If the idea is that the third party can be confident that end user A has indeed signed the document, then the end result could be something that:
- identifies that end user (e.g. email address) and the date they signed
- identifies the document they signed (e.g. via its checksum)
e.g.: a JWT like this, signed (overloaded terminology) with your private key:
```json
{
  "signedOn": "1994-11-05T08:15:30-05:00",
  "documentChecksum": "53e5dac0551205ea"
}
```
You could then safely (say) email the JWT to the third party, who can verify it against your public key. They can then be confident the user has signed the document.
Notes
0: you might also encrypt the JWT if you want to protect from someone eavesdropping on the third party's email
1: checksum is not ideal for this purpose, perhaps the entire document content should be used instead
2: perhaps you also actually need the user's digital signature, e.g. a png of their chicken scratchings, that could be added to the JWT as well
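
The issue-and-verify flow described in this answer, as an added example that is not part of the original post. It uses Node's built-in `crypto` module; the Ed25519 key type, the `signer` and `documentSha256` claim names, and the sample values are assumptions, and a SHA-256 digest over the full document content stands in for the short checksum.

```javascript
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const sha256Hex = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Issuer side: sign a compact JWT attesting that `signer` signed `document`.
function issueAttestation(privateKey, signer, signedOn, document) {
  const header = { alg: 'EdDSA', typ: 'JWT' };
  // Claim names are assumptions; the digest covers the entire document content.
  const payload = { signer, signedOn, documentSha256: sha256Hex(document) };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64u(sig)}`;
}

// Third-party side: returns the claims if the token is authentic and
// refers to exactly this document, otherwise null.
function verifyAttestation(publicKey, token, document) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm on the verifier; never let the token choose it.
  if (header?.alg !== 'EdDSA') return null;
  const ok = crypto.verify(null, Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!ok) return null;
  // A valid signature over the wrong document must still be rejected.
  return payload?.documentSha256 === sha256Hex(document) ? payload : null;
}

// Constructed sample data: throwaway key pair, made-up document and signer.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const doc = Buffer.from('Constructed sample contract text, v1');
const token = issueAttestation(privateKey, 'user-a@example.com',
  '1994-11-05T08:15:30-05:00', doc);
console.log(verifyAttestation(publicKey, token, doc));                     // claims object
console.log(verifyAttestation(publicKey, token, Buffer.from('tampered'))); // null
```

The third party needs the issuer's public key through a channel they already trust; a key delivered alongside the token proves nothing.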