Are documents truly "signed" by DocuSign?
A signature is, ultimately, a legal concept. When you sign a document, you are really producing a legal gun aimed at your own head (so you usually want other people to sign things, not sign them yourself). The value of a signature comes from its legal power, i.e. how much it allows responsibility and blame to be applied to the signer. The cryptographic elements (RSA and so on) are only tools that can help build the technical side of things, but they cannot suffice. Ultimately, there must be some kind of legal framework that defines signatures.
Of course, this will depend on jurisdiction. Nevertheless, countries/states that are currently defining laws for electronic signatures tend to go along the same lines:
A signature is binding as long as it was really signed by the alleged signer. This looks tautological, but it is an important definition: it really says that the signature legal value is not intrinsic to any specific technology. Writing your name at the end of an email is a signature.
What matters is the burden of proof. Legal frameworks will normally segregate systems into two categories: those for which signatures are reputed good, and it is the party who denies having signed who must make all the proofing work; and those for which signatures are reputed worthless unless a positive proof of attribution to the alleged signer is shown. "Name at the end of an email" belongs to the latter category; a positive proof may be simply a witness who saw the signer type the email.
The reference for signatures is handwritten signatures, which are, technically speaking, absolutely terrible. They are hard to validate, and can be faked. Handwritten signatures are still used thanks to a legal framework that severely punishes anybody who denies his own signature. Since handwritten signatures occur in the physical world, the very act of signing (with a pen) leaves a lot of traces (witnesses and so on) so many people ultimately find that repudiating their own signatures is too risky.
A further complication is that legal systems of the "Common Law" tradition tend to rely on jurisprudence to iron out the fine details, so countries like USA and UK will likely have legal frameworks for signatures that boil down to "wait and see" ("see you in court", I mean).
In France (which has a very "Latin" law system that really likes pre-established rigorous definitions, Descartes-style), the legal framework defines systems which are qualifiés, by which they mean that they went through independent audits and an administrative process that has all the simplicity that can be expected from French bureaucracy, to the effect that for these systems, the burden of proof lies on whoever claims that the signature is not binding. The list of the systèmes qualifiés is published and I see no DocuSign there [edit - as of July 21, 2017, DocuSign France is now listed].
DocuSign has a page dedicated to the legality side of things -- which is in fact a lot more important than the technology. In particular, they say this:
While DocuSign has a successful history of providing customers with all the evidence they need to defend their documents against repudiation, DocuSign is available to assist our customers with legal challenges by testifying in court to support the validity of DocuSigned documents.
which implicitly admits that their system tends to be of the "must prove validity" kind, i.e. not the one you would like -- but they claim to have had good results in some courts, and that they will help you. At that point, I'd say that if you want to use DocuSign for making your customers / business partners sign things, you'd better make sure that there are appropriate clauses in your contract that ensure a strong level of help from DocuSign, with insurance and so on. Your lawyer team should be involved.
See https://crypto.stackexchange.com/questions/29501/how-can-cryptographic-signatures-be-somehow-linked-to-a-physical-signature for an outstanding explanation of how DocuSign actually works - including their use of cryptography (or lack thereof). In short, DocuSign basically functions as a 'witness' to attest that someone with access to a particular user's account agreed to the terms of a particular document. Although DocuSign touts the use of cryptography in their marketing materials, cryptography actually does not play an integral role in the actual 'signing' process.
1: You encrypt it with your public key, and you decrypt it with your private key. You sign with your private key which is verified with your public key. NOTE: Never send your private key anywhere!
I see no way to get DS's public key, which makes no sense. There's no reason to hide these.
2: It doesn't require verification of the signer's identity. DocuSign's page at https://www.docusign.com/how-it-works/security#enforceability sounds strong, but a knowledgeable attorney would destroy it in short order. Specifically, they claim "court-admissible" non-repudiation for: signing parties' names, digital signatures, email addresses, public IP addresses, signing location (if provided), chain of custody (sent, viewed, signed, etc.), and timestamps. The problem is, all of these can easily be spoofed with the exception of timestamps, which without the rest are worthless.
3: You are right. Notice they don't validate your identity, nor sign your key. They don't use your public key nor allow you to sign with your private key. It's all theirs apparently, which isn't any good.
4: I don't like that either. I refuse to allow my written signature to be attached to an insecure email.
You really are on top of this. It's a bit of a sham for people who don't know better. Is it legitimate? It's a legitimate business, performing what seems to be high-quality digital signature services. Granted, it's much better than those solutions that rely on a graphical signature only. It IS a step in the right direction. But there's a lot to be wary of, and I hope they fix it soon (unlikely).
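The answer above makes two technical points: you sign with your private key and anyone verifies with your public key (the reverse of encryption), and a signature made with the service's own key proves only that the service attested something, not that the user did. The following Python block is an added illustration and not code from any answerer or from DocuSign; it uses textbook RSA with small, constructed primes (no padding, not secure, chosen only so it runs offline with the standard library), and the "signer" / "service" key labels and the sample document text are hypothetical.

```python
import hashlib

# Added illustration: textbook RSA with small, fixed primes so it runs offline.
# These toy keys are constructed for the example; real keys are 2048+ bits and
# use padding (PSS / OAEP). Nothing here is DocuSign's actual implementation.

def keygen(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)

def encrypt(m: int, public_key) -> int:
    """Anyone can encrypt to the key holder using the PUBLIC key (m < n)."""
    n, e = public_key
    return pow(m, e, n)

def decrypt(c: int, private_key) -> int:
    """Only the PRIVATE key holder can decrypt."""
    n, d = private_key
    return pow(c, d, n)

def _digest(message: bytes, n: int) -> int:
    # Hash the document and reduce into the modulus range (toy; no padding).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Signing uses the PRIVATE key: only its holder can produce this value."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification uses the PUBLIC key, so anyone can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def who_signed(message: bytes, signature: int, public_keys: dict):
    """Return the label of the public key under which the signature verifies,
    or None if no known key verifies it (tampered document or unknown key)."""
    for label, pub in public_keys.items():
        if verify(message, signature, pub):
            return label
    return None

# Constructed toy key pairs: one held by the signer, one held by a signing service.
SIGNER_PUB, SIGNER_PRIV = keygen(1000000007, 998244353)
SERVICE_PUB, SERVICE_PRIV = keygen(999999937, 999999929)
DIRECTORY = {"signer": SIGNER_PUB, "service": SERVICE_PUB}

# Constructed sample document (hypothetical contract text).
DOCUMENT = b"I agree to the terms of contract #42 (constructed sample)"

if __name__ == "__main__":
    sig_by_signer = sign(DOCUMENT, SIGNER_PRIV)
    sig_by_service = sign(DOCUMENT, SERVICE_PRIV)
    # A signature only ever proves possession of the private key that made it.
    print("signer's own key:", who_signed(DOCUMENT, sig_by_signer, DIRECTORY))
    print("service's key:   ", who_signed(DOCUMENT, sig_by_service, DIRECTORY))
    print("tampered doc:    ", who_signed(DOCUMENT + b"!", sig_by_signer, DIRECTORY))
```

The `who_signed` lookup is the point that matters for the discussion: if the only private key ever involved belongs to the service, every verification resolves to "service", so the cryptography attests that the service saw the document, and attributing it to a particular person remains a matter of the service's account records and the legal framework described in the first answer.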