Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
United States

Proposed Law:Electronic Signatures == Pen and Ink 85

Salgak1 writes wrote in to send us Washington Times Article about Rep. Tom Bliley (R-VA) introducing a bill to make an electronic signature legally equivalent to one done on paper. Here is The Bill. Seems Sen. Abraham (R-Mich) introduced a similar bill in the Senate. (Full Text
This discussion has been archived. No new comments can be posted.

Proposed Law:Electronic Signatures == Pen and Ink

Comments Filter:
  • by Anonymous Coward
    cut and paste from some silly brits
    Myths about digital signatures
    Edward Felten
    Wed, 19 Feb 1997 17:12:43 -0500

    There has been a lot of public discussion lately about digital signatures on
    mobile code. Several myths permeate this discussion. I'd like to puncture
    three of them.

    * Myth 1: Digital signatures let you know who wrote a program, or where it
    came from.

    Reality: Anybody can remove the author's signature or add their own
    signature. At best, a signature tells you that the signer endorsed the
    program recently. Endorsement is more useful than authorship anyway; most
    people care more about whether their corporate MIS department has endorsed a
    program than about who wrote the program.

    * Myth 2: If X has signed a program, and I trust X, then it is safe for me
    to download the program.

    Reality: There have been plenty of incidents of reputable and well-meaning
    organizations spreading viruses or serving as the base for security
    attacks. Before accepting a download from X, it's not enough to ask "Do I
    trust X?" One must also ask questions like "How carefully has X managed
    his cryptographic keys?" and "What is the probability that X's security has
    been penetrated?"

    * Myth 3: Digital signatures provide accountability; if a program signed by
    X is malicious, the victim can sue X.

    Reality: Suppose I accept a download signed by X. A few seconds later
    there is some mysterious network traffic and then my disk gets wiped clean.
    X could be the culprit. Or X could be innocent --- that code I downloaded
    from Y three days ago could have waited a while before detonating. Or
    somebody could have exploited a bug somewhere else in my system. I have *no
    evidence* to distinguish these cases --- all the evidence disappeared when
    my disk was erased. (We can assume the attacker is smart enough to remove
    the hostile code from his site immediately after the attack.)

    If the attacker doesn't erase my disk, I can't trust the apparent evidence
    anyway. After all, the attacker had free run of my system and could have
    planted whatever "evidence" he liked. The evidence, whether real or not,
    will collapse in the first cross-examination.

    Signatures can provide accountability, but only with much more rigorous
    logging and auditing than today's consumer software provides.

  • Who needs to 'crack' PGP? There are loads of stupid users runnint insecure OSes with default sharing of everything, downloading and executing software from unknown sources. Your private key is probably 2K is length? You surely don't memorize it. It's stored on your hard drive. A trojan horse program could easily send it off to who knows where and now someone else can sign messages as sure as you had done it yourself. No one can tell the difference anymore.

    If you have a cable modem, do a 'net view', or run smbclient -L on your ISPs subnet. You'd be surprised what's out there for the reading.
  • by Anonymous Coward

    quoted from the article:
    "The law is intended to boost electronic commerce by giving businesses and consumers more assurance that on-line transactions are secure."

    Notice the goal is not to make on-line transactions more secure, but to give more assurance that they are secure. In other words, this would basically dupe the consumer into thinking their digital signature is secure, while simultaneously the government is in actuality undermining the strong crypto that is required to make it so.

    'Don't look over there, there's nothing to see over there, look over here! Look over here!' Smoke and mirrors, that's what it is.
  • That's not the point. Assuming a PGP-like program, anyone who can hack into my computer can get my encrypted private key. And anyone who can do that can probably set up something to capture me typing my password. With those two pieces of information, anyone could forge my signature. My private key could easily be posted to a newsgroup and it could cause me some serious problems.

    I don't know of many people who are careful enough about system security to have digital signatures that are as secure as real ones.
  • by Anonymous Coward
    Take a look at for the Digital Signature Standard (FIPS 186-1) Its the US governments public-private key signing standard for authentication purposes. PGP also supports it, its exportable, its reviews show no backdoors. So if the government already has a signature standard they should use it in any laws giving d-sigs legal strength.

    As for matching identities between people & keys, key signing is pretty effective. Only trust keys you've signed or someone you strongly trust has signed.
  • by Anonymous Coward on Friday May 07, 1999 @03:58PM (#1900159)
    It's a nifty concept, and ideally would make sense; to be able to show, with very high confidence, that somebody *did* agree to a deal on, say, E-bay, could give consumers a leg up. Such could inspire confidence in e-commerce, and also serve to promote widespread use of cryptographic software in even daily messaging -- although it makes me wonder if elements in the DoJ would ever consider *requiring* cryptographic signatures...

