EngineeringID Staff
Your Seal Image Is Already Public. Act Accordingly.
Treating your seal graphic as a secret is a category error. The property that matters is not whether someone can copy it — they can — but whether a reviewer can tell your seal from a copy.
In most jurisdictions, drawings sealed and submitted to a building department become part of a record the public can request. Your seal image — name, license number, discipline, state, the whole rendered thing — went out the door the first time you stamped a set, and it has been retrievable ever since.
This is not a leak. It is the design. Sealing is a public act of attestation, and the records that carry it are public in most jurisdictions. The seal is meant to be seen. It is how a plan reviewer, a contractor, or a homeowner three owners from now identifies who took responsible charge of the work.
Which makes the way most licensees treat the seal file — emailed only to trusted staff, buried in a folder nobody else can open, occasionally watermarked "DO NOT DISTRIBUTE" — a category error. You are guarding the one artifact whose entire purpose is distribution.
Secrecy was never the security property
What is a seal supposed to prove? Not "this image is hard to obtain." It proves that a specific licensed professional took responsible charge of a specific document.
That claim has two operands: a person and a document. A seal image carries one of them, weakly. It says something about who, and nothing about which document it belongs on. Copy the image onto a different set of drawings and it makes the same visual claim just as convincingly. Nothing about the pixels resists that.
Boards have always known this, which is why the seal never stood alone. The reason both the stamp and the signature are required is that the signature is the part meant to be personally applied and hard to reproduce. The stamp identifies. The signature commits. If you have been treating the two as a decorative pair, you have been carrying the wrong mental model of your own liability.
So: your seal image has always been copyable, and the profession has always relied on something else to catch the copies. The argument worth having is about what that something else should be now.
The graphic is not the credential
Seal graphics are, by regulation, constrained and predictable. Colorado specifies a circular seal between 1.5 and 2 inches under Colo. Rev. Stat. § 12-25-217. Ohio specifies the same circular form and size range under Ohio Rev. Code § 4733.14. California fixes a 1.5-inch diameter under Cal. Code Regs. tit. 16, § 411; New York specifies 1.75 inches under 8 NYCRR § 68.13; Texas allows 1.5 to 2 inches under 22 TAC § 137.31. Across all 51 US jurisdictions there are only ten distinct diameter specifications.
A regulator has published the exact dimensions, the required text fields, and often the layout. Washington's board specification for professional stamps and seals is typical: it spells out that the stamp must carry "State of Washington", the professional title, the license number, and the name exactly as it appears on the wall certificate — a complete description of the artifact, published for anyone to read. The state-by-state seal requirements are public precisely so licensees can comply with them. Anyone holding your name, license number, and state can reconstruct a compliant seal graphic in an afternoon — and the license lookup systems every board operates hand out exactly those three fields to anyone who searches. That is a feature. Public verification is how a client confirms you are current before hiring you.
You cannot want a public license registry, public permit records, and a regulator-published seal specification — all of which the profession correctly wants — and also want the resulting graphic to be secret. The profession already picked, decades ago.
Our own product reflects that. Generating a board-compliant stamp file is a formatting problem, not a security problem, which is why the stamp preview tool requires no signup. Reproducing the graphic was never the hard part for anyone. Pretending otherwise would be theater.
What a reviewer is actually trying to do
Put yourself on the other side of the submission. A plan reviewer opens a PDF with a seal on sheet after sheet. What is the available move?
Visually, almost nothing. They can check that the seal matches the right form for their state, that the license number is well-formed, that renewal information is consistent. They can look the number up in the registry the licensing board runs — the Texas Board of Professional Engineers and Land Surveyors, say — and confirm the license is active — worth doing, and why we run a public license lookup alongside the directory. But every one of those checks passes just as cleanly for a stolen seal as for a legitimate one, because every input to them is public. That is the same gap that makes seal-based document fraud hard to catch by eye.
The reviewer's real question is unanswerable from the image: did this licensee apply this seal to this document? That gap grows, not shrinks, as submittal workflows go fully electronic. A wet seal at least required physical proximity to the paper. When the deliverable is a PDF, the room disappears, and if the only integrity mechanism is an image, there is no integrity mechanism.
Cryptographic signatures answer the question the image can't
A digital signature does not sign a picture. It computes a cryptographic hash — a fixed-length fingerprint — of the document's actual bytes, then encrypts that fingerprint with a private key only the signer holds. The result rides along inside the PDF with a certificate identifying the key's holder.
Verification runs it backward. The verifier recomputes the hash of the document in front of them, decrypts the attached signature with the signer's public key, and compares. Two things must hold: the document must be byte-identical to what was signed, and the signature must have come from that specific private key. The full walkthrough of that machinery is now a professional competency, not an IT topic.
Run the attack. Someone lifts your seal graphic from a permit record, drops it onto their own drawings, submits. The image is pixel-perfect. The license number is correct. It fails verification instantly, because they cannot produce a signature over their document using your private key. The forgery is not caught by noticing something looks off. It is caught arithmetically.
