Congress Moving On E-Signatures 158
Silas writes: "Well folks, Congress is moving along with attempts to make digital signatures legally binding for online transactions, public and private." Many pros and cons if this goes through, but I'm definitely looking forward to reducing my mail.
History in the making ... (Score:1)
Wait a sec.. (Score:3)
Does this mean that, in it's current state, a legally-binding, digitally-signed document does NOT exist?
.- CitizenC (User Info [slashdot.org])
Re:Are digital signatures that authentic? (Score:1)
Twins and DNA (Score:1)
Actually the DNA in Identicle twins starts diverging rather early on. Viruses are the main culprit.
Re:SPELLING IT OUT FOR THE SIMPLE MINDED 0000 (Score:1)
have given it alot of of thought, & no
my knee usually jerks in favor of new
technologies. After extensive experiences
with the possible consequences of liability
accruing due to accidents & whatnot.
I envision a magnetic strip card which
empowers a $pay$ key. A decent attorney
could probably make a complete fool of any
victim who claims they accidentally left
the card in the machine.
On a world wide basis, most people
prefer NOT to type in pass phrases, most
kids know their parents *pin numbers*
& in all likelihood the the machines
will be confiquired to ALLOW accidents.
I go beyond Murphy's Law to Masonic
Conspiracy.
I think the first time a dirty toilet
AUTOMATICALLY flushes your butt with filth
you will begin to see some things ought to
be under the explicit control of mortal men.
You can make many new friends
& rid yourself of strange maladies
by shouting out in public places;
"Damn Free Mason, female, fascist,
freaks [O.E.S.]are burning my [insert
correct body part here]
with MICOWAVE LASERS"
SPELLING IT OUT FOR THE SIMPLE MINDED 0000 (Score:1)
'electronic key legislation' the moderator
who got my post couldn't understand that a child
who accidentally activated a numerical key
[probably several pages in length & therefore residing on the hard drive] might cause
problems.[like kids who run up phone bills].
So maybe I should spell it out with a paint
roller for these Wunderkinde. Once them
shysters smell money they'll probably have a
[cash] button like [web] buttons etc sitting
in the middle of your keyboard. If you think
that Windows is a cheap piece of cr*p, try
programming a pc that has been DELIBERATELY
screwed up to avoid monetary tampering.
When computers came out one men could
put together a a neat program. Now with the
**** fhat's been added it takes weeks for several
guys to put together a program of any
reasonable complexity. Wait til you need a
4 year degree to run windows. This E key
legislation is one big step toward creating
a machine too important to be handled by
unauthorized, non proffesionally trained personell. Does mring the picture into
focus for ya. These free Mason technocrats bury
everything in cr*p so deep they take
the fun out of programming. [& money out of the
pockets of thode not privy to the
undocumented code that seems to make every
thing work.]
Does that put it more in focus for you.
This legislation lies to casting a chill
over a major area of productive power in the
hands of the people of the World.
Ok You Free Mason cupcakes want to play
stupid?
Perhaps this explains things in greater
particularity for you. Howse Adolph?
Since Geo. Washington, the officers of
the Armed Forces have all been
Free Masons, which may be why
their Russian Brothers had our
troop movements before our men did.
VA doctors have found either
chemical or biological
justification for Desert Storm
Syndrome. Perhaps our officers
are punishing our men for what they
did under orders. Done with a
MICROWAVE LASER.
Re:This *is* a good idea (Score:1)
Re:Oh Joy (Score:1)
- Steeltoe
Re:My rot13 beats your scrawl (Score:2)
Handwrighting expercts maintain that signatures are unique, and they may be. The problem is, that signatures can be forged.
Actual fingerprints would not be a bad idea, nor would face, ear lobe, or retina scans, preferably with a combination of two or more of the above, in addition to a password.
Post office would be perfect for this (Score:5)
1) Create a key in PGP or GPG.
2) Put the public key on a floppy and take it down to the Post office.
3) Show them your passport or your drivers license and Social Security card and give them the floppy and $5.
4) They put it on their LDAP keyserver, accessable at ldap.usps.gov.
5) Anyone wanting to authenticate your identity would check there.
You could offer some really neat features in a system like this, such as the possibility of creating arbitrairly anonymous keys for use in handle based fora or Hotmail accounts. If your key is compromised, you'd just go to the Post Office and issue a cancel certificate. Ideally there'd be limitations of liability similar to what you get with credit cards if you issue a cancel certificate in a timely fashion after discovering your keys have been potentially compromised. Especially since most computers on the net are insecure.
Re:Verisign and NSI (Score:1)
Re:This *is* a good idea (Score:1)
*** Proven iconoclast, aspiring epicurean ***
Re:Forging signatures (Score:1)
How many programs will 'intergrate' the ability to 'sign' a document with the push of a button?
If someone else sits at your computer, the software wont know.
I suspect some clever person will find away to eMail someone an eMail that signs itself, then replies to the sender, without the sighner knowing.
The ways to abuse this is staggering.