    However, for cryptographic signatures, how does one confirm that the original key came from that person? There's not much right now, beyond paranoia in dealing with unsigned keys, that prevents somebody from pre-emptively and maliciously creating PGP keys for random individuals. This suggests that we need reliable key authorities, the equivalent of electronic notaries ala Verisign; for full accountability, somebody would need to be able to trace the key to a physical contact address.
  • by Anonymous Coward on Friday May 07, 1999 @04:53PM (#1900160)
    Hand-written signatures have the advantage of
    being a biometric measure: You can't steal
    someones handwriting. (You can fake it, but that
    is something different from stealing it.)

    But I can get someones PGP key, or someone could
    allow me access to his/her key for convenience
    (so I can sign things for him/her). Thus,
    I don't think a judge would be convinced
    that a letter signed by a digital signature
    must have been written by the person owning
    the signature or the key with which the signature
    has been made.

    If I post my private PGP key on Usenet, I have
    effectively taken any legal binding from my
    digital signatures. Something that I can't do
    with my real-world signature.

    Therefore, for some things these digital signatures just won't work. For other
    applications, they are already working,
    because parties have agreed to accept them
    as a means of authentication, and having
    them "stolen" is negligence, making the
    negligent party accountable for the damages.

    Another interesting point is that you can't have
    key escrow with those keys. (Sometimes, you just have to proove things, and not just rely on the honesty of the NSA.)

    And having strong signatures, you can effectively
    use this to create strong encryption (a process
    called "chaffing" IIRC).

    Thus, a law that makes digital signatures legally
    binding automatically allows everyone to own
    strong encryption software.
  • by Anonymous Coward on Friday May 07, 1999 @04:42PM (#1900161)
    1. The keys used by signatures tend to be really, really big. Yeah, maybe someone will crack one in our lifetime, but it's going to be something on the order of the EFF DES machine, not a 5Kr1p7 K1dd33.
    2. There are no export restrictions or controls of any kind of encryption used for authentication. Get that through your thick, knee-jerking skulls.
    3. The essential element of signature security is your private key. You are the only person who should ever have access to this value. In fact, some of the most important aspects of digital signatures are voided if a second party (like key escrow) ever has access to this key.
    4. Crackers are clever, but they don't have magical powers. Private keys can be guarded successfully.
    5. If someone steals your private key, it can be revoked and you can get a new one. Try that with a written signature.
    6. Your private key can expire forcing you to get an entirely new one. Again, try that with a written signature.
    7. Many, many, states allow faxed signatures to be binding while a written signature is in transit. In the insurance industry, "digital signature" usually referes to a scanned image. Wouldn't you rather migrate to something that's a little secure?
    8. Signatures are issued under the auspices of a Certification Practice Statement. This policy not only controls who gets a signature, but how they get it and what is does and does not "prove" when it's presented.

      Think of a school ID, a driver's license and a passport. They're all photo ID's, but with different requirements for obtaining one. As a result, they provide differing levels of authentication and authorization.

  • by BOredAtWork ( 36 ) on Friday May 07, 1999 @03:51PM (#1900162)
    Hang on a sec. A pen and ink sig can be verified by a handwriting expert. An electronic sig would have to be gauranteed by strong cryptography, most likely in the form of a PGP-ish key of some kind. Whoops... my bad... the same government that wants to use electronic sigs is also actively trying to stomp strong crypto...

    Until we have legal, government-encouraged, secure (Ex: no key escrow repository) crypto, the electronic signiature is worth no more than a name pecked out on an old typewriter. No if's and's or but's about it, electronic sigs would be great, but until the strong crypto to ensure their validity is in place legally and widely, they're not going to happen, unless in some insecure half-assed form that would be bad news for everyone.


  • I you use a suitably strong public key algorithm and a cryptographically strong hash function (both of which are very easily available) you can generate a digital signature which can't be manipulated. See the README distributed with PGP for details.
  • The Washington Times article implies that simply typing your name at the bottom of a document or affixing an image of a fingerprint could be considered an electronic signature. This makes cut&paste forgeries easy for anyone :) . The Senate bill [] dosen't clarify if this would be so. I assume that any court would rule that only a cryptographic signature (like PGP) that isn't vulerable to cut&paste is valid, but I'd like to see it written into the bill anyway.

    Oh - the link for the text of the House bill (it's HR1714) dosen't work, and says that the text of HR1714 has not been entered into the database yet.
  • Much safer than pen and ink; They're not at all easy to manipulate. Read Applied Cryptography.
  • Cryptographers have been attacking the protocols and technologies behind this stuff for years. If there are any serious holes left to find, the only folks who know 'bout them are the NSA.

