Re: Analysis of proposed UK ban on use of non-escrowed crypto.

On Mon, Mar 31, 1997 at 01:20:02PM -0500, Ray Arachelian wrote:
On Thu, 27 Mar 1997, Kent Crispin wrote: [...]
The only legal support needed for digital signatures is for the courts to recognize that digital signatures are equivalent to their analog counterparts.
The *only* legal support? This is a *big* deal, and the issues are very complicated. Handwritten signatures and digital signatures are really quite different.
I claimeth not lawyerhood, but IMHO, it can stand up in court if both parties agree to it by analog signatures in front of a notary.
I can comment, and I am not a lawyer -- I in fact know of one such case, where one large organization signed a MoU with another one that agreed that PGP signatures would be valid authorization for work orders and selected other transactions. This can be useful where the organizations in question have a long term relationship, and they are willing to go to the expense of drafting such a contract.
This could be binding if the two parties sign something that says "If I use PGP to sign a document I agree to allow that document to be treated as if I signed it." (IMHO)
Sure. It's been done, in fact. However, pairwise contracts with everyone you do business with is not going to cut it. You need laws for this.
Not if it is agreed by all parties involved and their lawyers to honor such signatures. (IMHO)
Suppose I offer to sell you my car for $1000. We are not going to manually sign a contract to accept our pgp keys on a contract to sell the car, we will just do the total deal with manual signatures. Title will be transferred at the Department of Motor Vehicles with manual signatures. Smog certificates will be signed with manual signatures. It isn't worth the time and trouble to set up any kind of a special arrangement for digital signature for one time or sporadic, low volume transactions. Not until there is a legal infrastructure in place will we be able to do that.
[...]
4) Businesses, especially large businesses, will (and do) want common standards for key and DS management.
Yeah, and they also want standards for software. [...]
This is pair-wise contracting again. Note, incidentally, that standards concerning signatures are of a different order than standards concerning office software. There are far more pressing liability issues with digital signature.
Really? You must not have gotten infected by the slew of Word and Excel viruses out there. Might be a very good lawsuit against Micro$oft that they allowed such things to happen.
Not a chance.
Standards for a company are standards for a company. Which standard has more weight or importance is up to that company. Sure, it is on a bigger scale than installing XYZ OfficeWare and getting your ass fired, but it is still a standard.
We're not talking about standards for a company, we are talking about standards between companies, and government agencies.
Is there any reason that a specific company CAN'T decide to use PGP (or PEM, or some other scheme) if it so chooses?
All kinds of reasons. A Title Insurance company isn't going to be able to use digital signatures on Deeds of Trust without court approval, to just pick an example out of the air. [...]
These are company signature keys, also used for encrypting email, so the company escrows all the secret halves of the keypairs. (There is no privacy issue here -- these are all company keys used for company business, all the encrypted documents are company documents.)
So what's the problem? You hire people to keep track of assigning, escrowing, and signing keys for your employees. You have IS staff and security staff to watch for breaches. You can automate tons of this with well-written scripts that automatically scan all email for valid signatures and raise alarms when signatures don't match.
So what's the problem? Your answer is the problem: "You hire people...You have IS staff...You can automate etc"
Where is this not useful? For a small company a locked safe is plenty. For a large company, you hire HR/Security folks to be your "Key Agents" or whatever.
This costs *money*. There is no reason to use digital signature unless it saves you *money*. A business isn't going to invest in DS infrastructure, especially of the scale you describe, just because they think it's fun. [...]
Many commercial "standards" are legal standards, supplied by the government. In fact, the whole legal infrastructure of business law is really, when you get right down to it, a set of legally mandated standards. Standards are all over the map, when it comes to legal status.
Because there are laws that force such standards on the company.
This is a terribly simplistic view of things. Businesses also make good use of the level playing field that is provided by laws.

-- 
Kent Crispin                               "No reason to get excited",
kent@songbird.com                          the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html
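The "scripts that automatically scan all email for valid signatures and raise alarms" discussed above, written out as an added example (not code from the thread or from either poster). Ed25519 from the Go standard library stands in for PGP so it runs offline; the employee addresses, message bodies and the four test cases are constructed. It also makes one consequence of the escrow arrangement concrete: because the company keeps the private halves, a verifying signature shows the message was signed with the company key issued to that employee, which includes anyone with access to the escrow, so it is authorization evidence inside the company rather than non-repudiation against the employee.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is a constructed stand-in for one piece of company e-mail: the
// claimed sender, the body that was signed, and a detached signature.
// Ed25519 replaces PGP here so the example needs only the standard library.
type Message struct {
	From      string
	Body      []byte
	Signature []byte
}

// Alarm records why a message failed the automated check.
type Alarm struct {
	From   string
	Reason string
}

// KeyDirectory holds each employee's company key. Public is what the scanner
// verifies against; Escrow is the company's copy of the private halves, as
// the post describes. Anyone holding Escrow can mint a signature Scan accepts.
type KeyDirectory struct {
	Public map[string]ed25519.PublicKey
	Escrow map[string]ed25519.PrivateKey
}

// NewKeyDirectory issues a keypair to each listed employee and keeps both halves.
func NewKeyDirectory(employees []string) (*KeyDirectory, error) {
	d := &KeyDirectory{
		Public: make(map[string]ed25519.PublicKey),
		Escrow: make(map[string]ed25519.PrivateKey),
	}
	for _, e := range employees {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		d.Public[e] = pub
		d.Escrow[e] = priv
	}
	return d, nil
}

// Sign signs body with the key issued to from. The employee's mail client
// would normally do this; the escrow copy is used directly here.
func (d *KeyDirectory) Sign(from string, body []byte) (Message, error) {
	priv, ok := d.Escrow[from]
	if !ok {
		return Message{}, fmt.Errorf("no key issued to %q", from)
	}
	return Message{From: from, Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Scan is the alarm-raising script: every message must carry a signature
// that verifies, under the public key on file for its claimed sender, over
// the body as received.
func Scan(d *KeyDirectory, msgs []Message) []Alarm {
	var alarms []Alarm
	for _, m := range msgs {
		pub, ok := d.Public[m.From]
		if !ok {
			alarms = append(alarms, Alarm{From: m.From, Reason: "no company key on file for sender"})
			continue
		}
		if !ed25519.Verify(pub, m.Body, m.Signature) {
			alarms = append(alarms, Alarm{From: m.From, Reason: "signature does not verify over body"})
		}
	}
	return alarms
}

// Demo runs Scan over a constructed batch: a good message, one whose body was
// altered after signing, one signed with bob's key but claiming to be from
// alice, and one from an address with no key on file.
func Demo() ([]Alarm, error) {
	dir, err := NewKeyDirectory([]string{"alice@example.com", "bob@example.com"})
	if err != nil {
		return nil, err
	}
	good, err := dir.Sign("alice@example.com", []byte("Work order 17: approved."))
	if err != nil {
		return nil, err
	}
	tampered := good // same signature, body changed in transit
	tampered.Body = []byte("Work order 17: approved. Amount: $100,000.")

	forged, err := dir.Sign("bob@example.com", []byte("Work order 18: approved."))
	if err != nil {
		return nil, err
	}
	forged.From = "alice@example.com" // bob's signature under alice's name

	stranger := Message{
		From:      "mallory@example.net",
		Body:      []byte("Work order 19: approved."),
		Signature: make([]byte, ed25519.SignatureSize),
	}
	return Scan(dir, []Message{good, tampered, forged, stranger}), nil
}

func main() {
	alarms, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, a := range alarms {
		fmt.Printf("ALARM from=%s: %s\n", a.From, a.Reason)
	}
}
```

Running it reports three alarms (the tampered body, the forged sender, and the unknown address) and stays silent on the good message. Note that Scan treats a signature that verifies as sufficient; a real deployment would also want to bind the signed body to the claimed From header and a timestamp, otherwise a validly signed message can be replayed or re-addressed.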