Re:Issues of security (Score:1)
"give me your wallet" "ok" snick "now give me your thumb..."
Re:Oh Joy (Score:2)
Any good promising candidates around?
Re:Not until we have secure operating systems (Score:1)
Pardon my ignorance, but how in the world would you prevent people from creating illegal smart cards to forge digital signatures? Seems to me that this solution just creates new avenues of digital fraud.
John
Re:Oh Joy (Score:2)
I'm sure that this was not the point of your post, but unless the actual algorithm is broken (which means discovering the true nature of primes, or at the very least a solution to factoring numbers easily, which is closely related) there is no real danger here.
If the computers are that fast, then they will also be fast enough to compute larger keys at a usable speed.
-Tommy
Re:Legal yes, but is is feasable? (Score:2)
Re:Hehehe... (Score:1)
> Hey, we still consider encryption "munitions."
That's so stupid! I know there is also lots of bullshit in french cryptography laws, but I believe it was recently fixed. Not sure, however. But I've no time now to search documentation about this.
> I wonder if it's legal for a US e-signature to be used in a non-US country?
I'm afraid it depends mainly of your congressmen.
Slightly off-topic, but I want this [osslaw.org] to be voted.
Re:Great, I Can See It Now... (Score:1)
Ask for the verification.
Even if a luser was stupid to sign an "opt-out decision", that alone couldn't verify the so-called "original" request for the spam. I'd be more worried if the spammer asked instead for the luser's private key... and the luser actually handed it to them!
Re:Not until we have secure operating systems (Score:1)
Re:Wait a sec.. (Score:1)
Re:Not until we have secure operating systems (Score:3)
Keep in mind that, even with current 'legaly binding' signatures, you can potentialy always go to court and say "I diddnt sign that".
Because of this, important contracts require a witness (who could also potentialy say "I diddnt see him sign that, and someone forged my name too!"), and realy important contracts need to be signed and notarized by something like a Notary Public, a Comissioner of Oathes, or even a judge.
When I say "require" I dont mean "legaly necessary" but "expected" and/or "required" by the other entity involved in the contract to do business with you. IANAL (and working on lay Canadians idea of the law (but this is all prety basic, and basied on English Common Law anyway)) but since there is always the "I diddnt do it" escape, important contracts will always require a third party.
Congress is moving? (Score:2)
Re:My rot13 beats your scrawl (Score:1)
A goverment database? I'm out.
A private corp? I'm out.
RSA as a digital signature? Only secure for a subset of messages (see IEEE press's Contemp Cryptography(?) for that attack).
If you're responsible for your own digital sig, how do you change it if/when a pratical attack comes out for your algorithm/protocol?
Just a thought. Please kick my ass if I'm wrong.
Re:This *is* a good idea (Score:1)
PLus when 'convience' addons begin appearing,and they will, anytime a system is unattended, someone could enter that computers owner into a legally binding contract.
Imagine the exploits for that?
finally! (Score:1)
Jaeger
http://334.se2600.org
http://jump.to/jaeger
Privacy and Online Stalking (Score:2)
On a side note, social security numbers are not required to be a US citizen, in fact as long as you don't work for the government and don't keep money in any institution regulated or associated with the FDIC there is no need. On a side note the same goes for paying taxes. If this regulation goes through then in essense what is said by requiring a social security number for internet access is that it is a privledge and not a right for a citizen to possess. Scary thought to think that we may not have a right to communicate. Just some things to think about.
great (Score:1)
------
www.chowda.net [chowda.net]
------
Idiot. Everybody has root on your system. (Score:2)
Wrong. Everybody has root on your system, in fact you have no way to prevent people from having root on your system. If a Linux application gives a local user unrestricted access to the computer, it's a horrible security bug that causes frantic warning emails to fill inboxes and newsgroups worldwide. If a Windows application manages to restrict a local user's access to the computer, it's a technological marvel built on a shaky foundation.
That is because I don't run a time-sharing system,
Unless you're really using DOS, this is untrue. BeOS and Windows9x are both multitasking systems, and Windows at least provides better mechanisms than Linux for allowing malicious processes to *hide* themselves from the user.
where the whole system is structured so that multiple users can wait poised to do things I don't approve of.
What, you've never heard of Back Orifice, NetBus, BO2K, or even the trojan "movie file" that's been bouncing around the net this morning?
My single-user operating system (BeOS, Windows 9x, DOS, whatever OS you choose to hate, Slashdotters) doesn't have a root account.
Yes it does. Root is the *only* account it has.
The only way to get that power on it is to sit down at it.
Or to get you to run a trojan Word document, VBscript, or executable (like millions of people have, for multiple different trojans), or to get you to run a malicious ActiveX applet, or to exploit a buffer overflow in any of a number of old versions of IE, NetMeeting, various FTP daemons...
You're not going to be allowed to do that, by the way.
Oh, you've never let anyone else sit down at your computer? You've never even left your computer alone while you weren't in the room? You're not a common case, you realize that?
