Digital Signature Architecture
When choosing an architecture for implementing digital signatures on PDF documents, there are three major configurations to consider. These configurations vary depending on where the application runs and how digital signatures are applied.
Client-Side Architecture
In a client-side architecture, the signing application runs entirely on the client’s computer. This is suitable for offline standalone desktop or mobile applications that allow users to sign PDF documents. The digital signature can be created either on a hardware device like a USB token or a smart card (based on the PKCS#11 standard), which offers higher security, or by using a software certificate, which is less secure because software certificates can be more easily compromised. In addition, some security limitations, like the same-origin policy, can complicate the implementation of digital signature features such as timestamping or certificate revocation checks.
Our digital signatures web sample project is the best example of how to implement this particular architecture with PSPDFKit.
Server-Side Architecture
Server-side architecture is employed when building a signature server, which is ideal for signing documents on behalf of companies rather than individual users. This architecture is commonly used for contracts, official government documents, and more. Access to signature servers should be restricted by IP address and by credentials, and documents are typically archived on the server for record keeping.
Client-Server Architecture with Signatures on the Server
This architecture is useful in intranet scenarios, such as when an organization has a secured server with a hardware security module (HSM) that signs messages. The application on the client side sends messages to the server for signing. One benefit of this kind of architecture is that the server doesn’t receive the entire document, but rather only a hash of it, which is good for privacy. The downside is that the server won’t be able to archive the full document that was signed.
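The hash-only exchange described above, as an added example in Node.js (not PSPDFKit code or part of the sample project): the client hashes the document locally, the server signs the 32-byte digest, and the server's audit log can hold the digest but never the document. Assumptions: an in-memory RSA key stands in for the HSM, a direct function call stands in for the network request, `serverSignDigest`, `clientRequestSignature` and `client-42` are hypothetical names, and the digest covers the whole constructed byte string rather than a PDF ByteRange wrapped in CMS.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the HSM-held key; a real HSM never exports the private key.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
const SHA256_PREFIX = Buffer.from('3031300d060960864801650304020105000420', 'hex');

// The server can record who asked and which digest was signed, never the document.
const auditLog = [];

// Server side (hypothetical handler): receives 32 bytes and nothing else.
function serverSignDigest(clientId, digest) {
  if (!Buffer.isBuffer(digest) || digest.length !== 32) {
    throw new Error('expected a 32-byte SHA-256 digest');
  }
  auditLog.push({ clientId, digest: digest.toString('hex'), at: new Date().toISOString() });
  // PKCS#1 v1.5 signature computed over the precomputed digest.
  return nodeCrypto.privateEncrypt(
    { key: privateKey, padding: nodeCrypto.constants.RSA_PKCS1_PADDING },
    Buffer.concat([SHA256_PREFIX, digest])
  );
}

// Client side: hashes locally so the document never leaves the machine.
function clientRequestSignature(clientId, documentBytes) {
  const digest = nodeCrypto.createHash('sha256').update(documentBytes).digest();
  return serverSignDigest(clientId, digest); // stands in for the network call
}

// Any verifier holding the full document and the server's public key.
function verifyDocument(documentBytes, signature) {
  return nodeCrypto.verify('sha256', documentBytes, publicKey, signature);
}

// Constructed sample bytes, not a real PDF.
const pdfBytes = Buffer.from('%PDF-1.7 constructed sample bytes, not a real PDF');
const signature = clientRequestSignature('client-42', pdfBytes);
const tampered = Buffer.concat([pdfBytes, Buffer.from('x')]);

console.log('valid signature:', verifyDocument(pdfBytes, signature));
console.log('tampered copy verifies:', verifyDocument(tampered, signature));
console.log('server recorded only:', auditLog[0].digest);
```

Because the server cannot inspect what it signs, client authentication and the digest audit log are the only record tying a signature to a requester.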
It’s crucial to select the appropriate architecture for your digital signature solution with great care, considering the security, user experience, and use case requirements.