[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio

To: "Anders Rundgren" <anders.rundgren@xxxxxxxxxx>, "Stephen Kent" <kent@xxxxxxx>
Subject: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio
From: Stefan Santesson <stefan@xxxxxxxxxxx>
Date: Thu, 08 Apr 1999 16:52:27 +0200
Cc: <ietf-pkix@xxxxxxx>, "'SEIS-List'" <list@xxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxx

Anders,

First of all - I'm not a lawyer. All I'm saying is just my opinion.

Second. The person responsible for a signature, regardless of type, is the
person who created it and whose intent it expresses.

I.e. You are ALWAYS responsible for signatures created by YOU and you are
NEVER responsible for signatures created by someone else.

Who owns the techiqe, keys, system, infrastructure etc. are totally
irrelevant to this fact.

So, last, what remains is the problem of providing strong evidence if the
above fact is repudiated. I.e. if you deny that a signature was created as
e result of your consious act, representing your intent.

This however WILL be dependent on technique, keys, system, infrastructure etc.

So when we are talking about law and technique, we are ONLY talking about
factors which effect the EVIDENCE VALUE. Not factors that decide whether a
signature is legal or not.

ALL SIGNATURES ARE LEGAL. It's only the fact that some of them are harder
to prove in court than others.

/Stefan

P.s. Th above should not be mixed with the fact that some authorities may
require a minimum security level for signatures in order to accept them
(e.g. for a signature to be in hand writing). This is an option open to all
relying parties, i.e. to say - It has to be at least this good or I will
reject it.

At 07:14 AM 4/8/99 +0100, Anders Rundgren wrote:
>Hi Stefan + Steve,
>
>May I ask a question regarding signature laws which I am pretty ignorant of?
>
>If a company runs a SET Wallet Server for their employees to use, is not
the company
>responsible for signatures produced by the certificate and keys stored on
that server?
>
>Legally as well as technically. 
>
>Now to the users (with their CyberPhones) that initiates transactions:
They are responsible to
>their company that as a minimum records all transations with user
identity.  Or
>it could require a sign op as well.
>
>Looks OK to me.
>
>So what is so fundamentally flawed in the CyberPhone concept with respect
to digital
>signature laws?
>
>Regards
>Anders
>http://www.mobilephones-tng.com
>
>
-------------------------------------------------------------------
Stefan Santesson                <stefan@accurata.se>
Accurata Systemsäkerhet AB      http://www.accurata.se
Slagthuset                      Tel. +46-40 108588              
211 20  Malmö                   Fax. +46-40 150790              
Sweden                        Mobile +46-70 5247799

PGP fingerprint: 89BC 6C79 5B3D 591B 8547  1512 7D11 DBF4 528F 29A0
-------------------------------------------------------------------

Follow-Ups:
- Re: SEIS: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio
  - From: Patrik Fältström

Prev by Date: RE: Time Stamping: comments on nonce field
Next by Date: RE: Time Stamp: tsa field in TSTInfo
Previous by thread: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio
Next by thread: Re: SEIS: Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio
Index(es):
- Date
- Thread