Besides, who needs to sit down at your computer? I just need to burn my trojan backdoor to a CD-R and stick it in your drive, if you're one of the 99% of users who hasn't disabled autorun.
Or hell, I just need to sell you some nice closed source software or give you some shareware with a proprietary internet protocol, and upload whatever I want in the data stream. How many different companies wrote software that's installed on your computer? Do you realize that every one of those companies have "root" access? Do you trust all of them?
Re:This *is* a good idea (Score:1)
this is why where possible (e.g. G?PGP etc) it is better to use passphrases mine are all at least 4 words +, with numbers and non \w chars, easier to remember as well.
and yeah i know, most people aren't going to do this . . .
means you are going to have to be damn sure about anyone you let near your pc as well (repair persons/tech support/consultants etc), it's a fairly trivial matter to put in a keyboard logger and they might just doing this job for a couple of weeks and then off to a nice mansion in the country. right now the greatest protection you have is that most of the stuff on your (private) pc just isn't worth the hassle.
and a higher level of security on the majority os will be essential, take for e.g. the trojan mentioned on a previous thread, now it just sends your ip and dun details, maybe the next version will just stay quiet for a day or 2 waiting for some real juice.
do we really need this? it makes things more conveniant, but how conveniant do we want life anyway, just imagine in the future when your most important descision is choosing baby's new chair, with inbuilt massage to prevent muscle atrophy and drip lines for food and caffeine.
Re:Wait a sec.. (Score:2)
In my mind, an online shrink-wrap licenses carry very little weight and I have no problem clicking "Yes, I agree" without reading an agreement. It's simply to easy to argue that another user posed as you. Web-crawler's can easily SUBMIT whatever is expected and a computer program cannot legally enter into such an agreement.
It's kind of scary to think that online sites may move to legally binding cryptographic signatures. Imagine a feature built into the tag that allows a user to digitally sign the POST data... Then you may end up having to read more legal agreements than actual online content. Slashdot may require you to use this feature or you automatically become "Anonymous coward." etc, etc. The possibilities are endless and many are not very encouraging.
This is an exception (Score:4)
Re:Oh Joy (Score:1)
has a long history of cracks. Look it up.
Oh Joy (Score:3)
Keep up the good work, guys...
Re:Issues of security (Score:1)
CONGRESS MOVES ME...TO TEARS 0000 (Score:1)
book report & winds up with a toyota &
a date with a $1000 hooker.
The moral of this story is don't
type your homework on a cash register.
Accursed Scum
You can be played like a puppet by
stimulating your internal organs with
the effects of a MICROWAVE LASER
Re:e-sigs for EULAs? (Score:1)
The Benefits of Digital Signatures (Score:1)
Whenever you purchase something online: a cd, a book, software, etc.. you are entering into a contract with the person/company selling you that item. If you purchase an item in a store, you must either provide cash or credit card with a signature. This adds validity to these contracts which protects both the merchants and the consumer in the case of fraud/bad merchandise/insert other *bad thing* here.
This also enable more sophisticated business to transpire online as well. Opening up stock trading accounts. Purchasing real estate. Leasing cars. All things that require specific contracts, and which involve mail delays if the persons involved are not physically close to each other.
Yes forgery and privacy issues will be found here, but Guess what? Cases of forgery and violation of privacy occur with written contracts too.
I think this a necessary thing, which like all other things, must be used carefully and with both eyes open.
Re:Are digital signatures that authentic? (Score:1)
So, even if they GET your private key, they still have to crack THAT - now if you picked a GOOD password, that'll be HARD
a REAL good password might be something like
ad;i^#klh354oh534)(*&^vefg!@!168TR$%
but that's kinda hard to remember
a BAD password would be "Clinton"
and OK Password might be
This,## Is a\\ someWhat678OK,.Passwrd
Re:Not until we have secure operating systems (Score:1)
Why is that any more scary than signatures made from scraping ink across paper? Don't you know children are taught how to do that? Why, a clever person could use that ink scraping knowledge to forge a signature.
Re:Forging signatures (Score:1)
How do you sign the messages with John Doe's private key without his passphrase? If J.D. was stupid to have a simple or easily guessable passphrase that's his fault, or if he were stupid to store the passphrase on the same computer as the private key.
Re:security (Score:1)
Re:Oh Joy (Score:2)
Re:Beware signed EULA (Score:1)
--Fesh
Click-Wrap Software Licenses (Score:2)
Congress spanks (Score:1)
Heh. Everybody has root on my system, too. (Score:2)
Re:Bad idea (Score:1)
Re:biometrics verification systems (Score:2)
Certificate Authorities (Score:1)
After that, it's just a matter of legislating that to provide certain services or present certain content you need a government certificate or you can't do business.
Issues of security (Score:1)
Perhaps the best way to implement this would be to use your thumb print as your private key. That way replicating your private key is virtually impossible.
Of course if you were to disfigure/lose your thumb I guess you couldn't enter any more contracts electronically.
Re:Hehehe... (Score:1)
I seem to remember that you can disable most of the *cough* security features in Windows NT by simply setting your location to France in the Date/Time control panel.
