Analysis of proposed UK ban on use of non-escrowed crypto.

Kent Crispin kent at songbird.com
Tue Apr 1 02:06:00 PST 1997 

On Mon, Mar 31, 1997 at 01:20:02PM -0500, Ray Arachelian wrote:
> On Thu, 27 Mar 1997, Kent Crispin wrote:
[...]
> > > 	The only legal support needed for digital signatures
> > > 	is for the courts to recognize that digital signatures
> > > 	are equivalent to their analog counterparts.
> > 
> > The *only* legal support?  This is a *big* deal, and the issues are 
> > very complicated.  Handwritten signatures and digital signatures are 
> > really quite different.
> 
> I claimeth not lawyerhood, but IMHO, it can stand up in court if both 
> parties agree to it by analog signatures infront of a notray.

I can comment, and I am not a lawyer -- I in fact know of one such 
case, where one large organization signed a MoU with another one that 
agreed that PGP signatures would be valid authorization for work 
orders and selected other transactions.  This can be useful where the 
organizations in question have a long term relationship, and they are 
willing to go to the expense of drafting such a contract.

> > >	This could
> > > 	be binding if the two parties sign something that says
> > > 	"If I use PGP to sign a document I agree to allow that
> > > 	document to be treated as if I signed it." (IMHO)
> > 
> > Sure.  It's been done, in fact.  However, pairwise contracts with
> > everyone you do business with is not going to cut it.  You need laws
> > for this. 
> 
> Not if it is agreed by all parties involved and their lawyers to honor 
> such signatures. (IMHO)

Suppose I offer to sell you my car for $1000.  We are not going to 
manually sign a contract to accept our pgp keys on a contract to sell 
the car, we will just do the total deal with manual signatures.  Title 
will be transferred at the Department of Motor Vehicles with manual 
signatures.  Smog certificates will be signed with manual signatures.
It isn't worth the time and trouble to set up any kind of a special 
arrangement for digital signature for one time or sporadic, low 
volume transactions.  Not until there is a legal infrastructure in 
place will we be able to do that.

> 
> > [...]
> > > 
> > > > 	4) Businesses, especially large businesses, will (and do)
> > > > 	want common standards for key and DS management.

> > > 	Yeah, and they also want standards for software.
[...]
> > 
> > This is pair-wise contracting again.  Note, incidentally, that 
> > standards concerning signatures are of a different order than 
> > standards concerning office software.  There far more pressing 
> > liability issues with digital signature.
> 
> Really? you must not have been gotten infected by the slew of Word and 
> Excel viruses out there.  Might be a very good lawsuit against Micro$oft 
> that they allowed such things to happen.

Not a chance.

> Standards for a company are standards for a company.  Which standard has 
> more weight or importance is up to that company.  Sure, it is on a bigger 
> scale that installing XYZ OfficeWare and getting your ass fired, but it 
> is still a standard.

We're not talking about standards for a company, we are talking about 
standards between companies, and government agencies.

> Is there any reason that a specific company CAN'T decide to use PGP? (or 
> PEM, or some other scheme) if it so choses?

All kinds of reasons.  A Title Insurance company isn't going to be 
able to use digital signatures on Deeds of Trust without court 
approval, to just pick an example out of the air.  

[...]

> > These are company signature 
> > keys, also used for encrypting email, so the company escrows all the 
> > secret halves of the keypairs.  (There is no privacy issue here -- 
> > these are all company keys used for company business, all the 
> > encrypted documents are company documents.)
> 
> So what's the problem?  You hire people to keep track of assigning, 
> escrowing, and signing keys for your employees.  You have IS staff and 
> security staff to watch for breeches.  You can automate tons of this with 
> good written scripts that automatically scan all email for valid 
> signatures and raise alarms when signatures don't match.

So what's the problem?  Your answer is the problem:  "You hire 
people...You have IS staff...You can automate etc"

> Where is this not useful?  For a small company a locked safe is plenty.  
> For a large company, you hire HR/Security folks to be your "Key Agents" 
> or whatever.

This costs *money*.  There is no reason to use digital signature
unless it saves you *money*.  A business isn't going to invest in DS
infrastructure, especially of the scale you describe, just
because they think it's fun.

[...]
> > 
> > Many commercial "standards" are legal standards, supplied by the
> > government.  In fact, the whole legal infrastructure of business law
> > is really, when you get right down to it, a set of legally mandated
> > standards.  Standards are all over the map, when it comes to legal 
> > status.
> 
> Because there are laws that force such standards on the company.

This is a terribly simplistic view of things.  Businesses also
make good use of the level playing field that is provided by laws.

-- 
Kent Crispin				"No reason to get excited",
kent at songbird.com			the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html

More information about the cypherpunks-legacy mailing list