Re: [TLS] Please discuss: draft-housley-evidence-extns-00<

["Steven M. Bellovin" <smb@xxxxxxxxxxxxxxx>]

On Thu, 11 Jan 2007 11:33:01 -0800
<home_pw@xxxxxxx> wrote:

> I've lost track of the URL, but somewhere on an MSN/Microsoft site it
> once had a click-signature mechanism. "Click the Agree button" to be
> legally bound to something, over the SSL channel. That is not
> particularly remarkable, of course. However, there was specific and
> remarkable legal blurb justifying this as an "electronic signature".
> I recall reading it, wide-eyed.
> 
> One can gauge the trustworthiness of that "https signature" based on
> classical evaluation analysis (a) was the https
> implementation/ciphersuite/CA good enough (b) was the HTML rendered
> in Microsoft's IE product c) Is the browser and OS assured to ensure
> nothing else on the PC could interfere with the rendering of the
> server's-page ...and its dynamic button and event
> generation/communication. Absent an NCSC evaluation report thereto,
> the only party that can argue one way or the other is of course the
> vendor - which just happened to be Microsoft of course.
> 
> So, I think this was an edge case, that only an MSN site can make
> this claim for a click signature, because it has complete control
> over the trusted technology being applied (being an arm of Microsoft,
> the product maker of IE, https, MSN Servers, etc). However, to be an
> electronic signature, there has to be a recordation act. Presumably,
> the MSN audit logs have the details of the ciphersuite used, the
> browser headers, and perhaps even the SSL session pdus for replay.
> 

You've swallowed the "digital" signature Kool-Aid.

What you saw was quite in conformance with the (U.S.) Electronic
Signatures Act of 2000.  See, for example:

	http://www.ftc.gov/os/2001/06/esign7.htm
	http://www.techlawjournal.com/internet/20000703.htm

Briefly, the legal notion of a signature has little relationship to
what computer people call a digital signature.  The (U.S.) courts have
held that computer-printed signatures on pieces of paper are legally
binding.

Sure, such paper -- or such mouse clicks -- can be forged, and there
isn't the technical attribute of non-repudiation.  If it comes to a
court fight, you can make that argument.  You can also make the
argument that a digital signature was forged because your key was
stolen or your machine was hacked.

In any event, your analysis and conclusions are wrong.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls