For a few years now, Odoo has offered an Enterprise module that manages documents for signing in a simple way, integrated with the rest of the tool. On close examination, questions arise that we think need to be addressed now.
Legal regulations for signatures
In the field of digital signatures there are various regulations, the most relevant being eIDAS (in Europe) and the US ESIGN Act (in the United States). We will focus on eIDAS, as it is the more restrictive of the two and would therefore also cover what the US ESIGN Act requires.
Regulation (EU) No 910/2014, known as eIDAS (Electronic Identification, Authentication, and Trust Services), is a European Union legislation that establishes a framework for electronic identification and trusted services in electronic transactions. This regulation came into effect on July 1, 2016, replacing Directive 1999/93/EC on electronic signatures. In fact, it proposes three different types of signatures:
- Simple Electronic Signature (SES): The simple electronic signature is the most basic level of signature according to eIDAS. It involves electronic data attached to a message or document that serves as a method to identify the signer. The simple electronic signature has no specific security requirements, but its use is generally accepted in electronic transactions.
- Advanced Electronic Signature (AdES): The advanced electronic signature is an intermediate level that incorporates additional security measures to ensure the authenticity of the signer and the integrity of the signed document. To be considered an advanced electronic signature, it must be uniquely linked to the signer, be capable of identifying the signer, and any subsequent change to the signed data must be detectable.
- Qualified Electronic Signature (QES): The qualified electronic signature is the highest level of signature according to eIDAS and has the same legal validity as a handwritten signature. To be considered qualified, the electronic signature must meet certain standards and be backed by a qualified electronic signature creation device. Additionally, it must be based on a qualified electronic signature certificate issued by a qualified trust service provider.
It is important to note that the Qualified Electronic Signature, although the most restrictive, only makes sense in highly secure environments. In fact, the regulation itself states in Article 25:
"Legal effects and admissibility as evidence in legal proceedings shall not be denied to an electronic signature solely on the grounds that it is an electronic signature or that it does not meet the requirements for qualified electronic signatures."
Therefore, in most cases, an advanced electronic signature is sufficient for our purposes.
Advanced electronic signature: requirements
For an electronic signature to be considered advanced, it must meet the following:
- Be uniquely linked to the signer.
- Allow the identification of the signer.
- Be created using electronic signature creation data that the signer can use, with a high level of trust, under their exclusive control.
- Be linked to the signed data in such a way that any subsequent modification of the data is detectable.
In summary, we must be able to ensure that the person signing is who they claim to be, that they have sufficient control over the signing tool (so that nobody can impersonate them or hide information from them), and that the signed information cannot be modified without this being detected.
Odoo and the advanced electronic signature
In its enterprise version, Odoo offers a system for sending documents for signature. We will now break down each of the points to see exactly how it works.
- Unique identification of the signer: Initially, Odoo proposes a system for adding a handwritten signature, but this signature is stored as an image and does not retain the minimum data needed to be considered biometric. It also requests geolocation, but that information is not necessarily accurate. In any case, we can ensure user identification by using a one-time password (OTP) system.
- Control of the tool: signing is done from the signer's own computer or mobile phone, which is what gives them this control.
- No subsequent modification: Odoo records every change and protects the record with a hashing system, so that if any of the stored data is altered the hashes no longer match and the whole record is flagged. Additionally, by sending timestamps to the user, we ensure that earlier data cannot be tampered with afterwards.
Therefore, Odoo Enterprise's signature is valid as an advanced electronic signature as long as we use an OTP system, that is, sending the user an SMS with a code that they then enter into the system. This form of identification only works in countries where obtaining a SIM card requires personal identification, since we are delegating the identification to the phone number.
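To make the "no subsequent modification" point concrete, here is an added example (not Odoo's own code) of a hash-chained signature log in the spirit of the mechanism described above: each event (opening the document, OTP verification, the signature itself) is stored with a timestamp and the hash of the previous entry, so altering any stored entry breaks the chain from that point on. The event names, the signer address and the document hash are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # hypothetical "previous hash" for the first entry


def _entry_hash(prev_hash: str, ts: str, action: str, data: dict) -> str:
    """Hash over the previous hash, the timestamp and the event payload."""
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "action": action, "data": data},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log: list, action: str, data: dict,
                 timestamp: Optional[str] = None) -> dict:
    """Append an event to the chained log and return the stored entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    entry = {"prev": prev_hash, "ts": ts, "action": action, "data": data}
    entry["hash"] = _entry_hash(prev_hash, ts, action, data)
    log.append(entry)
    return entry


def verify_chain(log: list) -> Tuple[bool, int]:
    """Recompute every hash; return (ok, index of first bad entry or -1)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_hash(prev_hash, entry["ts"], entry["action"], entry["data"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def demo() -> Tuple[bool, bool, int]:
    """Build a constructed three-event log, then tamper with the OTP event."""
    log: list = []
    append_entry(log, "open", {"signer": "alice@example.com"}, "2024-01-01T10:00:00+00:00")
    append_entry(log, "otp_verified", {"channel": "sms", "phone_last4": "1234"},
                 "2024-01-01T10:01:30+00:00")
    append_entry(log, "sign", {"document_sha256": "<constructed-placeholder>"},
                 "2024-01-01T10:02:05+00:00")
    ok_before, _ = verify_chain(log)
    log[1]["data"]["channel"] = "email"  # simulate a later edit of the stored record
    ok_after, bad_index = verify_chain(log)
    return ok_before, ok_after, bad_index
```

Running `demo()` shows the chain verifying before the edit and failing at index 1 afterwards; the same check would also catch a removed or reordered entry, since the stored `prev` values would no longer line up.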
OCA and the advanced electronic signature
Over the past few months, the OCA has been working on alternative modules to Odoo Enterprise that could also be considered advanced electronic signatures. Initially they did not meet all the requirements and should have been considered a simple electronic signature, but in recent times substantial improvements have been made that could allow us to say they are advanced electronic signatures. In upcoming posts, we will try to delve into the solution proposed by the OCA.