Flip it. Someone takes a set you legitimately sealed and edits one dimension, one note, one detail. The bytes change, the recomputed hash no longer matches, the signature breaks. This is the distinction between an electronic signature and a digital one, and it is not pedantry — one is a picture of a commitment, the other is a verifiable commitment.
The seal image, in that world, becomes what it always should have been: the human-readable label on a machine-verifiable claim. It tells the reviewer who to look for. The signature proves it.
The strongest objection, and why it doesn't hold
The serious counter-argument is this: verification only helps if someone verifies. If a reviewer prints your sealed PDF, or flattens it, or opens it in a viewer that ignores signatures, the cryptography evaporates and all that survives is the picture. Plenty of jurisdictions still receive submissions that way. Demanding verifiability can sound like demanding a lock on a door nobody closes.
Correct about today. Wrong about what follows.
It does not rehabilitate secrecy. Even where nobody checks a signature, hoarding your seal image buys you nothing, because the copy an attacker uses came from a public permit file, not from your hard drive. The failure of verification to be universal is an argument for nothing, because there is no alternative on offer.
The asymmetry also runs in your favor. Disputes are when this matters, not routine review — and in a dispute the signature is either there to be checked or it is not. A licensee who signed cryptographically can demonstrate, years later, exactly which bytes they committed to. A licensee who only pasted an image is reduced to asserting their own memory against someone else's. You are not signing for the reviewer who might not check. You are signing for the deposition where someone definitely will.
And the direction is one-way. All 51 US jurisdictions now permit digital or electronic seals in some form; Colorado, Ohio, California, New York, and Texas all allow them under the provisions cited above. Regulators did not authorize electronic sealing because they wanted prettier images. Compared on the integrity axis, electronic and wet sealing are no longer close.
Assume compromise, and design for it
Security engineering has a mature answer for assets that cannot be kept secret: stop trying, and move the secret. Your house number is public; your key is not. Your account number is printed on every check; your password is not.
Apply it. Public: your name, license number, discipline, jurisdiction, seal graphic, and every document you have ever sealed into a public record. Secret: your signing key, and nothing else.
That reframing changes practice in three concrete ways.
- Stop treating seal-file distribution as a security control. Emailing your seal PNG to a drafter is not a breach, because the graphic was never the boundary. Emailing your signing key or its passphrase absolutely is.
- Stop letting anyone else apply your seal on your behalf. This was always the real exposure. Delegated sealing is a problem regardless of technology, and a cryptographic signature makes it worse in a useful way: whatever gets signed with your key is unambiguously attributed to you.
- Start asking what the recipient can verify. When a client or agency requests a sealed PDF, ask whether they check signatures. The answer tells you how much of your protection survives the handoff, and enough licensees asking will move agency workflows faster than complaining will.
The transition is smaller than it sounds. Placing a seal on PDF drawings and cryptographically signing the result are one operation in a properly built workflow — you are not adding a step, you are adding a property to the step you already take. State-specific formatting is handled for you: a Texas stamp generator or an Ohio one encodes that jurisdiction's dimensional and content rules so you are not re-reading the regulation each time you cross a state line. If you seal in several jurisdictions, the same logic applies upstream of the graphic: NCEES's Records program keeps transcripts, exam results, employment verification and references in one place so comity licensure in a new state does not mean assembling the packet again from scratch.
What "verifiable" should mean when you buy it
If you are evaluating how to seal electronically, do not lead with "does it make a nice stamp." Everything makes a nice stamp. The stamp is the easy part, and the dimensional specs are published. Lead with these:
- Is the signature bound to the document bytes, or to a row in someone's database? A hash over the actual file is what makes tampering detectable. A log entry saying "user X sealed document Y" proves nothing about the PDF in the reviewer's hands.
- Can a third party verify without an account? If verification requires the reviewer to sign up for something, most reviewers will not verify. Independent checkability is the whole point.
- Who holds the private key, and can you demonstrate it? If you cannot answer that, you cannot say what a signature bearing your name actually attests to.
- Does the sealed output remain a normal PDF? Standards-based signatures are readable by ordinary viewers. Proprietary containers strand your deliverable inside one vendor's software — a business risk wearing a security feature's clothes.
Those criteria hold across disciplines. The mechanism does not care whether the credential behind it is a PE seal, an architect's seal, or a land surveyor's seal — the professions differ in scope and statute, not in what makes an electronic attestation trustworthy.
Do this before your next submittal
Pull a permit record. Not hypothetically — open the portal of a jurisdiction you have submitted to and retrieve a set you sealed. Look at your own seal at whatever resolution the agency stored it. That is the copy an impersonator would start from, and you just obtained it without asking anyone's permission.
Then ask what a stranger could check about that drawing beyond the picture. If the honest answer is "nothing," you now know the size of your exposure, and it has nothing to do with how carefully you store a file on your laptop.
The fix is not tighter custody of a graphic that left your control years ago. It is making sure everything you seal from here carries a proof a copy cannot carry — and telling the people who receive your work that the proof is there and how to check it. The image is public. Let it be. Make the binding private, and make it verifiable.