--
Re:Hehehe... (Score:1)
Re:SPELLING IT OUT FOR THE SIMPLE MINDED 0000 (Score:1)
Ssssssh, quiet! You might scare people saying stuff like that...
Re:My rot13 beats your scrawl (Score:2)
Okay, so much for the pro-anonyminity
I for one, do not want any company whose purpose is profit, to have access to MY DNA. It's really that simple.
And until the effectiveness and security of the digital signature is proven, I won't be filing too many mortgages over the net.
Re:e-sigs for EULAs? (Score:1)
I'm not even supposed to BE here today!"
LOL! Clerks! I use this line at work all the time and no one gets it.
question (Score:1)
I have a question... although these may not be exactly the same thing as what we're dealing with in the post...
I know that some chain retail stores require you to sign a digital touch-screen of some sort with a stylus as a way to verify a credit-card transaction. And I believe some shipping companies (UPS, etc) also do the same thing to confirm package receipt.
Are these technically legally binding or are they only intended to suit the needs of the entity in question?
Who determines the signatures? (Score:2)
IF this is to be implimented properly, I would think it'd have to go on this methodology.. You have a public and private half of your digital signature. The public half is not just two static halves of the same key, like PGP is, but rather your signature plus the timestamp of when it was signed. That way anyone using it would have to act almost immediately to get the signature done right and keep it as valid. Using a static public key would be plain insane to prove without a certainty of a doubt that it was you and not someone who happened to see your key or hack your harddrive.
Another question.. what software would do the signatures? Would it be multiplatform, or Windows only? Would the software be even something the user would need? The very NATURE of the Web is anonymity, to change it and say that doing a transaction over an anonymous webpage now has your signature on it had better be really darn good, else any script kiddie with a few public tools could sign your soul to the devil (as it were). This goes doubly true if you're now going to be held legally bound to the contract in hand.
I, for one, want to see this implimentation before I would ever consider using it. Mearly stating that e-signatures are now legally binding is like saying your neighbor is now married to your wife. Unless you have a good way to prove it, I see this as a situation of the government attempting to quell fears while not grasping the whole implication and practicality of it all.
Re:This *is* a good idea (Score:1)
Maybe I'm thinking about this in the wrong perspective. When I think of 'e-signature', I'm thinking an electronic version of your signature, ie: something you already possess and will uniquely identify you (within a small margin of error). Are E-Signatures going to be something that most people will have, or are they going to have to register with a signature company in order to get one? I tried browsing over to the named congressional links page from this one, but didn't quite find out what the definition of this term was to be.
premature (Score:2)
Even in the area of credit and charge cards, where billions of dollars are lost to fraud, companies still use completely unsecure systems.
I have also had several experiences where companies have duplicated electronic records, swapped electronically stored signatures, etc. With paper, fraud is quite possible, but with electronic signatures, both fraud and programming accidents are possible.
And, should there be a dispute, the situation in court is also disadvantageous for the consumer with electronic signatures. With paper, you can always ask them to produce the record. With electronic signatures, it ends up being your security expert against theirs, and they can afford to pay a lot more for their experts.
digital signiture=digital id... mark of the beast? (Score:1)
there will be
no buying or selling without the mark.
so where is the churches on this ?
i consider government a religion minus prayer.
Its easy to fore see the future
you will have a unique signiture (identifier)
you will sign and post your taxes with it
you will do all transaction with it
you will be tracked by it
Implementation? (Score:1)
Who issues the keys? Can we make them up ourselves with a random key generator? How do you ensure each person gets exactly one key? Who signs the keys - a web of trust, or some government agency? What happens if that key is compromised?
If the government wants us to use a certain standard, will they release source code for all to work from? I personally would not trust most companies' implementations of digital signature schemes. I would not trust software that implemented digital signatures unless it was open-source, AND thoroughly peer-reviewed. It's far to easy to create security loopholes.
And if we don't watch out, companies could use it to make us sign EULAs, or register software. I'd be wary of any kind of "automatic" signing software. I want to be there at the keyboard verifying it each time with a pass phrase or some such. And I need to be sure that what I'm signing is actually what the computer tells me I'm signing - it would be easy for some software to pull the bait-and-switch.
These issues need to be worked out before the law can be put into effect.
This *is* a good idea (Score:5)
- It's all over if a cracker takes my private key! Well, would he/she not still need a passphrase? Just make sure passwords are not cached (this, I admit, is the weak link). Also, you can issue revocation certificates; even if someone else knows the passphrase and has your key, they cannot revoke a revocation certificate.
- Then the government/corporation/slashdot-satan-for-today will know who I am! Yes, just like with your handwritten signature on any official document, esp. those requiring notarization.
- My encrypted stuff can be cracked! This takes an immense amount of computer power, and most people are simply not that important. How would you encrypt things at all without computer cryptography? You could be like Richard Feynman, and create codes with your spouse to send encrypted hand-written love letters, but I personally don't have the time or mischievious inclination for that.
