Are documents truly "signed" by DocuSign?
I've never been happy with the explanation DocuSign gives for themselves in their own marketing material (e.g. https://www.docusign.com/how-it-works/electronic-signature/digital-signature/digital-signature-faq, https://www.docusign.com/products/electronic-signature and https://www.docusign.com/how-it-works/security). I have a number of questions:
For me, if I want a document to be signed, I need to encrypt the hash of the document with my private key, and any recipients can verify the signature by decrypting my signature's hash and comparing it with their own recompute of the hash. On DocuSign I cannot see where or how I can provide my own private key (which would be a huge security issue in itself) nor will it let me keep my private key private (i.e. on my premises, not uploaded to their server). There is also no mention of any public key - in fact there's no way for me to verify the integrity and authorship of any document as DocuSign simply doesn't give that type of metadata to me, I just have to take their word for it that the document hasn't been tampered with.
How does DocuSign verify identity in a meaningful way? So far all I can tell is that they can verify email address ownership (or at least mailbox access), I don't remember ever being required to verify my identity by driving license or passport scan uploads - so how is that legally considered proof-of-identity? How is it a signature in any way if it cannot provably be linked with my real-life identity? Anyone could claim one of my expired Hotmail addresses and create a DocuSign account for me and sign things with it.
I have a problem with DocuSign being simultaneously 1) the verifier of identity, 2) the holder of the documents, and 3) the generator of the signatures - the fact it's a single legal entity means they have the legal, and certainly the technical, means of altering any document, its signature, and claims about that signature; considering recent news events where certain first-world nations governments try to coerce companies to decrypt their data this means I'm not likely to consider DocuSign trustworthy enough to "sign" anything significant. There is also the fact that DocuSign's codebase is proprietary and not accessible - I have to take their word (on their homepage, no less) that they have been independently audited and that the audit means something.
I also don't like how they generate a fake handwritten "signature" image - I thought it has been established that simply having a photo of anyone's handwriting next to some text does not constitute a signature. I'm concerned of the effect this may have on users: a kind of "CSI effect" where the crypto-layperson will think that a picture of their signature is enough and then apply this learned "fact" to other platforms, thus worsening the public's awareness of PKI (after all the progress we've made educating users about SSL).
Given the problems I think found in DocuSign above - if I were involved in a legal case, such as a contractual dispute, and the version on DocuSign is brought as evidence - can either party in the suit legitimately claim that the DocuSign document is bona-fide, conversely how easily could the other party show the "signature" cannot be trusted?
i.e. can anyone sum-up DocuSign's service and categorically say if it's cryptographically, or at least legally, sound?
