Yes, making a mill for supposedly trusted third parties, over having an actual trusted third party, is a more open way.
Edit: I suppose in all except the free self hosted one, OpenSign would be the trusted third party, which I guess is more plausible. Unless the paid customers are given something close to root to administrate them. Still, a trusted third party is generally based on recognition. Even if I really dislike a company I eventually acknowledge they're trusted if it lasts long enough, like with ID.me. I didn't use ID.me until it was required for logging into the IRS and now I grudgingly admit that I think it's an extra security check on logging in. So until you're big like DocuSign I wouldn't view you in quite the same way as a trusted third party.
That does bring a question, are your paid customers prevented from going under the hood in such a way that they would also have to be trusted at such a level along with OpenSign?
--
This to say I'm open to using OpenSign, because there are plenty of uses where I would be open to using something that doesn't have this "trusted third party at the level of DocuSign" feature. The "digital notary public" analogy is apt. I sometimes sign documents with a notary, and other times without.
Great insights. The hosted version functions in a more or less same way as DocuSign with an added advantage of knowing what the code is doing under the hood. We dont intend to provide root/admin privileges as its going to be a multi-tenant system at the end of the day.
Ah, I see. A multi-tenant system makes sense, I was thinking it might be closer to managed hosting. With managed often people have root or close to it. Just make sure people understand that it’s a multi-tenant system where the customers don’t have access to do anything which would make it less secure, unless they’re using the self-hosted version. And when you grow, maybe there will be an enterprise self-hosted and/or managed hosting version where the customer needs to be trusted to provide security. That would be appropriate with some potential customers.
So that leaves the challenge of becoming a well known trusted third party, which is a challenge but doable.
Edit: I suppose in all except the free self hosted one, OpenSign would be the trusted third party, which I guess is more plausible. Unless the paid customers are given something close to root to administrate them. Still, a trusted third party is generally based on recognition. Even if I really dislike a company I eventually acknowledge they're trusted if it lasts long enough, like with ID.me. I didn't use ID.me until it was required for logging into the IRS and now I grudgingly admit that I think it's an extra security check on logging in. So until you're big like DocuSign I wouldn't view you in quite the same way as a trusted third party.
That does bring a question, are your paid customers prevented from going under the hood in such a way that they would also have to be trusted at such a level along with OpenSign?
--
This to say I'm open to using OpenSign, because there are plenty of uses where I would be open to using something that doesn't have this "trusted third party at the level of DocuSign" feature. The "digital notary public" analogy is apt. I sometimes sign documents with a notary, and other times without.