- When I get a signed email from some beautiful celebrity who wants to go out with me, how do I know it's her? That's why all public keys that matter are themselves signed by authentication services, like VeriSign. For personal keys, use these services or maybe the notaries at your local banks will catch on to another money-making opportunity.
Any disagreements? Am I missing any critical factors?*** Proven iconoclast, aspiring epicurean ***
What else does this bill provide? (Score:2)
The risks of that should be obvious. I already get enough crap from companies insisting that they gave me plenty of notification of rate changes/fee changes/etc in the 5-point print on the bottom of a statement bundled with "valuable information" on return address labels, travel clubs, $10 'CD' players!, and similar junk. Now they can just eliminate even that step and just mail it to me at "friend@public.com" and it's totally my fault that the message is dropped as spam by either my ISP or myself. *sheesh*
I must remember. No email is ever misdirected. No email is ever lost. All mail I received should be carefully reviewed, in its entirety, for important information. I must always run attached Office and VBS documents - it might contain a self-extracting signed document concerning some critical financial issue such as my long distance charges (which average less than $20/month). And in a totally unprovoked dig, MS Exchange only has problems because of all of those unconfigurable sendmail servers.
Bad idea (Score:2)
So let's say that someone intercepts a digital signature on a Non-Disclosure Agreement or somesuch and then types up an agreement saying that they've already given you $X in cash and in exchange you agree to give up your house and then tacks that intercepted sig onto the bottom. You'd actually have to spend money on a lawyer to keep your house.
Until we have universal standards for STRONG crypto, I think that this is a BAD idea.
LK
Two laws that won't play well together (Score:2)
It's a good thing for some of us... (Score:2)
Re:Not until we have secure operating systems (Score:3)
*I* would not consider *any* box, regardless of operating system, platform, etc., to be 100% secure. The main issue with security, aside from the fact that -any- security system can be cracked, has to do with the loose nut behind the mouse. Sorry, but when a security system relies on human intervention, well, humans just aren't very secure.
Yes, a written signature requires human intervention, but there is certainly less vulnerable than password-based security. With digital signatures, anyone who can physically access your private key, which usually means anyone who can get into your box (i.e., type yoru login and password in somewhere), can get to your digital signature. At least with written signatures, your actual human presence is required (excluding of course forgeries which are another matter entirely, that's why for certain legal documents we require them to be notarized or otherwise certified by a third party).
Re:This *is* a good idea (Score:2)
If your private key is stolen then it's a matter of decrypting your password. Ever tried L0phtcrack? It can brute force crack passwords on my P2 450 pretty damn quickly. You cannot guarantee that people will have hard passwords. As time goes by, computational power will make any of todays cryptography obscelete (sp?).
For a revocation to work, surely you would need to know when your keys were stolen? It's not going to be acceptable that you can revoke all existing documents that you've signed.
Yes, but unless the hand written document is scanned and annotated, a computer-based search will not turn it up. Of course, this is the biggest problem doing anything on the internet. Records of people's postings to the Usenet will be available for the rest of their life, forming a profile that might incorrect of where they are at that point in time.
That's assuming that there is a failproof validation method when issuing the keys. What's to stop somebody creating a false profile in the same way we have domian name squatters registering internet domains in advance?
I scanned my signature in so that I could attach to faxes from my computer. I've been very careful not to email documents to people with signature though. Of course... it could still get stolen now.
Re:Not until we have secure operating systems (Score:2)
2 reasons why it doesn't scare the shit out of me...
1. Here in the UK we have had binding 'digital signatures' for a while - a faxed signature (digitally transmitted, remember) is legally equivalent to an original signed document here.
2. Surely forging a digital signature carries the same penalties as forging a written one - so we are gaining, not losing security here (as all those anti-forging laws will now apply).
- Andy R.
sig... Y2K, only 47.5 years left to fix those bugs!
My rot13 beats your scrawl (Score:2)
Hopefully they will make this concept legal while not requiring a specific implementation - that way folks who care to can keep the implementation up to date. I trust folks like Visa, etc, to stay on top of this. It is in their best interest (by a long shot) to make this kind of thing work well.
Re:Not until we have secure operating systems (Score:2)
as with most things technological . . . (Score:3)
There is a vast amount of authority (citations available upon request) strongly suggesting that legal formalities for a signed writing (the so-called statute of frauds) are satisfied by an electronic communication annotated or logically associated with a character or characters manifesting an intent to authenticate (legally, not technically).
In other words, the e-mail:
"Dear bill.
I will buy 1000 Model K frobozinators at $600 per frobozinator to be delivered FOB Tampa no later than thursday. Terms: 2% 10/net 30.
Love, Maria"
would very likely be enforceable under the common law and the UCC -- even if no encryption or other technical encryption was used. Requirements for signature under the common law are amazingly lax. An X, a fold or tear made in the paper, another's name, a shaving on a cow or even a footprint can constitute a signature.
