Here’s to hoping this doesn’t fall under ‘basic’ or ‘fundamental’ questions.
From my understanding of PKI, asymetric encryption, and the fact that COMODO gives out free certs for securing e-mails, I’m having a counter-intuitive moment with the services like DocuSign.
A subscriber can (and likely) get their own e-mail cert, signed by them and DocuSign as the CA which (presumably, didn’t verify this) is a trusted root CA.
Then a document is sent, to somebody, with a link, to retrieve the doc and ‘digitally sign’ it, adding some signature-make-believe font on the document, though I presume people aren’t paying DocuSign just for some scribbles, so the document has to be digitally signed somehow.
Wouldn’t that then necessitate DocuSign to issue the signer, let’s say it’s me in this case, my own e-mail cert, so I can sign it with my personal key to prove that yes it’s me who’s signing the doc and not someone else who has the public key of DocuSign’s customer who sent the doc?
Wouldn’t the issuance of said certificate requires some sort of validation that I am I who I claim to be? Letsencrypt verifies that the requester owns the domain. CAs offer various tiers of identity validation before they put their own signature on the cert ‘vouching’ for said individual/org. But in the case of DocuSign, I see no verification whatsoever.
So how is the service ensuring that I am who I claim to be and that the documents are admissible in court without issuing a cert to me that also requires validating my identity?
And while at it, I’m considering using a Yubikey to store said cert when I have one, I read about the cert slots that can be used to store X509 certs in there. Say I get one of those free Comodo e-mail cert that expires in a year, I guess I can then get a new cert and overwrite the stored cert on Yubikey? Or not? Or getting a free e-mail/identity cert isn’t worth it? Of course the usage I have in mind is when I need to digitally sign documents that weren’t sent over DocuSign, or personal matters that aren’t worth the subscription to DocuSign but need some identity validation.