Authenticated Clickwrap signatures are a blend of Clickwrap and digital signatures. This enables users to securely sign a form without relying on an extended public key infrastructure (PKI). During normal use, the user signs the form by entering an ID and secret, such as a password. When the form is sent to a server, the server retrieves the user’s secret from a database and uses that secret to verify the signature. Furthermore, the server can notarize the Authenticated Clickwrap by signing it with a digital certificate, thereby creating a secondary digital signature. This secondary signature shows that the server has confirmed the identity of the signer, and ensures that the original signature can be trusted over time.
Authenticated Clickwrap signatures work like normal Clickwrap signatures, except they also incorporate a shared secret. Typically, this shared secret is a user ID and password. When you sign the form, you provide your shared secret as part of the signature, using the typical Clickwrap question and answer system. When you submit the form, the server then creates a second signature using its copy of the shared secret, and compares it to the signature in the form. If the signatures match, then the server has positively identified you as the signer, and the server then countersigns the form with a digital signature.
This combines the ease-of-use of the Clickwrap signature with the inherent strength of a digital signature and relies on a shared secret infrastructure that likely already exists in the organization.
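The shared-secret check described above can be sketched as follows. This is an added example, not the product's own code: the page does not name the algorithm, so HMAC-SHA-256 over a canonical form serialization, a PBKDF2-derived key stored in place of the raw password, and all function and field names are assumptions. The server's certificate-based countersignature, which would follow a successful check, is not shown.

```python
import hashlib
import hmac
import json

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the shared secret so the server need not store the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def message(user_id: str, form: dict) -> bytes:
    """Bind the signer ID to a deterministic serialization of the form."""
    body = json.dumps(form, sort_keys=True, separators=(",", ":"))
    return user_id.encode() + b"\x00" + body.encode()

def sign_form(form: dict, user_id: str, password: str, salt: bytes) -> dict:
    """Client side: produce the signature from the ID and secret the user typed."""
    key = derive_key(password, salt)
    sig = hmac.new(key, message(user_id, form), hashlib.sha256).hexdigest()
    return {"form": form, "user_id": user_id, "signature": sig}

def verify_submission(submission: dict, user_db: dict) -> bool:
    """Server side: recompute the signature from its own copy and compare."""
    record = user_db.get(submission.get("user_id"))
    if record is None:
        return False  # unknown signer
    msg = message(submission["user_id"], submission.get("form", {}))
    expected = hmac.new(record["key"], msg, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the value matched.
    presented = str(submission.get("signature", ""))
    return hmac.compare_digest(expected.encode(), presented.encode())

# Constructed sample data for the demonstration.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USER_DB = {"alice": {"salt": SALT, "key": derive_key("correct horse", SALT)}}
FORM = {"agreement": "I accept the terms", "amount": "100.00"}

if __name__ == "__main__":
    good = sign_form(FORM, "alice", "correct horse", SALT)
    tampered = dict(good, form=dict(FORM, amount="900.00"))
    print("valid:", verify_submission(good, USER_DB))
    print("tampered form:", verify_submission(tampered, USER_DB))
    print("wrong secret:", verify_submission(
        sign_form(FORM, "alice", "guess", SALT), USER_DB))
```

Because the signature covers the form content as well as the signer ID, a form altered after signing fails the same check that rejects a wrong secret.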
When to use Authenticated Clickwrap signatures
Authenticated Clickwrap signatures are an effective solution for organizations that cannot maintain an extensive PKI, but continue to require a high degree of security. Typically, they work best for organizations that currently make use of user IDs and passwords, or some other shared secret.