Proposed Law: Electronic Signatures == Pen and Ink
Salgak1
wrote in to send us a Washington Times article
about Rep. Tom Bliley (R-VA) introducing a bill to make an
electronic signature legally equivalent to one done on
paper. Here is The Bill.
Seems Sen. Abraham (R-Mich) introduced a similar
bill in the Senate. (Full Text)
Hand-written signatures have the advantage of
being a biometric measure: You can't steal
someone's handwriting. (You can fake it, but that
is something different from stealing it.)
But I can get someone's PGP key, or someone could
allow me access to his/her key for convenience
(so I can sign things for him/her). Thus,
I don't think a judge would be convinced
that a letter signed by a digital signature
must have been written by the person owning
the signature or the key with which the signature
has been made.
If I post my private PGP key on Usenet, I have
effectively taken any legal binding from my
digital signatures. Something that I can't do
with my real-world signature.
Therefore, for some things these digital signatures just won't work. For other
applications, they are already working,
because parties have agreed to accept them
as a means of authentication, and having
them "stolen" is negligence, making the
negligent party accountable for the damages.
Another interesting point is that you can't have
key escrow with those keys. (Sometimes, you just have to prove things, and not just rely on the honesty of the NSA.)
And having strong signatures, you can effectively
use this to create strong encryption (a process
called "chaffing" IIRC).
Thus, a law that makes digital signatures legally
binding automatically allows everyone to own
strong encryption software.
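The "chaffing" mentioned in the comment above is Rivest's chaffing and winnowing. The following is an added example, not part of the original comments; it assumes a shared HMAC-SHA256 key as the authenticator (Rivest's description uses message authentication codes rather than public-key signatures), and the function names and packet layout are hypothetical.

```python
import hashlib
import hmac
import secrets

def tag(key: bytes, serial: int, bit: int) -> bytes:
    """Authenticator over (serial, bit); HMAC-SHA256 is this example's assumption."""
    return hmac.new(key, f"{serial}:{bit}".encode(), hashlib.sha256).digest()

def add_chaff(key: bytes, message: bytes) -> list:
    """Send every bit in the clear twice: once with a valid tag (wheat) and
    once complemented with a random tag (chaff), in random order."""
    packets = []
    for serial in range(len(message) * 8):
        bit = (message[serial // 8] >> (7 - serial % 8)) & 1
        pair = [(serial, bit, tag(key, serial, bit)),
                (serial, 1 - bit, secrets.token_bytes(32))]
        if secrets.randbelow(2):
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key: bytes, packets: list) -> bytes:
    """Keep only packets whose tag verifies, then reassemble the bits."""
    bits = {}
    for serial, bit, t in packets:
        if hmac.compare_digest(t, tag(key, serial, bit)):
            bits[serial] = bit
    out = bytearray()
    for start in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for s in range(start, start + 8):
            byte = (byte << 1) | bits[s]
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)                   # constructed shared secret
    stream = add_chaff(key, b"sell Blackacre")      # constructed sample message
    print(winnow(key, stream))                      # receiver holding the key
    print(winnow(secrets.token_bytes(32), stream))  # observer without the key
```

Nothing in the stream is encrypted: an observer sees both bit values for every serial number, and only a holder of the key can tell which packet of each pair is authentic.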
Think of a school ID, a driver's license and a passport. They're all photo ID's, but with different requirements for obtaining one. As a result, they provide differing levels of authentication and authorization.
In recent years, many states have been addressing Digital and Electronic signatures; and there are solid legal arguments that a digital signature would be legally enforceable even in the absence of such legislation.
Florida's, for example, is among the clearest and most consistent with the common law, defining a "writing" to include "information which is created or stored in any electronic medium and is retrievable in perceptible form," an "electronic signature" to mean "any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with intent to authenticate a writing," and further providing that a writing is electronically signed if an electronic signature is logically associated with the writing.
With those definitions, it provides simply that "Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature."
Other states, such as Utah and Washington, have required that to receive the benefit of the statute, the signature must be made by use of asymmetric encryption, with varying definitions and limitations.
Accordingly, this bill isn't really all that new. However, the definition of a signature is one of those things that has been traditionally determined by state law -- it may be unclear whether a Federal law purporting to preempt State law in this regard would be unconstitutional.
Various folks have written, expressing concern that permitting electronic signatures would be too easily forged or spoofed. There are several responses to this:
(1) At common law, the typing of your initials at the end of an e-mail with intent to authenticate is probably a signature anyway (mileage may vary state to state);
(2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another? In comparison, digital signatures are checksummed to the documents they sign, and are very difficult to forge without human engineering;
(3) In practice, disputes over signatures are not really ever resolved by comparing testimony of signature experts (except in extraordinary cases). The two experts cancel each other out trivially, and the jury judges based upon the demeanor of the parties and the overall circumstances of the transaction. In a recent case, where a party denied signing a written agreement to sell some goods, the other side simply asked on the stand whether he routinely sent goods of the type to the other side -- "no"; whether he did after the date of the disputed document -- "yes"; whether he did in accordance with the schedule set forth in the disputed document -- "yes." It was all over, notwithstanding the conflicting expert testimony. (Ironically, the argument was that the signature was "too good," too close to a specimen the other party was known to have and therefore copied. Yeah, right.)
The real deal is this: signatures are not there (for legal reasons) for the purpose of authentication -- they are a mechanism to formally "close" a deal, to distinguish those deals that aren't done from those that are, and in some cases to seal certain types of agreements that require a signed writing.
The authentication purposes are an issue of "risk management," not legal effectiveness. The law only raises the question of whether the act, if it took place, was legally effective to seal the deal, and not whether the act took place.
On the other hand, a businessperson might want to be able to prove a signature was real more readily than usual. This is why when a multi-zillion dollar deal is being closed, a lawyer will not accept from the other side to sign "Minnie Mouse," or "X" (if literate), even though doing so is legally effective for any statute of frauds purposes. Likewise, I would never accept for a meaningful transaction an e-mail stating:
"Yeah, I accept your offer to sell Blackacre for 100,000 lucre. Sure.
Love, Mandy."
Even though it would be enforceable under Florida law for the purpose of the statute of frauds.
It's all about eggs in baskets. How much comfort do you need, and how much certainty do you want to avoid being spoofed? If you make it a personal policy never to sign electronic signatures, it will be hard for the other side to prove that you actually did when you didn't, no matter how good the forgery. On the other hand, if you do, make sure you do a good job of making it difficult for others to forge or spoof you.
Agreed that certification authorities are an important part of making use of signatures safe and commercially sensible. Disagreed in the strongest terms that they are necessary for the law to give effect to an instrument.
In my view, the less the law tells us about how we do business, the better. Leave it to the marketplace to decide what technology and form of signature they want to use. Whether they rely on EDI agreements, e-mail typewritten messages or elaborate cryptographical structure using state-authorized or state-licensed "trusted parties," should be decided by those doing the signing, not those pretending to be high-tech-aware and make some press in Washington.
The law SHOULD make clear that electronic signatures should be used and useful, just so folks don't feel they need to see a case before using the technology. After that, legislators should get out of the way.