
NR-issues. Was: e-Government uses "Authority-stamp-signatures"



Guys,
 
Before wasting a lot of time and list-space we might as well simply agree that we disagree on major legal issues.
 

But maybe we could agree that digital signature laws were created before a single "violation" had been recorded?

 
As far as I know, this differs widely from past legislative practices, which speaks for having a very open mind at this stage.
 
So I can do nothing but declare my "deviating" views:
 
That is, "non-repudiation" does certainly apply to server/org-signed messages. A company repudiating a purchase order, that can be verified to have been signed with their org-key (under the control of a business system), is likely to find this out the hard way.  Using legal practices that we still haven't seen a single trace of.
 
But why even bother calling in lawyers when the technical proof is as strong as a digital signature? 
 
That the repudiated purchase order may be the result of a security breach does not change much, except for who is going to get the blame internally, in the sending organization.
 
cheers,
Anders R
 
 
----- Original Message -----
From: "Jimi Thompson" <jimit@xxxxxxxxxxxxx>
Cc: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>; <ietf-pkix@xxxxxxx>
Sent: Sunday, December 15, 2002 07:05
Subject: RE: e-Government uses "Authority-stamp-signatures"

<SNIP>
for a legal signature ... as in manual signature, there is concept of
intention ... i.e. demonstrate that person intended to sign what they
signed. it is easier to show that when a person writes their signature,
they intended to write their signature.

issue in technology with digital signatures ... a piece of computer
equipment may have been programmed to apply signatures to messages, aka just
because the technology has been labeled digital signature doesn't make it a
digital equivalent of signatures.
</SNIP>

I mentioned this whole thing again for these very reasons since the overall
impression was that there would be some form of non-repudiation going on for
traffic that was merely flowing between 2 servers.  As Lynn so clearly
illustrates, this is not a valid use of "signatures".

I have a suggestion.  In order to avoid confusing ourselves and others,
let's make a small change in nomenclature instead of lumping everything in
under "signature".   Perhaps "authorizing" and "verifying" or whatever to
distinguish the two.

Thanks,

Ms. Jimi Thompson

Those who are too smart to engage in politics are punished by being governed
by those who are dumber. - Plato