
Digital signatures are one of the most technically robust forms of authentication available for electronic documents. The short answer to whether they can be trusted is yes, provided certain conditions are met. But “digital signature” covers different things in different contexts, and the trust level depends significantly on which type of digital signature is being used and how it was issued.
This article explains how digital signatures work, why they are trustworthy, what their limitations are, and what the specific position is under Indian law.
A digital signature is a cryptographic mechanism that uses a pair of mathematically related keys, a private key and a public key, to authenticate a document and its signatory.
When someone signs a document digitally, the signing software uses the signatory’s private key to generate a unique hash of the document’s content. This hash is encrypted with the private key and attached to the document as the digital signature.
Anyone who subsequently receives the signed document can use the signatory’s public key to decrypt the hash and compare it with a freshly computed hash of the document. If the two hashes match, two things are confirmed: the document has not been altered since it was signed (because any change would produce a different hash), and the signature was created using the private key that corresponds to the public key, which means it was created by the signatory.
This mechanism produces two core properties that make digital signatures trustworthy.
Authentication. The signature confirms who signed the document, because only the person who holds the private key can create a valid signature that the corresponding public key will verify.
Integrity. The signature confirms that the document has not been altered after signing, because any alteration changes the document’s hash and the verification fails.
These two properties together make digital signatures significantly more trustworthy than a wet ink signature (which authenticates the signatory at the time of signing but does not detect post-signing alterations to the document) or a basic electronic signature such as a scanned signature image (which confirms neither the signatory’s identity reliably nor the document’s integrity).
The cryptographic algorithms underlying digital signatures, primarily RSA and Elliptic Curve Cryptography (ECC), are mathematically secure against current computational capabilities. Forging a digital signature without access to the private key would require computational power that is not practically achievable.
This means that a valid digital signature verification confirms, with a very high degree of certainty, that the signature was made by the holder of the corresponding private key and that the document has not been altered.
The security of a digital signature depends on the private key remaining under the exclusive control of the signatory. When a Digital Signature Certificate (DSC) is issued by a Certifying Authority, the private key is generated on a cryptographic hardware device (a USB token) that stores the key securely. The key cannot be exported from the token. To use the private key, the signatory must physically possess the token and enter the correct PIN.
This physical control mechanism means that a digital signature can only be applied by someone who has both the physical token and the correct PIN. It is significantly harder to misuse than a password or a signature image.
In India, Digital Signature Certificates are issued by Certifying Authorities (CAs) licensed by the Controller of Certifying Authorities (CCA) under the IT Act, 2000. Before issuing a DSC, the CA verifies the applicant’s identity through a process that typically includes checking government-issued identity documents and, for higher-assurance certificates, in-person or video verification.
This identity verification process means that the certificate links the public key to a verified identity. When you verify a digital signature and it shows as valid, it confirms not just that the private key was used but that the private key belongs to the verified identity shown in the certificate.
Trusted timestamps, applied by a timestamp authority at the moment of signing, provide cryptographic proof of when a digital signature was applied. The timestamp confirms that the signature was applied at a specific time, which is relevant for establishing the order of execution, proving that a document was signed before a particular date, and protecting against backdating.
Despite their technical robustness, digital signatures are not unconditionally trustworthy in all circumstances. There are specific failure modes that users need to understand.
If a signatory’s private key is compromised, an attacker who obtains the key can create valid digital signatures in the signatory’s name. This is rare with hardware token-based private keys because the key cannot be exported from the token. It is more of a risk with software-based private keys stored on a computer, which can potentially be stolen through malware.
Where key compromise is suspected, the Certificate Authority can revoke the certificate. Certificate revocation information is published through Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP). A digital signature verification should check the revocation status of the certificate to confirm that it had not been revoked at the time of signing.
Digital Signature Certificates have a validity period, typically one to three years. A signature applied with an expired certificate does not carry the same assurance as one applied with a valid certificate. When verifying an old signature on a document signed some time ago, the verification system should check whether the certificate was valid (not expired and not revoked) at the time the signature was applied, not whether it is valid today.
This is typically handled through long-term validation profiles that preserve the revocation status information at the time of signing.
The trust in a digital signature ultimately rests on the trustworthiness of the Certifying Authority that issued the certificate. If a CA makes an error in identity verification and issues a certificate to someone who is not who they claim to be, signatures created with that certificate will verify as valid but will be attributable to the wrong identity.
In India, CAs are licensed and regulated by the CCA, which sets standards for identity verification. The regulatory framework reduces this risk, but it does not eliminate it entirely.
