I concur. The problem is that the most prevalent e-mail program (Outlook) requires no user intervention as a default when signing and/or encrypting a message with S/MIME. One can override the default to "High Security" (requiring password) only while the X.509 certificate is being installed. I also agree that alternative authorization mechanisms (or combination thereof) are entirely appropriate: smartcards, flashcards, biometric readers, magnetic strips, bar codes, etc. Different schemes will work provided the hardware is available and adequate authentication can be assured. Curt --- David Howe <DaveHowe@gmx.co.uk> wrote:
Partially agreed - a user doesn't have to know *how* it works, but must have to take a positive step (eg, type in a password, answer "yes" to a "are you really sure you want to do this" message, that sort of thing) for it to be binding under most e-sig legislation. However, the law of contract assumes every dotted i and crossed t is read and fully understood to the full measure of the law. Enough people get caught out this way each year (they find the contract they signed isn't what they negotiated but (eg) binds them to a full term of service (say, two years) when they wanted a three month trial... There is a balance to be had here. it should be impossible for a random user to walk up to their powered off pc, power it on, then sign a document. It should be extremely difficult
for a random user to walk up to a pc that has been left logged on (but which hasn't been used to sign documents for five minutes or so) and sign a document; it should be easy for the user to sign a large number of documents in rapid succession, without having to type in a complex password every single time. If this involves remembering the password for a specified "idle" time, or using a smartcard to auth (rather than a manual password or in addition) that the user can remove when he takes a coffee break then fine - but whatever you do must almost certainly use no other hardware than is already fitted to the machine, so a usb dongle could be ok for a home user but a credit-card style smartcard almost certainly won't be (although if anyone knows a decent floppy-adaptor for smartcards, I would love to know about it)
===== Curt end eof . Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com