The reason for an e-commerce statute is to make any question clear beyond cavil, so to clear the way for lawyers to permit BIG deals to be done without a signed writing. Imagine a few dozen lawyers at a $100M closing. The boss for the buyer smiles and signs "Minnie Mouse," or an "X," citing the case law suggesting that the signature is binding. Maybe so, you would say if you represented the other side, you would nevertheless ask a literate counterpart on the other side to sign the document "properly."
Its about eggs in baskets. The law should get out of the way of the technology used for signatures, and ratify any actual manifestation of an intent to sign. (electronic documents raise interesting proof issues, but so do traditional physical documents) The risk of misauthentication and the like is a different question to be decided by those who would USE the signature technology, not by those who enforce the agreements into which the parties otherwise clearly entered.
USPTO-- digital sigatures (Score:2)
Re:This *is* a good idea (Score:3)
(1) Most people "for convenience" would store their passphrase (heh, dream on. It's going to be a password, something like 'secret') on their hard drive, right next to the key itself.
(2) Even if by some stange twist passwords would not be stored on the same hard drive, possession of keys gives you the ability to brute-force passwords off-line. This is highly practical and successful (AFAIK >70% passwords cracked in real-life tests)
Then the government/corporation/slashdot-satan-for-today will know who I am!
That's the wrong objection -- mostly they know who you are anyway (a signature from an unknown party is basically worthless). The point is that in the brave new world a record of your actions would be already digitized and stored on a drive/tape somewhere. This makes it os-so-convenient to cross-index and store this stuff for enternity -- just in case, you know...
My encrypted stuff can be cracked!
And what does this have to do with the validity of electronic signatures?
When I get a signed email from some beautiful celebrity who wants to go out with me, how do I know it's her?
You don't. All a public-key system guarantees is that the entity which signed this particular message has been in possession of a certain private key. There is nothing which associates a number (key) with a person. This, of course, makes the whole thing vastly more complicated than most people imagine. What you call "authentication services" help but a lot of problems still remain.
Kaa
Re:Legal yes, but is is feasable? (Score:2)
A real forger has to take significant effort to produce a work that is not easily dismissed. Additionally, the real forger has a significant time investment.
A script kiddy has no significant effort or time investment to produce the same work.
Think about banks. If I wish to close my account, walking away with a $10K cashiers check, the process laboriously checks identification, the signature, and whither it makes sense. Shit, I have the odd problem with my bank calling me because a check I endorsed for deposit while riding in a moving vehicle doesn't seem to match. When the electronic bank provides the same service based on my new DigiSig 2.0, some script kiddy walks away with my savings account.
Re:Law in Italy since 1997 (Score:2)
Public-key cryptograhpic digital signature has now become the main tool, using current technology, of assuring the integrity and the source of electronic documents, therefore replacing the handwritten signature in tradiditonal documents.
bla bla bla
Therefore exchanging public and private electronic documents with the same value as their corresponding paper documents is now a reality.
The document goes on to list that certificate holders must be registered and readily consultable, administered by a central authority.
Pretty cool for a country where its still legal to abuse a woman as long as she's your wife
Re:Certificate Authorities (Score:2)
Really? What happens when someone steals your keys and starts making copies and handing them out as party favors? This isn't any different from a handwritten signature except that it can be less secure if you don't pay attention. The only difference is that you can submit papers with your signature on them digitally.
This could be really nice (Score:2)
It's much easier to send a request to have your car registered through the internet directly to the Registry (guess which New England state I live in :-) then it is to go and stand in line for an hour to pass them a single sheet of paper and then leave.
This could also mean you would now have to "digitally sign" the license agreements for all those computer programs. This could have a down side.
Law in Italy since 1997 (Score:2)
Not until we have secure operating systems (Score:3)
Making digital signatures legally binding scares the shit out of me.
Let's face it -- 99% of the populace, whether they use Windows (and I'm sure Microsoft will be so kind as to provide a VBScript hook for signing documents or at least publishing private keys, so that virus writers will have a new source of fun), or whether they use Linux (how many desktop-role Linux boxen do you know of that you would consider 100% secure?) is operating insecurely. And that insecurity is going to spell trouble if digital signatures are legally binding, because it opens up a whole new class of forgeries.
Let's pretend, for a moment, that most programmers are good at implementing cryptography and would never, ever write a program that allowed a key to be compromised by its use. (Hell, I don't trust any programs I write with my private keys.) Even if you've got good cryptography software, where you store your keys is probably going to be compromisable by an enterprising cracker.
Before anyone even considers making digital signatures legally binding, how about requiring this binding to only take effect if the document was signed by an approved smart card? Make it a parameter of the signature, and make it illegal to write software or create unapproved smart cards that set that parameter.
Signatures are not the issue (Score:2)
You do *NOT* as a matter of course require a signature to enter into a contract. Period. If I offer to sell my rabbit to you for $50 bucks, and you say yes, we have an enforceable contract under the law of 49 states (I am not sure about Louisiana law, but who is?).
A signature is only required, generally, when a specific provision of law or common law (known as the statute of frauds) requires it. The most typical scenarios are:
(1) transfer of rights in land; and
(2) transfer of goods in excess of $500.
