Re: e-Government uses "Authority-stamp-signatures"
Jimi,
>In order to establish non-repudiation, won't you need the signature
>of a person and not just proof that the email passed through a specific server?
I hope you can excuse me, but I have a very simplistic way of
looking at repudiation of signed messages that goes as follows:
- Personal signature: "I haven't sent that message!"
- Organization/server-based signature: "WE haven't sent that message!"
As not a single such event has so far been publicly documented, it
is really all up to pure speculation, but I can't see that the technical
processes or the rather unlikely legal processes needed to clear up
the two cases above will differ at all. In spite of the literally "eons"
of time spent on creating digital signature laws.
Well, if there _is_ a difference, I believe that the organization-variant
will prove to be easier to resolve, as archiving, user authorization,
time-stamping, etc. are built into the very core of the architecture
of such systems!
There are people who believe that the scheme represented by SHS
is a "Quick and dirty" solution. I would rather claim that this is a
flexible "Mammal" given its unlimited extensibility with respect
to PKI, while static schemes like the US Federal PKI seem more
related to "Dinosaurs", just waiting for extinction.
cheers,
Anders