Slashdot Mirror


House Nixes Digital Signature Bill

Seth Scali writes "The Electronic Signature in Global and National Commerce Act was nixed by the House of Representatives on Monday. According to the article over at ZD Net, the vote was 234 to 122-- or about 1/2 of what would be needed to pass." It needed a 2/3 majority. Most Congressmen seem to agree that we need some sort of legally binding digital signature capability, but say they don't think the current proposal offered enough security or consumer protection. Oh, well. Maybe next time.


  1. Good Thing by GaspodeTheWonderDog · · Score: 2

    This is a very good thing, it is bad enough that somebody could steal my credit card or other personal information. Think of what damage could be done when somebody could have that much more credit to masquerade as you...

    Just like Microsoft, the government can't be wrong *all* the time.

    --
    This space for sale
  2. I hope so... by Yeshua · · Score: 3

    I would hope that such a bill would be rejected. While there does need to be at some point some form of legally binding electronic signature, I don't think we're at the point where we have the technology to really support this. A normal signature and its individuality is based on the idiosyncrasies and mannerisms of each human being and their fine motor systems, and requires a lot of practise if you ever hope to copy it. An electronic signature, however, is merely a piece of data, which at this point is far too easily replicated and misused. The current technology just has too many security holes to allow it to be a viable alternative as an individual authentication device.

    1. Re:I hope so... by Brian+Knotts · · Score: 2

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Easy to duplicate? I think not.

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v0.9.8 (GNU/Linux)
      Comment: For info see http://www.gnupg.org

      iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVyQ+ DNiYollQCfZ8vP
      pqUx8DUPME1AjzB1bqdDD08=
      =rvgZ
      -----END PGP SIGNATURE-----
      --
      Interested in XFMail? New XFMail home page

    2. Re:I hope so... by Brian+Knotts · · Score: 2


      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Easy to duplicate? I think not.

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v0.9.8 (GNU/Linux)
      Comment: For info see http://www.gnupg.org

      iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVy Q+DNiYollQCfZ8vP
      pqUx8DUPME1AjzB1bqdDD08=
      =rvgZ
      -----END PGP SIGNATURE-----
      --
      Interested in XFMail? New XFMail home page

    3. Re:I hope so... by Seth+Scali · · Score: 2

      No, a digital signature is *not* just a "piece of data". You seem to be confusing the idea of regular signatures with digital signatures.

      A regular signature is static-- you put it on one document the same way you put it on another (well, with minor variations, but the overall whole of the thing stays the same). It is difficult for somebody else to imitate it, due to those idiosyncrasies.

      However, a digital signature is *not* static. If you digitally sign a document, I cannot create another document and simply "cut and paste" the signature of the other document onto mine-- it would be immediately recognizable as bogus. The reason is that a digital signature *changes* with the contents of the document being signed and with the person signing it. If you and I sign the same document, the signatures are different and unique to each of us. If you sign two different documents, the signatures are different-- and unique to *you*.

      If you want to learn more, I'd recommend the original RSA paper, at http://theory.lcs.mit.edu/~rivest/rsapaper.ps , as well as a copy of the DSS (Digital Signature Standard), available from NIST at http://csrc.nist.gov/fips/fips1861.pdf , as well as Bruce Schneier's "Applied Cryptography".

    4. Re:I hope so... by um...+Lucas · · Score: 2

      Well, it's useless until someone funds a national or global PKI. Until that point, it seems incredibly easy to corrupt it. Say I make 20 false signatures, then make 20 more and sign them all with the first 20, then make one genuine one, get it signed by someone widely regarded as "trusted" and then use my signed key to sign the first 20... I now have 20 signatures that are "signed" by a trusted party and are at the same time two steps away from me... Add a few more people to the scheme to get more signatures from other "trusted" people and you've got slews of false signing keys out there...

      Both the good and the bad thing about real-world signatures is that you can't revoke them. It also takes a HUGE amount of skill to replicate them in front of someone else. It's one thing to sit at home and try over and over until you get a reasonable facsimile, it's entirely another to be able to do it on the fly.

      I can't really see how we could as a country or world create a sufficiently secure system of key management. It's got to be a lot better than the current notary system, but that would tend to leave the handling of it in the hands of the government, which would probably be the NSA, FBI, or Secret Service...

  3. President Nixes Digital Signature Bill by El+Peligroso · · Score: 3

    The House passed the bill in question (It only takes 218 votes for a majority in the House, and this bill got 234). It won't become law because the President will veto it, thus the need for a 2/3rds majority to override. It's misleading to say that the House killed the bill.

    BTW, I really hate it when articles quote blatant spin as if it were actually newsworthy.

    --
    Anything worth doing is worth doing badly.
    1. Re:President Nixes Digital Signature Bill by bright+moments · · Score: 2


      Um, not quite, cowboy. The managers of the bill brought it to the floor under suspension of the (House) rules, meaning it didn't go through the rules committee, which is a normal course of action. Bills that are brought up under suspension of the rules require a 2/3rds majority to pass. Because of this, it will never make it to Clinton for him to veto. The fact that Clinton said he would veto it is irrelevant and shouldn't be taken as a given (he said he'd veto the welfare reform act a few years ago and then signed it). Clinton's lackeys in the Commerce department were close to saying okay to this bill, and most likely could have gotten what they wanted in a conference committee, leading to a presidential signature.

  4. Re:Even laymen can understand the concept of secur by Chandon+Seldon · · Score: 2

    Well, unless there is a -close- to 100% foolproof way of authenticating a digital signature, we're just going to run into the same old hassles we're having now, where signatures are forged or copied, or transactions deliberately tampered with or fabricated.

    A GPG digital signature is currently nearly 100% authenticatable.

    A digital signature used to sign a document is both specific to that document and specific to that sender. If it was sent by the wrong person, the signature will be invalid. If the data changes between the time of signing and the time of verifying, the signature becomes invalid.

    Try playing with GPG [http://www.gnupg.org] for yourself. It's an extremely neat app.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
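
The property described in Seth Scali's reply and in Chandon Seldon's comment above (a signature is bound to both the document and the signer) can be checked directly. This is an added example, not code from the thread or from GnuPG; it uses Node.js's built-in `crypto` module with Ed25519 keys rather than the RSA/DSS schemes the thread cites, and the signer names and documents are constructed.

```javascript
const crypto = require("crypto");

// Two independent signers, each with a freshly generated Ed25519 key pair
// (constructed for this example).
const alice = crypto.generateKeyPairSync("ed25519");
const bob = crypto.generateKeyPairSync("ed25519");

// Constructed sample documents.
const contract = Buffer.from("I agree to pay $100 to the bearer.");
const altered = Buffer.from("I agree to pay $100000 to the bearer.");

// Ed25519 hashes the message internally, so the digest argument is null.
function sign(doc, signer) {
  return crypto.sign(null, doc, signer.privateKey);
}

function verify(doc, signature, signer) {
  return crypto.verify(null, doc, signer.publicKey, signature);
}

function demo() {
  const aliceSig = sign(contract, alice);
  const bobSig = sign(contract, bob);
  const aliceSigAltered = sign(altered, alice);
  return {
    // The genuine signature verifies against the document it was made for.
    genuine: verify(contract, aliceSig, alice),
    // "Cut and paste": Alice's signature attached to a different document.
    pastedOntoOtherDoc: verify(altered, aliceSig, alice),
    // Alice's signature checked against Bob's public key.
    wrongSigner: verify(contract, aliceSig, bob),
    // Same document, different signers: different signature bytes.
    differsBySigner: !aliceSig.equals(bobSig),
    // Same signer, different documents: different signature bytes.
    differsByDocument: !aliceSig.equals(aliceSigAltered),
  };
}

console.log(demo());
```
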
  5. It's a good thing (for now) by substrate · · Score: 3

    I think there is a need for legally binding digital signatures, but it's something I wouldn't want to see rushed through the legislature to make some withered old republicans look digitally savvy. This could have disastrous effects.

    Any legislation has to be written realizing that protocol or key length requirements need to change with time. A given protocol and keylength may be fine for early November 1999 but may be cryptographically weak in early November 2009. This brings up another point. The protocol and key length requirements need to be strict enough that the chances of them being compromised before the signature on the document no longer protects anything is vanishingly small. In other words the strength behind the signature is directly proportional to the lifetime of the document.

    Consider an earnings report for a company for a given quarter. It only requires a year's worth of strength in its digital signature. If a third party were to release an October 1998 earnings report in an attempt to manipulate the stock price it would be quickly caught and discredited.

    Consider an individual taking out a 30 year mortgage on their home. If the digital signature can be forged in under 30 years this puts the consumer who took out the mortgage at risk. A malignant mortgage company could change interest rates or terms of the agreement to profit at the expense of the consumer. Things like this happen now with pen and paper signatures.

    The security requirements for taking out a second thirty year mortgage after the first could be different than those for the first. Technology has increased, computers are faster and maybe new hiccups like quantum computation are a reality.

    Digital signatures have the capability of being many orders of magnitude safer than pen and ink signatures if and only if people aren't legislated into weak signatures.

    1. Re:It's a good thing (for now) by MikeBabcock · · Score: 2

      What is needed is for digital signatures to get more prevalence in companies and have a legal challenge so that a body of case-law can be built to support digital signatures. More software that's well marketed and publicized will get us to that point.

      - Michael T. Babcock <homepage>

      --
      - Michael T. Babcock (Yes, I blog)
  6. Even laymen can understand the concept of security by jd · · Score: 3

    In England, there are good reasons to be wary of ATM machines. There have been numerous cases of "phantom withdrawals", where money has gone missing and the bank has denied any responsibility, on account of the fact that the person "could" have used an ATM machine to take the money themselves.

    Technophobia isn't rampant there, but skepticism towards large companies who try to worm their way out of accountability is.

    How does this affect digital signatures? Well, unless there is a -close- to 100% foolproof way of authenticating a digital signature, we're just going to run into the same old hassles we're having now, where signatures are forged or copied, or transactions deliberately tampered with or fabricated.

    IMHO, digital signatures =must= be coupled with user input which is simply too complex to forge. Using a random sampling of the retina as a one-time pad would work for this. Then use the pad to encrypt the signature, and any other data.

    But that only gives you a measure of security against outsiders. What about dodgy bank employees? There, encryption is useless, as the bank has to have the decryption key to be able to make use of the data. At -some- point, in the bank, the information has to be in the clear, and all someone has to do is inject false data there.

    Actually, there's a way to solve that, too. If the bank's software is "incomplete", and your signature includes self-decrypting executable code, which is necessary to complete the transaction, it would be necessary to obtain that code before false transactions could be made in your name. However, if this code requires a "ping" or "traceroute" to your card, before it will work, it would be beyond most employees to fake a response. It doesn't make it impossible, but that's not the point. At present, any bank clerk with an IQ of -5, who can tell the difference between a keyboard and a ham sandwich has 99% of the tools they need to do a phantom withdrawal. Make it hard enough, and the people left who still could would probably be earning so much that they wouldn't bother with such petty cash.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  7. This bill is coming back . . . by bright+moments · · Score: 2


    House Republicans intend on bringing this bill back up for a vote before the end of the current congressional session. When you consider it was rushed to the floor and missed being approved by only 4 votes (where did that "about 1/2 of what would be needed to pass" come from?) you can understand their optimism in trying again. This time, instead of bringing it up on the suspension calendar (with the required 2/3rds vote) they will try to run it through the rules committee and get a "closed rule" on the bill, meaning no amendments to it on the floor. That way they only need a simple majority to pass it.


    If the House is going to go down this route, look for it to happen by Friday. But with Lott saying the target adjournment date is Nov. 10, you can be fairly certain this bill will expire with the session (unless they manage to get it appended to a year-ending omnibus appropriation bill, then anything goes . . . ).

  8. Waiting until society is ready(not just us)is GOOD by spartan · · Score: 2

    In the news I read, the reasons given for nixing Digital Signatures had to do with creating a second class of enforceable, legally binding contracts. I wholeheartedly agree with this. There is no sense in rushing into a new use of technology and forcing it down the throats of consumers who will not understand the message they are receiving. Contract law is one area that is clear enough for a great many people to understand. It is well thought out and well documented in the Uniform Commercial Code and a great many state laws.

    This applies to a whole huge list of transaction types and contract law situations.

    • A company may distribute a recall notice to connected consumers. The consumer thinks it is junk mail and deletes it. Who is responsible for a future situation where the product defect caused an accident? The consumer could be asked to digitally sign the copy they were sent acknowledging receipt of the recall, but was something this basic included in the bill?
    • Data Integrity Issues: What happens when a consumer's data is lost and it contained contracts in electronic form? Can he get a copy from the other party?
    • What happens when the corporation loses their copy? If it's a contract that I have the only copy left, may I say I don't have a copy either and stop taking actions for which the agreement applies if the terms are later found to be unfavorable?
    • We would be forcing the courts to decide the question: Did the consumer sign and when did the consumer sign? Typically, a corporate attorney would make better use of terminology and understand the issues better than the consumer's attorney. Would you trust the outcome in determining such basic facts to be favorable?


    As much as I love technology and all the cool benefits of it in terms of information flow, I think that for something as important as this, it's imperative that the plan be well thought out and understood by even those who do not understand the underlying technology. It was prudent to wait.

    So, who cares about key length? Really. If the consumer will not even understand they are entering a legally binding agreement or receiving information which legally binds them, then we are not ready as a society to take the step. It's really as simple as that, and all the different arguments about the technological merits of one solution vs another can just sit by the wayside until these larger issues are worked out and understood.

    If that doesn't take place first, then passing a digital signature act will be something the government does to us, not for us.