Slashdot Mirror
Congress Moving On E-Signatures
Silas writes: "Well folks, Congress is moving along with attempts to make digital signatures legally binding for online transactions, public and private." Many pros and cons if this goes through, but I'm definitely looking forward to reducing my mail.
The article tells us that the senate is moving for digital signatures that are as legally binding as a pen and paper signature. Does that mean that current internet documents that are "digitally signed + legally binding" are, in fact, NOT legally binding? (Case in point: the Napster-getting-unbanned-by-Metallica declaration?)
Does this mean that, in it's current state, a legally-binding, digitally-signed document does NOT exist?
.- CitizenC (User Info)
1) Create a key in PGP or GPG.
2) Put the public key on a floppy and take it down to the Post office.
3) Show them your passport or your drivers license and Social Security card and give them the floppy and $5.
4) They put it on their LDAP keyserver, accessable at ldap.usps.gov.
5) Anyone wanting to authenticate your identity would check there.
You could offer some really neat features in a system like this, such as the possibility of creating arbitrairly anonymous keys for use in handle based fora or Hotmail accounts. If your key is compromised, you'd just go to the Post Office and issue a cancel certificate. Ideally there'd be limitations of liability similar to what you get with credit cards if you issue a cancel certificate in a timely fashion after discovering your keys have been potentially compromised. Especially since most computers on the net are insecure.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Keep in mind that, even with current 'legaly binding' signatures, you can potentialy always go to court and say "I diddnt sign that".
Because of this, important contracts require a witness (who could also potentialy say "I diddnt see him sign that, and someone forged my name too!"), and realy important contracts need to be signed and notarized by something like a Notary Public, a Comissioner of Oathes, or even a judge.
When I say "require" I dont mean "legaly necessary" but "expected" and/or "required" by the other entity involved in the contract to do business with you. IANAL (and working on lay Canadians idea of the law (but this is all prety basic, and basied on English Common Law anyway)) but since there is always the "I diddnt do it" escape, important contracts will always require a third party.
This is one of those areas of the law where all we need is a standard to agree upon, and it doesn't matter too much what exactly that standard is. It's no more oppressive than having governments regulate what gauge the railroads use.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Keep up the good work, guys...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
- It's all over if a cracker takes my private key! Well, would he/she not still need a passphrase? Just make sure passwords are not cached (this, I admit, is the weak link). Also, you can issue revocation certificates; even if someone else knows the passphrase and has your key, they cannot revoke a revocation certificate.
- Then the government/corporation/slashdot-satan-for-today will know who I am! Yes, just like with your handwritten signature on any official document, esp. those requiring notarization.
- My encrypted stuff can be cracked! This takes an immense amount of computer power, and most people are simply not that important. How would you encrypt things at all without computer cryptography? You could be like Richard Feynman, and create codes with your spouse to send encrypted hand-written love letters, but I personally don't have the time or mischievious inclination for that.
- When I get a signed email from some beautiful celebrity who wants to go out with me, how do I know it's her? That's why all public keys that matter are themselves signed by authentication services, like VeriSign. For personal keys, use these services or maybe the notaries at your local banks will catch on to another money-making opportunity.
Any disagreements? Am I missing any critical factors?*** Proven iconoclast, aspiring epicurean ***
Let's face it -- 99% of the populace, whether they use Windows (and I'm sure Microsoft will be so kind as to provide a VBScript hook for signing documents or at least publishing private keys, so that virus writers will have a new source of fun), or whether they use Linux (how many desktop-role Linux boxen do you know of that you would consider 100% secure?) is operating insecurely. And that insecurity is going to spell trouble if digital signatures are legally binding, because it opens up a whole new class of forgeries.
:)
*I* would not consider *any* box, regardless of operating system, platform, etc., to be 100% secure. The main issue with security, aside from the fact that -any- security system can be cracked, has to do with the loose nut behind the mouse. Sorry, but when a security system relies on human intervention, well, humans just aren't very secure.
Yes, a written signature requires human intervention, but there is certainly less vulnerable than password-based security. With digital signatures, anyone who can physically access your private key, which usually means anyone who can get into your box (i.e., type yoru login and password in somewhere), can get to your digital signature. At least with written signatures, your actual human presence is required (excluding of course forgeries which are another matter entirely, that's why for certain legal documents we require them to be notarized or otherwise certified by a third party).
My journal has hot
. . . these electronic signature laws are wildly overhyped.
There is a vast amount of authority (citations available upon request) strongly suggesting that legal formalities for a signed writing (the so-called statute of frauds) are satisfied by an electronic communication annotated or logically associated with a character or characters manifesting an intent to authenticate (legally, not technically).