(Which is why software licenses often expressly provide that they do not involve the SALE of software).
There are a few additional scenarios relevant to copyright license rights -- exclusive licenses or transfer of copyrights itself (as opposed to copies of a work or the sale of a license in the work).
Accordingly, the vast majority of EULAs do not require signatures. (Although this is an argument frequently raised against them by lay audiences). An e-signature provision would not raise new legal issues.
The issue with EULAs is the dual arguments that: (1) I never agreed to the EULA; (2) I only agreed to the EULA after I had already paid for and received my copy of the work, hence there is no consideration for the EULA; and (3) Under the UCC, the timing of the post-sale writing, which materially changes the agreement, violates Section 2-207 (battle of the forms) and is therefore unenforceable.
As a matter of course, by the way, these arguments have failed. The only Circuit Court opinion directly on point is ProCD, which held that the agreements are enforceable at the end of the day. Other appellate opinions held certain provisions unenforceable under other rules of law, but not on the ground that no contract existed.
Finally, note that "digitally signature" under the new law does not require any form of encryption or authentication. A simple typed "Love, Mom" will suffice.
Re:Post office would be perfect for this (Score:2)
Of course, there are sound commercial reasons for wanted to be able to prove authentication in court with the benefit of a PKI, but the law is enabling only (it permits encrypted signatures enforceability, but doesn't require this for enforceability).
Electronic signatures are very insecure... (Score:2)
But even if we assume, that I own a chipcard with embedded unbreakable public key encryption which hides my key from everyone (including myself, so I (or someone stealing my card) cannot store this key on some external media)... How can I be sure, that I'm really signing this contract in exactly the same form I am looking at on the screen right now?
The Chaos Computer Club has demonstrated[1] how you can use someone's chipcard-reader over the net. Banks using chipcards for electronic banking are too miserly to use terminals which include some form of display (which might say: You are now signing a transfer of $1234...) for feedback right from the card.
But I'm sure, when signing a contract of well... let's 20 pages of text, only some form of checksum will actually be transfered to the smartcard...
Will the display then read: "You are signing a document whose md5-sum is 68b329da9893e34099c7d8ad5cb9c940?"...
On the other hand, anyone can read my credit-card-number if he happens to find a copy of a receipt in some store's trash, so electronic signatures surely will improve the security of these transactions...
[1]http://www.heise.de/newsticker/result.xhtml?
biometrics verification systems (Score:2)
The problem of forging or stealing digital signatures is of primary importance and concern (atleast it was back when I was working for a state court system). I don't think encrypted digital signatures are the way to go at all. I see government, in particular, using some sort of biometrics system to verify signatures (captured via pressure sensitive electronic pen and pad), voice, face, fingerprints, or iris and retinal scan.
Here's some more general information for whomever is interested:
www.finger-scan.com [finger-scan.com]
www.facial-scan.com [facial-scan.com]
www.retina-scan.com [retina-scan.com]
www.hand-scan.com [hand-scan.com]
www.voice-scan.com [voice-scan.com]
www.signature-scan.com [signature-scan.com]
- tokengeekgrrl
"The spirit of resistance to government is so valuable on certain occasions
Re: prior signatures (Score:2)
In other words - a verbal contract.
*So*, in many cases if two parties exchanged digital signatures in the expectation that they were binding then they were, in fact, binding. If the contract was covered by the Statue of Frauds and they exchanged traditional documents stating that digital signatures would be considered binding for the purposes of the SoF, then these signatures would be binding. If they tried to use only digital signatures for something covered by the SoF, they were never binding.
Even in the case where one party exchanged digital signatures with the expectation that they would not be binding, if the other party/ies thought they were doing a good-faith negotiation then these signatures would probably be declared binding for the purposes of a criminal complaint for fraud.
The only thing this bill really does is 1) state that digital signatures are acceptable under the SoF, so you can buy real estate and the like with them, and 2) deny shady characters the chance to try claiming that the digital signature "wasn't really valid" in hopes that the other party will give up and walk away from a legitimate claim.
Re:Bad idea (Score:2)
Unless I'm reading you very wrong, it would seem that you are unclear as to how a digital signature system would work. It's not a matter of just attaching some generic signature to the bottom of a file. The signature that is attached is a result of using your private key, which is never transmitted (and hence not intercepted) to encrypt a hash of the document being signed. If you removed the signature and attached it to a different document, if you even correct a spelling error in the document, the hash of the message is thoroughly altered, and thus the signature is no longer valid, since decrypting it does not produce the correct hash. Such a signature can thus not be "cut & pasted" onto any document, each signature has to be produced by a person with the private key and the document being signed.
J.
PS - This is not to say that there aren't problems with such a proposal - the cheif one, to my mind, being that everything rests in the security of the private key. But the argument you provide seems to, unless I am misreading you, be moot, since that is not how digital signatures operate.
Re:Not until we have secure operating systems (Score:2)
Legal yes, but is is feasable? (Score:2)
How can we keep ourselves safe in a time where all but the beefiest encryption schemes are crackable on commodity machines and any determined script kiddy can clone a magstripe?
