
| Wouldn't it be amazing, since e signatures have been around for
| ages, that governments just published the requirements for
| legally binding digital signatures rather than ask each maker
| to go talk to them and get some obscure license or blessing?
| amolshejole wrote:
| Yeah, it's already happening in a lot of regions across the
| world. We see a future that will have more open standards, it
| is precisely the reason we are working on this solution now.
| saled wrote:
| You know that there's nothing stopping an open source project
| funded as a not for profit from doing the same thing right?
|
| If something is hard, that's an argument _for_ making a
| standard not for profit version of it, so it becomes a common
| good instead of platform rent seekers keeping out competition
| by saying it's "too hard".
| latchkey wrote:
| It is interesting to me how they (tm) on OpenSign, but don't do
| it in all their references to their competitors...
| wizzwizz4 wrote:
| That's because they're staking a claim to a trademark. They're
| not staking a claim to the trademarks of their competitors.
| baz00 wrote:
| This is naive. DocuSign's main sell from a commercial perspective
| is it separates the parties into the signer, the signee and the
| authority. If the authority is the signee or the signer then it
| could be considered unfair. And really no one wants to end up
| having to hire lawyers to unfuck that mess.
|
| Not only that DocuSign does ID verification if you pay them which
| is required for a bunch of contract types. This does definitely
| not!
| alexopensource wrote:
| We are working on all these features, even an optional webcam
| capture during signing. This is just the beginning. Even with
| current features we are arguably the most complete solution in
| this space in open-source world.
| baz00 wrote:
| I appreciate what you're doing but we buy DocuSign so the
| problem is far far away from us. This turns it into a problem
| we have to manage ourselves or a problem of finding a vendor
| stable enough to host your stuff that will make it not our
| problem long enough for the longest contract retention to
| expire. Which is difficult.
| yborg wrote:
| I'm sure these problems were also difficult for DocuSign in
| the beginning.
| baz00 wrote:
| Not really. They actually ran mock trials with legal
| professionals as test cases. That was an _instant_ win
| for anyone wanting assurance of admissibility.
|
| No open source startup is going to win there because it's
| about entities and process, supported by technology not
| technology on its own. The technology is absolutely
| worthless without the framework and legal entities
| surrounding it. It's a unique position no one really
| understands that well.
| alexopensource wrote:
| They began when Digital signatures were not understood
| well even by legal professionals. Somewhere fear might
| have come into the picture. Today, it's easier to digest the
| fact that digital signatures are just cryptographic
| functions that guarantee the authenticity and integrity
| of documents and various actions on those docs. Plus the
| legal framework around it is better defined now. I am
| confident that we will be able to change the perception
| and make this the de-facto digital signing solution. The
| movement has just begun, there is a long way ahead.
| throwaway237289 wrote:
| This answer is incredibly technocratic, and misses the
| mark on what a digital signature is.
|
| A digital signature is a legal construct that stands up
| in court.
|
| The movement might have begun, but you need to change
| your perception. You have to stop talking like a
| technocrat and address the business problem that
| signatures solve.
| alexopensource wrote:
| That is a great input, we need to put efforts into ensuring
| that we are seen as a long term player, in fact we envision
| to be one, assuming some contracts might be really long
| term. I hope a day comes when you trust us enough :)
| d3w4s9 wrote:
| No business cares about whether it is open-source or not.
| They care about when things somehow end up in the court,
| there is clear understanding of a signed document and nobody
| has any question about it. More or less a guarantee --
| probably not really a guarantee but good enough to hold in
| court. If your selling point is open source or "free" you
| have already lost.
| alexopensource wrote:
| We take pride in being open source as we are sure being
| open source brings a lot more transparency in the entire
| process. When it comes to the authenticity of a signed
| document, the cryptographic proofs generated by our
| solution and digital traces are no different than those
| generated by DocuSign. It will hold equally true in any
| court. We understand that we might need some time to be
| universally acceptable in terms of the perception of the
| people, but we are confident that we will reach there.
| petertodd wrote:
| > For comprehensive guidelines on how to use OpenSign, please
| consult our User Manual.
|
| FYI, USAGE.md seems to be missing.
|
| Also, a suggestion: while I agree with other posters that this
| isn't a replacement for the third-party trust model DocuSign
| provides, you might as well use my OpenTimestamps project to
| timestamp the documents OpenSign produces. Being able to prove
| that a document was in fact created in the past, before a dispute
| existed about the document, is significantly better than not
| being able to prove that. OpenTimestamps is free and open source,
| using Bitcoin so that you don't have a trusted third party.
| Timestamps made with OpenTimestamps are free, as merkle trees are
| used to allow the whole world's documents to be timestamped with
| a single Bitcoin transaction.
|
| https://opentimestamps.org/
|
| A good example of how it's been used recently is by the official
| election authority in Guatemala to timestamp polling documents in
| their recent presidential election:
| https://www.youtube.com/watch?v=g0nnM5_Z90E
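
The Merkle aggregation petertodd describes, as an added example that is not part of the thread or of OpenTimestamps' code: many document digests fold into one root (the only value that would need to go into a transaction), and each document keeps a short inclusion proof. The hashing layout, function names and sample documents are assumptions made for illustration, not the OpenTimestamps proof format.

```python
import hashlib

def leaf_hash(document: bytes) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an interior
    # node can never be passed off as a document digest.
    return hashlib.sha256(b"\x00" + document).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root_and_proof(leaves, index):
    """Return (root, proof) for leaves[index].

    proof is a list of (sibling_digest, sibling_is_left) pairs, bottom-up.
    """
    level, proof = list(leaves), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        # Pair up nodes; an unpaired last node is promoted unchanged.
        nxt = [node_hash(level[i], level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level, index = nxt, index // 2
    return level[0], proof

def verify_inclusion(document: bytes, proof, root: bytes) -> bool:
    """Recompute the path from one document up to the committed root."""
    node = leaf_hash(document)
    for sibling, sibling_is_left in proof:
        node = (node_hash(sibling, node) if sibling_is_left
                else node_hash(node, sibling))
    return node == root

# Constructed sample inputs standing in for signed PDFs.
DOCS = [b"contract-A signed", b"contract-B signed", b"nda-C signed",
        b"lease-D signed", b"offer-E signed"]
LEAVES = [leaf_hash(d) for d in DOCS]

if __name__ == "__main__":
    for i, doc in enumerate(DOCS):
        root, proof = merkle_root_and_proof(LEAVES, i)
        print(i, root.hex()[:16], len(proof), verify_inclusion(doc, proof, root))
    root, proof = merkle_root_and_proof(LEAVES, 2)
    print("edited copy verifies:",
          verify_inclusion(b"nda-C signed (edited)", proof, root))
```

The proof shows only that a given byte string was committed under that root; it says nothing about which of several pre-generated versions a party later chooses to present.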
| alexopensource wrote:
| Thanks for the suggestion. We will definitely consider this. We
| have just released v1 48hrs before. We are working hard to put
| together a usage guide with docusaurus. You will see huge
| updates to documentation soon.
| Animats wrote:
| If you get something to sign, can you modify it and send it back
| to the other party so they can sign the modified version? Or is
| this a "take it or leave it" system?
| alexopensource wrote:
| It's really important to preserve the integrity of the document
| during the signing process because of which modifications other
| than annotations are currently not allowed. We are building
| this to support an open architecture (micro frontend based
| add-ons). The two add-ons currently under development are:
|
| - A document organizer for signed/in-progress documents as we
|   believe organizing legal documents is very different from
|   organizing regular files as the user should be able to visually
|   identify the status of the document and just hover on a
|   document to see the current status of signers, etc.
| - An AI based assistant that will allow you to get any clause of a
|   contract re-worded, explained, analysed for risks, etc. (we don't
|   intend to replace lawyers here)
|
| Once we have these plugins ready, you will be able to
| create/modify docs before signing.
___________________________________________________________________
(page generated 2023-10-28 23:00 UTC)