In other words, the e-mail:
"Dear bill.
I will buy 1000 Model K frobozinators at $600 per frobozinator to be delivered FOB Tampa no later than thursday. Terms: 2% 10/net 30.
Love, Maria"
would very likely be enforceable under the common law and the UCC -- even if no encryption or other technical encryption was used. Requirements for signature under the common law are amazingly lax. An X, a fold or tear made in the paper, another's name, a shaving on a cow or even a footprint can constitute a signature.
The reason for an e-commerce statute is to make any question clear beyond cavil, so to clear the way for lawyers to permit BIG deals to be done without a signed writing. Imagine a few dozen lawyers at a $100M closing. The boss for the buyer smiles and signs "Minnie Mouse," or an "X," citing the case law suggesting that the signature is binding. Maybe so, you would say if you represented the other side, you would nevertheless ask a literate counterpart on the other side to sign the document "properly."
Its about eggs in baskets. The law should get out of the way of the technology used for signatures, and ratify any actual manifestation of an intent to sign. (electronic documents raise interesting proof issues, but so do traditional physical documents) The risk of misauthentication and the like is a different question to be decided by those who would USE the signature technology, not by those who enforce the agreements into which the parties otherwise clearly entered.
Making digital signatures legally binding scares the shit out of me.
Let's face it -- 99% of the populace, whether they use Windows (and I'm sure Microsoft will be so kind as to provide a VBScript hook for signing documents or at least publishing private keys, so that virus writers will have a new source of fun), or whether they use Linux (how many desktop-role Linux boxen do you know of that you would consider 100% secure?) is operating insecurely. And that insecurity is going to spell trouble if digital signatures are legally binding, because it opens up a whole new class of forgeries.
Let's pretend, for a moment, that most programmers are good at implementing cryptography and would never, ever write a program that allowed a key to be compromised by its use. (Hell, I don't trust any programs I write with my private keys.) Even if you've got good cryptography software, where you store your keys is probably going to be compromisable by an enterprising cracker.
Before anyone even considers making digital signatures legally binding, how about requiring this binding to only take effect if the document was signed by an approved smart card? Make it a parameter of the signature, and make it illegal to write software or create unapproved smart cards that set that parameter.
Please digitally sign here in order to install the software that you have already opened and can no longer return. Oh, this means you have already read the 50 pages of draconian fine print with your lawyer present.
Craig
When you listen to PKI companies give their shtick about how wonderful PKI is and how it will save the universe, apply some simple common sense.
1. Who holds your private key (besides you)? - If you use the VeriSign solution for digital certs (the one where they manage the CA for you), in addition to your users having their keys, so does VeriSign. If you roll your own, your users have their private keys, and probably also the administrator who gen'd it for them (for when the user accidently deletes their keys). How will users store their private keys? On their hard drives? Poor security, easily obtained by a ruthless 3rd party. Floppy? Unreliable medium, more susceptible to theft. Smart Card? Susceptible to theft.
2. Remember when 128 bit keys was way too big to be factored? I do, and I'm all of 28 years old. Even with using 1024 bit keys, it's only a matter of a couple of years before many keys are useless. For the uninitiated, I've got your public key, and can find the prime factorization for a number that is your public key and your private key (for all intents and purposes, it's a bit more involved, but not THAT much more). If I compromise your private key in this way, you have no knowledge that I've done so (unless I'm a big moron about doing it), and I can freely digitally sign documents as if I were you. The signatures will even validate properly. Fun, huh? Maybe I'll buy some stuff over the net with your keys, and have it drop-shipped to a Mailboxes, etc. or some other such place.
3. Complexity of the system - I don't know about everyone else, but my mother barely grasps the concepts behind sending email and pulling up a web page. How's she ever going to understand the how and why it's not only safe, but legally binding to use PKI technologies to enter into agreements?
--
The unsig!
What I don't even see mentioned in the article is the verification process used to insure that the keyholder really is the person they claim to be.
Anyone can create a key claiming to be someone else - the only way you know that the key really does represent the person it claims to be representing is if: a) the person gave you their public key in person, or b) there is an authority that "signs" the key, confirming that it is in fact from that person.
Now, this is really no differant than the way things are today - anyone can sign a check as "Bill Gates," this is why Notaries exist. Are we going to extend the Notary system to have them sign public keys as well?
All operating systems suck. Some just suck less than others. (and some are virtual black holes)
Is that feasible? Technically? Legally?
Want to work at Transmeta? MicronPC? Hedgefund.net? AT&T?
Can your IM do this?