
Re: Legal entities who sign



Anders,
The solution to this is quite easy.

The key is stored in a locked server-room (or better in a tamper proof/evident
machine).
The CEO cannot access this room or the physical key stored.
Let's call this the delegated Key Holder.

The CEO (only him) can use his/her own key through a new secure protocol.
Let's call her/him the Key Owner.

The other interesting thing about this protocol is that it can bypass
the untrusted terminal that the CEO can find on his way (hotel, banks,
airports etc.).
Let's call this terminal the untrusted terminal.

CEOs, and not only them, are seeking a mobile digital signature solution.

This is the way we work it out.

The law requires the subject to own the Key.
The law requires the subject to use his/her own Key.
The law doesn't specify any requirements about the untrusted terminal or application.
  
Raffaello Galli
C&A



Anders Rundgren wrote:
According to "e-lawyers", legal entities cannot sign as even
a delegated signer must be a physical person.  This creates
huge practical problems and is also quite ridiculous, here
thinking of a CEO-certificate/key stored in a locked server-
room that not even the CEO may have a key to, and used by
business-systems, often completely out of the CEO's control.

Question: Would it be completely unthinkable that a
certificate policy stated that the owner of this certificate
(which only identifies a legal entity) has through its
management approved that the legal entity is to be held
legally responsible for all documents signed by this
certificate and associated key?

This solution seems a bit related to Alexander the Great
and the Gordian knot...

cheers,
Anders Rundgren



  

--

Raffaello Galli
Chief Executive Officer
C&A  - Improving Your Security -

Voice:   +39 02.24791823
Mobile: +39 348.2877460
E-mail:   r.galli@xxxxxxxxxxx
Web:    www.com-and.com