Beware signed EULA (Score:4)
Please digitally sign here in order to install the software that you have already opened and can no longer return. Oh, this means you have already read the 50 pages of draconian fine print with your lawyer present.
Craig
Re:Geeks should work without laws (Score:2)
If only we could. But note the word "legally" in "legally binding". If you and I have a contract signed with non-legally binding signatures, and one of us backs out the other one has no recourse.
--
Wanna hook MAPI clients to your Tru64/AIX/Linux server?
Are digital signatures that authentic? (Score:2)
Of course, this is not to say that traditional signatures aren't that secure. That's even more easy to fake, if you think about it.
So what gives? Are we saying that both signatures are equally valid? One is more valid than the other? Whatever the case, we should recognize that the authenticity of the two are different, and treat with differing degrees of authenticity. Exactly how, I don't know. I would like to hear from the experts though, on how we should handle our digital signatures.
Is the current infrastructure (i.e. none) on the net adequate? Do we need escrow services?
RSA-38 has never been considered secure. (Score:2)
==========
Ref: point 2, "Remember when 128 bit keys was way too big to be factored? I do, and I'm all of 28 years old."
128 bit keys were never considered too large to be factored. Various people were positing RSA-129 as being secure back in the '70s, but that was 129 *decimal digits*, not *binary digits*. (I may be off on the exact 129 figure--it was about that, though.)
To brute-force a 128-bit number requires you check every prime through 2^64. This is not very difficult. Using an intelligent factorization algorithm will make factoring a 128-bit number trivial.
To give a rough comparison, 2^20 is approximately equal to 10^6. 2^20 raised to the sixth power is 2^120, add on another factor of 2^8 (which is approximately 10^2)... you're looking at 10^6 raised to the sixth (10^36) with another factor of 10^2, for a grand total of 10^38.
Factoring a 38-digit number is not very hard. Factoring a few *hundred* digit number is nontrivial.
Re:Privacy and Online Stalking (Score:2)
For further thought, think back to high school government. The Federal government can not make any laws they are not expressly allowed to by the constitution. This is why Federal taxes are not laws, and it is handled through a contract. It's some interesting reading. Take a look at the contracts and Supreme Court rulings around the turn of the century if you don't believe me, or anyone else who is interested can email me at ephraiml@crosswinds.net, I would be estatic to have further discussions.
PKI has too many flaws to be binding. (Score:3)
When you listen to PKI companies give their shtick about how wonderful PKI is and how it will save the universe, apply some simple common sense.
1. Who holds your private key (besides you)? - If you use the VeriSign solution for digital certs (the one where they manage the CA for you), in addition to your users having their keys, so does VeriSign. If you roll your own, your users have their private keys, and probably also the administrator who gen'd it for them (for when the user accidently deletes their keys). How will users store their private keys? On their hard drives? Poor security, easily obtained by a ruthless 3rd party. Floppy? Unreliable medium, more susceptible to theft. Smart Card? Susceptible to theft.
2. Remember when 128 bit keys was way too big to be factored? I do, and I'm all of 28 years old. Even with using 1024 bit keys, it's only a matter of a couple of years before many keys are useless. For the uninitiated, I've got your public key, and can find the prime factorization for a number that is your public key and your private key (for all intents and purposes, it's a bit more involved, but not THAT much more). If I compromise your private key in this way, you have no knowledge that I've done so (unless I'm a big moron about doing it), and I can freely digitally sign documents as if I were you. The signatures will even validate properly. Fun, huh? Maybe I'll buy some stuff over the net with your keys, and have it drop-shipped to a Mailboxes, etc. or some other such place.
3. Complexity of the system - I don't know about everyone else, but my mother barely grasps the concepts behind sending email and pulling up a web page. How's she ever going to understand the how and why it's not only safe, but legally binding to use PKI technologies to enter into agreements?
--
Re:Not until we have secure operating systems (Score:2)
In other words, if a cracker manages to use your signature, it is binding on you even if you can prove that it was a forgery! This is not the case for written signatures AFAIK.
Does the new version have the same problem?
Re:My rot13 beats your scrawl (Score:2)
I wonder how hard it would be to run a DNA test on a strand of hair or something less intrusive and unsanatary. If you could store and use DNA for identity verification, you'd have a good 10 to 15 years of solid authentication after which time the cloning scene will probably render that test useless, too.
An important step not even mentioned (Score:3)
Anyone can create a key claiming to be someone else - the only way you know that the key really does represent the person it claims to be representing is if: a) the person gave you their public key in person, or b) there is an authority that "signs" the key, confirming that it is in fact from that person.
Now, this is really no differant than the way things are today - anyone can sign a check as "Bill Gates," this is why Notaries exist. Are we going to extend the Notary system to have them sign public keys as well?
for all the nay-sayers (Score:4)
Is that feasible? Technically? Legally?
Want to work at Transmeta? MicronPC? Hedgefund.net? AT&T?