
William Geiger III wrote:

> Has there been any consideration for the difference between a digital signature that is used only for authentication and one that is legally binding??
> I would hate for these Digital Signature Laws to make every e-mail message I sent a legally binding document. :(

I realize I'm in danger of sounding like Tim here, but I remember writing a long message about this some months ago - perhaps it's available through the archives.

"Legally binding" isn't a useful way to think about this sort of thing. Signatures serve at least two different purposes; sometimes they're required to form a contract (say, for the transfer of an interest in real estate, or a contract which cannot be performed in less than a year, or for the sale of goods worth more than $500) and sometimes they serve as evidence that a person has had access to or contact with a physical thing (like a paper copy of an agreement).

Contract law does not revolve around signatures, it revolves around agreements. If you don't have an agreement with someone (and haven't acted in a way which would have led a reasonable person to think you had an agreement) then you don't have a contract with them. A signature can be evidence of an agreement, and it may be required to form certain agreements; but a signature is not an agreement. It's a pattern made with ink or with bits; an agreement is a legal relationship. The map is not the territory.

If your e-mail doesn't seem to be proposing an agreement, or accepting an agreement, I don't think you need to worry that you're going to accidentally form a contract with someone.

Other concerns (like, say, that a digitally signed message could be introduced as evidence in a criminal or civil trial) seem to stem from the assumption that unsigned messages won't be admissible ... and I think that assumption will prove to be false. Courts admit evidence whose origin is disputed or uncertain all of the time, and trust the jury to decide who they'll believe. There's no reason to assume that electronic evidence (as opposed to eyewitness accounts, or photographic evidence, or other falsifiable evidence) will be excluded because it's potentially suspect. The addition of a digital signature makes the spurious "But how do you know *I* sent that message?" argument less plausible - but I think that argument's a loser anyway, at least in most cases.

If you're really worried about it, you could add "THIS KEY WILL NOT BE USED TO SIGN OR FORM CONTRACTS" to your ID string for your public key - but I'm not sure it really makes much difference.

--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         |
http://www.io.com/~gbroiles | Export jobs, not crypto.