
Kontis Insights


Types of Electronic Signatures and Their Use in E-Learning

eSignatures in e-learning
Jan Pejša
CEO, Kontis s.r.o.
6-minute read

Summary: There are several types of electronic signatures, each suitable for a different signing purpose. This article describes the types of electronic signatures, which are most commonly used in e-learning and why, what a digital certificate is, what a certification authority is, what a digital signature is, and explains the principle of digital signatures.

Types of Electronic Signatures

To begin with, it should be noted that there is some confusion in the terminology of the types of electronic signatures, and you may find different names for the same types in various articles, regulations, and descriptions. Here, one of the commonly used terminologies is chosen, but you may encounter others. The important thing is not what a particular type of signature is called, but the fundamental characteristics described below, which determine its legal and evidential weight.

We distinguish the following types of electronic signatures, ordered from the lowest legal weight to the highest.

Simple Electronic Signature

Sometimes also called a basic electronic signature. This type of signature does not have to use digital signature technology with a digital certificate issued by a certification authority. For those unfamiliar with the terms digital signature, digital certificate, and certification authority, these are briefly explained, including the principle of the digital signature, in the chapter Digital Signature.

A simple electronic signature is any electronic form of data that is logically connected so that it expresses the will of the signatory to sign the attached electronic information and the signatory is somehow identified. It does not have to be a single electronic document with an embedded signature—usually, it is not. Rather, it is a system and process of signing within it, which is reflected in the stored data in the system. There is no specific regulation, directive, or law that defines how such a signature should proceed or look.

It can be, for example, clicking an I Agree button or ticking a consent checkbox on a displayed document or other electronic information, where the signer is identified by, for example, a system login or just by providing their name or email. It can also be a scanned document with a handwritten signature, or an email where the sender simply writes their name at the end. Given this very loose definition, you can imagine dozens of other examples that can be considered a simple electronic signature.

A simple electronic signature has a certain legal weight, the lowest of all types of electronic signatures, and also the most problematic evidential value. In case of a dispute, it is more difficult to prove authenticity, i.e., that the stated signatory actually signed. Therefore, even though it is not required by any standard, law, or directive, it is often technically implemented with, for example, 2FA verification of the signatory, such as sending a PIN to the signatory's email or mobile number, which must be entered simultaneously with the act of signing. This increases the evidential value of such a basic signature. Similarly, it may be difficult in case of a dispute to prove that what the signatory signed is the same as what one party to the dispute now presents. For example, thanks to 2FA, we may have more convincing evidence that a particular person expressed the will to sign, for example, consent to terms and conditions, but it is still necessary to prove what those terms and conditions looked like at the time of signing and whether they were different from what one party now claims. There are many methods to increase this evidential value, most of which involve storing data in the system where the signing takes place; however, this does not increase the legal weight of the simple electronic signature, only its evidential value.
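One way to store such evidence in the signing system, as an added example that is not code from the article or from any product it mentions: the record ties the signer, the PIN check and a hash of the exact text shown at signing together, and protects them with a server-side MAC. The function names, the key and the sample text are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret; a real system keeps it in a KMS or HSM, not in code.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample of the text displayed to the signer.
TERMS_V1 = b"Terms and conditions, version 1 (constructed sample text)."


def issue_pin() -> str:
    """Generate a 6-digit one-time PIN to send to the signer's e-mail or phone."""
    return f"{secrets.randbelow(10**6):06d}"


def record_mac(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON form of every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


def record_signature(user, document, issued_pin, entered_pin, signed_at, prev_mac):
    """Return a tamper-evident evidence record, or None if the PIN check fails."""
    # Constant-time comparison of the PIN entered together with the act of signing.
    if not hmac.compare_digest(issued_pin, entered_pin):
        return None
    record = {
        "user": user,
        "signed_at": signed_at,
        # Hash of the exact bytes shown to the signer: evidence of *what* was signed.
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "second_factor": "pin-verified",
        # Chaining to the previous record makes deletion or reordering detectable.
        "prev_mac": prev_mac,
    }
    record["mac"] = record_mac(record)
    return record


def verify_record(record: dict, presented_document: bytes) -> str:
    """Check the record is unmodified and matches the document presented in a dispute."""
    if not hmac.compare_digest(record["mac"], record_mac(record)):
        return "record-tampered"
    if hashlib.sha256(presented_document).hexdigest() != record["doc_sha256"]:
        return "document-differs"
    return "ok"
```

Because the system operator holds the MAC key, a record like this raises evidential value only; it does not give the signer-held-key property of a digital signature.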

Recognized Electronic Signature

From a typological point of view, this is actually a subtype of the simple electronic signature, which better addresses the evidential value of the signatory's authenticity and the authenticity of the signed materials. Unlike the simple electronic signature, where you can sign almost any way, a recognized electronic signature is implemented using a digital signature. The digital certificate used in it does not have to meet any requirements. It can be issued by any certification authority; for example, these certificates can be issued by the company itself, or the signatory can issue it themselves. For internal company use, it provides higher assurance in the area of signatory authentication and document integrity than the simple electronic signature (see the explanation of the digital signature principle in the chapter Digital Signature). Any evidential materials have higher weight if the company has a properly established process for issuing digital certificates. However, it does not have significantly higher legal weight than the simple electronic signature.

Guaranteed Electronic Signature

This signature must meet the following criteria:

  • It is uniquely linked to the signatory.
  • It allows identification of the signatory.
  • It is created under the exclusive control of the signatory.
  • It is designed so that any change to the signed data can be detected.

In practice, it is implemented using the digital signature described at the end of the article, where the digital certificate is issued to the signatory by a qualified certification authority. In the Czech Republic, qualified certification authorities include, for example, První certifikační autorita, a.s., Česká pošta, s.p. (PostSignum), or eIdentity.

The term qualified certification authority often causes confusion in the names of electronic signature types. A qualified, sometimes also called an accredited, certification authority is defined by the Electronic Signature Act, and the list of accredited certification authorities is published by the Ministry of the Interior of the Czech Republic. These qualified certification authorities issue digital certificates, which are sometimes collectively referred to as qualified digital certificates, and the signatures created from them are then called qualified electronic signatures. However, these authorities often issue several types of digital certificates, mainly for commercial reasons. For example, one is called a qualified commercial certificate, which has lower requirements for signatory verification and a lower price; a signature made with this certificate would fall into the recognized electronic signature category in the typology presented here. They also issue a qualified digital certificate that meets the high legal requirements for signatory verification but without a hardware device for storage and signing. A signature made with this certificate would fall into the guaranteed electronic signature category in the typology presented here, even though it is sometimes called a qualified electronic signature. In the typology presented here, however, the term qualified electronic signature is reserved for the last, "highest" type described below, for which there was no name in this sometimes-used alternative terminology.

A guaranteed electronic signature has higher legal weight than a basic or recognized electronic signature and is sufficient for common electronic legal transactions.

Qualified Electronic Signature

A qualified electronic signature is implemented in the same way as a guaranteed electronic signature, using a digital signature with a digital certificate issued by a qualified certification authority. In addition, the signatory must create it using a qualified electronic signature creation device. It is not enough for the private key, which the qualified certification authority issued to the signatory together with their digital certificate, to be stored somewhere on a computer disk. The private key must be stored on a hardware device, again certified by an accredited audit company, and the signature must be made on this device.

A qualified electronic signature complies with EU Regulation No. 910/2014 (eIDAS Regulation) for electronic transactions in the EU internal market and can be considered the digital equivalent of a handwritten signature throughout the European market, including the Czech Republic.

Electronic Signatures in E-Learning

Signing Training Certificates

Standard learning management systems (LMS) usually manage users, courses, and the study of these courses. For courses selected by the administrator, these LMSs can issue a certificate or proof of completion if the student successfully completes the course.

For courses dealing with internal company matters, these certificates are legally insignificant and there is no legal reason to sign them electronically, although nothing prevents it.

There are courses that employees in certain positions are required by law to complete, such as occupational safety training, fire protection, first aid, GDPR, AML/CFT, and dozens of other trainings for specific work activities. If employees are trained in these courses via e-learning, it is also possible to sign the training certificate electronically.

As described above, signing a training certificate with a guaranteed electronic signature meets legal requirements and would also successfully resolve any legal disputes. However, in practice, this type of electronic signature is not used for several reasons:

  • The price of a digital certificate for a guaranteed electronic signature for one person per year is in the range of several hundred CZK, depending on the specific qualified certification authority. The price for each annual renewal is similar, making it easy to calculate the annual cost, for example, for all employees who must complete occupational safety training.
  • Digital signing requires technical equipment and skills on the part of the signatory, which usually cannot be ensured for all employees who need to sign a training certificate.

Therefore, there are still employers who handle legally required e-learning training so that the resulting training certificate, which the LMS automatically issues to the employee after successful course completion, is printed, signed by hand, and the signed document is delivered to the company's paper archive for storage. This process is also administratively and financially quite demanding.

An increasing number of companies therefore use a simple electronic signature for signing training certificates, and there is broad consensus that this is sufficient. This consensus is confirmed by existing general court decisions (e.g., the decision of the Prague Municipal Court in 2024) and opinions (e.g., the opinion of SÚIP), which indicate that a simple electronic signature can be legally binding provided it can be proven who the signatory was, that they intended to sign the document, and that they were familiar with the specific information and their knowledge was verified.

Usually, this is handled in e-learning so that the relevant e-course includes a knowledge e-test; the electronic training certificate, which is automatically generated by the LMS, lists the course content guarantor and the specific information contained in the course. The signatory then signs with a simple electronic signature, with possible enhancements beyond the definition of a simple electronic signature, as described in the chapter Simple Electronic Signature.

Signature Solutions in the iTutor Platform

At Kontis, we have been developing e-learning systems for the corporate sector for over 25 years, and during that time we have gained a lot of experience with signing training certificates in hundreds of companies operating in various fields such as finance, energy, transport, manufacturing, telco, commerce, healthcare, etc. For example, in the field of transport, our system is used by České dráhy and Železnice Slovenskej Republiky for mandatory training of tens of thousands of employees in professions according to the Railway Act, training their employees in hundreds of specially developed e-courses.

The iTutor platform covers more than the functionality of a standard LMS, which includes issuing e-certificates and their possible e-signing.

The iTutor platform has a number of add-on modules covering areas such as performance management, talent management, and collaboration. To meet the requirements for electronic signing not only of course certificates but also in the other areas mentioned, the iTutor Signature module is implemented in the iTutor platform. It also supports all the higher types of electronic signatures described in the article, which meet legal requirements for signing employment contracts. In iTutor these can be used, for example, in the onboarding process or for signing any other company documents and contracts.

Because iTutor Signature supports digital signatures, any type of electronic signature can be used for signing training completion documents:

  • qualified electronic signature; however, due to high costs, it is usually not used (see above in the article).
  • recognized electronic signature. Because the company issues the digital certificates itself, the high costs of obtaining digital certificates from a qualified certification authority are eliminated. However, the technical requirements and skills demanded of the signers remain, as does the need to implement a process for issuing the company's own digital certificates to employees, which is usually similar to the process of issuing digital certificates by a certification authority, described in the chapter Digital Certificate and Certification Authority.
  • simple electronic signature, which is most commonly used in practice. iTutor provides technologies here to ensure higher evidential value of signer authenticity, such as 2FA verification of the signer, or embedding the signature not drawn by the signer directly from the course certificate.

Digital Signature

To close the article, here is an explanation of the terminology for those who are not familiar with it in detail. The term electronic signature is used for any electronic signing of an electronic document; the individual methods of such signing are described in the chapter Types of Electronic Signatures.

The term digital signature refers to a technology that allows an electronic document to be signed electronically in such a way that the act cannot be forged, the authenticity of the signatory is guaranteed, and by digitally signing, the content of the signed document is locked; the content can no longer be changed without the change being detectable, which invalidates the digital signature of the document.

The digital signature is based on asymmetric cryptography, the essence of which is that keys always come in pairs, one public and one private. The owner of the private key can use it to encrypt any message or document. The owner of the corresponding public key can decrypt this encrypted message. Hence the name "asymmetric" cryptography: within a particular pair of keys, one can only encrypt with one and only decrypt with the other.

Digital Certificate and Certification Authority

In order to digitally sign an electronic document, I need a digital certificate. A digital certificate is a data file containing my identification data and my public key. The certification authority issues the digital certificate. When issuing the certificate, it verifies that "I am me," for example, using an ID card. It generates a pair of public and private keys, creates an electronic data file containing my identification data and the public key generated for me, and signs this data file with its private key. What it means to sign with a private key will be explained later. This process creates my digital certificate. The certification authority also gives me my private key, which I will use to sign documents. I must not give this to anyone else; otherwise, the person possessing this private key could sign documents as if they were me. The public key of the certification authority, whose counterpart in the form of the authority's private key was used to sign my digital certificate, is publicly known. Therefore, anyone can use this public key to verify my digital certificate. Again, how this is verified will be explained later. This is a simplified description for understanding the principle of a digital certificate, omitting, for example, certificate repositories and trust transfers, which are not relevant for the purposes of this article.

Principle of Document Digital Signature

Signing

If I own a digital certificate, I can use it to sign any document, such as MS Word or PDF documents, emails, etc. The document to be signed can be quite long, e.g., a multi-page contract. Encrypting it with my private key during signing and then decrypting it with the public key during verification would be computationally very demanding, as asymmetric cryptography algorithms are complex. The goal is not to make the document unreadable, but to make it verifiable who signed the document and that the content of the document has not been changed after signing.

From the point of view of a digital signature, each document can be imagined as one "large" number, containing even millions of digits. A so-called hash function is used, which is a mathematically complex function that, for the purposes of this article, can calculate "small" numbers, e.g., with hundreds of digits, from any numbers, even "large" numbers with millions of digits. The term "small" here is used as the opposite of "large"; a number with hundreds of digits is not a small number from an ordinary perspective. For the hash function, it holds that from each "large" number, it calculates such a "small" number (hash) that there is no other number from which the same "small" number (hash) would be calculated by the hash function. In other words, the hash function can make a relatively small number (hash) from each document, which is unique.

Digital signing takes place so that a hash is calculated from the document. This hash is encrypted with the signatory's private key and attached to the document together with the signatory's digital certificate, which contains the signatory's identification and their public key.

Verification

Verification of the signed document is done by calculating the hash from the document to be verified. The attached hash is decrypted using the signatory's public key, which is in the digital certificate attached to the document. If the decrypted hash is the same as the calculated hash, it means that the document has not been changed after signing and was signed by the person listed in the attached digital certificate. If the two hashes do not match, the document was changed after signing, or a different key was used to sign than the one in the attached digital certificate. The signature does not match, and it is therefore not a validly signed document. The digital certificate attached to the document is verified in a similar way.
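The certificate issuance, signing and verification steps described above, as an added example that is not code from the article or from iTutor. It uses textbook RSA on fixed demo primes so that the "encrypt the hash with the private key" step is visible; the function names and keys are assumptions, and real systems use a padded scheme such as RSA-PSS or ECDSA from a vetted library.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy key pairs


def make_key(p, q):
    """Build a textbook-RSA key pair from two primes: (public modulus n, private d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, d


def digest(data: bytes, n: int) -> int:
    """The 'small number': SHA-256 of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    """'Encrypt' the hash with the private key; the result is attached to the data."""
    return pow(digest(data, n), d, n)


def check(data: bytes, signature: int, n: int) -> bool:
    """'Decrypt' the attached hash with the public key and compare with a fresh hash."""
    return pow(signature, E, n) == digest(data, n)


def cert_body(cert: dict) -> bytes:
    """Canonical bytes of the certificate fields the CA signs."""
    fields = {"subject": cert["subject"], "public_key": cert["public_key"]}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, subject_n, ca_n, ca_d):
    """The CA binds an identity to a public key by signing both with its private key."""
    cert = {"subject": subject, "public_key": subject_n}
    cert["ca_signature"] = sign(cert_body(cert), ca_n, ca_d)
    return cert


def verify_signed_document(document, signature, cert, ca_n):
    """Verify the attached certificate first, then the document signature."""
    if not check(cert_body(cert), cert["ca_signature"], ca_n):
        return "certificate not issued by trusted CA"
    if not check(document, signature, cert["public_key"]):
        return "signature invalid: document changed or wrong key"
    return "valid, signed by " + cert["subject"]


# Constructed demo keys built from well-known Mersenne primes.
# Far too small and structured for real use; illustration only.
CA_N, CA_D = make_key(2**107 - 1, 2**61 - 1)
SIGNER_N, SIGNER_D = make_key(2**127 - 1, 2**89 - 1)
```

With SHA-256, finding a second document with the same hash is computationally infeasible, which is what lets the signature over the hash stand in for the whole document.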