A digital signature confirms that the signatory applied their private key to the document at a specific time. It does not confirm that the signatory read, understood, or agreed with the document’s contents. A person can apply a valid digital signature to a document without having reviewed it. The legal effect of the signature still depends on the signatory’s legal capacity and the presence of the other requirements for a valid contract.
Aadhaar eSign is a form of digital signature specific to India that uses Aadhaar-based authentication rather than a hardware token-based DSC. The signatory authenticates through their Aadhaar number and OTP or biometric verification, and the signature is applied by a licensed Electronic Signature Service Provider on behalf of the signatory.
The trust model for Aadhaar eSign is slightly different from hardware token DSC: the private key is managed by the Service Provider on behalf of the signatory rather than being stored on a device under the signatory’s exclusive control. However, the Aadhaar authentication step verifies the signatory’s identity at the time of signing, and the resulting signature is cryptographically linked to the document and to the Aadhaar-authenticated identity.
Aadhaar eSign is legally recognised under the IT Act and is widely trusted for consumer-facing financial and insurance agreements where obtaining a hardware DSC from every signatory is not practical.
The term “e-signature” covers a wide range from a typed name in an email to a full DSC-based digital signature. The trust levels are very different.
A typed name or a scanned signature image provides no cryptographic authentication and no integrity protection. Anyone can type anyone’s name. A scanned signature image can be copied from one document to another. These basic forms of e-signature rely on the surrounding context, the audit trail, and the relationship between the parties for their evidentiary value.
An Aadhaar eSign provides identity verification through Aadhaar authentication and document integrity through cryptographic signing. It is significantly more trustworthy than a basic e-signature.
A DSC-based digital signature provides the highest level of trust: hardware-protected private key, CA-verified identity, document integrity protection, revocation status checking, and trusted timestamping.
For high-value commercial agreements, regulatory filings, and documents where the authenticity of the signature may need to be proved to a court or regulator, a DSC-based digital signature is the most trustworthy option available.
Digital signatures can be trusted, and they are among the most reliable authentication mechanisms available for electronic documents. The trust rests on cryptographic robustness, hardware-protected private keys, Certifying Authority identity verification, and integrity protection that detects any post-signing alterations. The main limitations are private key compromise (rare with hardware tokens), certificate revocation issues, and CA identity verification errors.
For Indian enterprises and individuals, the choice between Aadhaar eSign and DSC depends on the use case: Aadhaar eSign is practical for high-volume consumer-facing applications, while DSC is the standard for corporate filings, high-value contracts, and regulated transactions where maximum legal robustness is required.
Legistify eSign (legistify.com/sign-doc) supports both Aadhaar eSign and DSC Token signing — along with OTP-based Digital signatures — for free, with no account or credit card required. Every signed document carries a tamper-evident audit trail with timestamping and certificate chain records, making it court-admissible under the IT Act, 2000 and BSA 2023.
Digital signatures use public key cryptography. The signatory’s private key generates a unique encrypted hash of the document, which is attached to the document as the signature. Any recipient with the corresponding public key can verify the signature, confirming both the signatory’s identity and that the document has not been altered after signing.
A valid digital signature created with a properly secured private key cannot practically be forged. The cryptographic algorithms underlying digital signatures (RSA and ECC) are computationally secure against current technology. Forgery would require access to the private key. If the private key is compromised, the certificate should be revoked immediately, and any signatures created after the revocation date cannot be trusted.
An e-signature is a broad term covering any electronic representation of a signature, from a typed name to a cryptographic digital signature. A digital signature specifically uses public key cryptography to authenticate the signatory’s identity and protect the document’s integrity. Digital signatures provide significantly higher legal and technical assurance than basic e-signatures.
Yes. Aadhaar eSign is a legally recognised electronic signature under the IT Act, 2000. It uses Aadhaar-based authentication to verify the signatory’s identity at the time of signing and produces a cryptographically signed document. While the trust model is slightly different from hardware token DSC (the private key is managed by the Service Provider rather than held by the signatory), the Aadhaar authentication step provides strong identity verification, and the resulting signature is legally equivalent to a handwritten signature.
When verifying an old signature, the verification should check whether the certificate was valid at the time the signature was applied, not whether it is valid today. A signature applied while the certificate was valid remains valid even after the certificate expires. Long-term validation profiles preserve the revocation status information at the time of signing, enabling future verification of signatures applied with now-expired certificates.