    And how do folks use e-signatures to read your data? HOW could they use this to know what you "buy or do or pay"?

    Relax. This law is a Very Good Thing.
  • They're much more secure than standard signatures, in fact, because they prevent tampering not only of the signature but the document itself.

    Read Applied Cryptography; It talks about lots of other Neat Stuff (like e-cash). You'll find it interesting.
  • Posted by Big Brother:

    Very well said. Have to love two-faced politicians that will push for this one day, then a 56 bit max on crypto the next.


  • There's nothing secure about a pen and ink signature. Yes, a handwriting expert can make a careful examination, and express a professional opinion, but it's still an opinion. Also, the value of the document better be high since handwriting experts don't work for minimum wage.

    When you sign a check, and give it to the cashier, how does he/she know it's your signature? If it isn't, but it's sort of close, how do you dis-prove it to your bank? $100 check, $200 for handwriting analysis...

    The best way to secure the secret key is a smart card, and a 'wallet' where you enter the passphrase (so you don't have to trust someone else's card reader to not log your input).

  • A proper digital signature is not an arbitrary set of bits. It is an MD5 of the document which is encrypted with your secret key. Only your public key can decrypt it, and only that document will have that the MD5 that was decrypted.

    Had the checks been signed digitally, you wouldn't have had to contest them at all, they wouldn't have matched your public key.

  • Having personally gone through the process of contesting checks with forged signatures I am much more confident of written signatures than any other form of signature that is little more than an arbitrary string of bits or at best a trivially duplicated image.

    The technology is simply too immature at this early point to apply to such a fundemental sort of legal construct.

  • They open-source the code for digitally notarizing my digital signature. . .
  • At least, I hope not. There are several major things which need to be done first.

    The biggest, of course, if getting rid of these silly export laws. It'll take the Supreme Court to do that; the appeals court was a major victory for our side but the fight's not over yet.

    Second, SSL needs to become more and more widespread. It's getting there, certainly. I'm hoping that the end to these export restrictions, couple with the freeing of RSA (which I believe is coming soon; doesn't the patent expire sometime next year?) should do that one. Of course, the ultimate goal is to have all servers use SSL, but that'll take time.

    Once those two are in place, then we'll be ready for something like this. But not before. There are simply too many poential problems to do this just yet. I'd like to see this as much as anyone, but the Net is not yet ready.
  • telos wrote:

    The big issue that I can see with this idea is that it can be taken too far and lead to very real finanicial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know how, another person gets your signature and basic account information (account number, ammount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.

    I think you're a little unclear on what constitutes a digital signature. We're not talking about that little block of text that goes after your e-mail. We're talking about a digest or hash function that takes a private key block, hashes it against a transaction message (which can be anything -- e-mail, news posting, audio data...), thus generating a "signature" which can be verified using a public key.

    You can't duplicate or "steal" a signature because the signature is different for every document. As long as your private key is secure, your digital signature is secure.

  • You are correct; there are plenty of existing precedents to indicate that "digital signatures" are as good as pen-and-ink.

    While electronic manifestation of assent would have some positive attributes, it is also currently (mis)used to get you to agree to shrinkwrap or clickwrap license "agreements." These are ususally onerous, extremely imbalanced instruments that basically abscond with your money and your liberty, and leave you holding a piece of buggy software. I wrote an essay [] on this subject some time ago.

    Finally, it would be interesting to see how this proposed legislation would affect Uniform Commercial Code 2B [] (a sweeping re-write of contract law to effectively legalize all shrinkwrap "agreements"). It's beginning to look like UCC-2B may not fly because of myriad legal and ethical flaws; I wonder if this legislation is in response to that.


  • One, paper signatures are trivial to forge and just about impossible to disprove.

    Two, digital signatures ahve no export limits; they are strictly one way hash functions of the document in question. There is no encrypted information as such. There are explicit allowances for digital signatures.

  • Well, that's all fine and dandy, but we all know how slow our legislators move, and how much slower than THAT it takes to get a law changed. My question is.. what if the encryption schema is cracked? What if tomorrow somebody found out how to factor all those numbers? You think I want THEM, on mere account of mathematics, to *legally take on my identity* ??

    Talk about stupidity! And what will the NSA say about this? Can we only use 56 bit keys for our "signature" ?


  • "When you sign a check, and give it to the cashier, how does he/she know it's your signature? If it isn't, but it's sort of close, how do you
    dis-prove it to your bank? $100 check, $200 for handwriting analysis..."

    They take my thumbprint...

  • Neither can a digital signature. The content of the signature depends not only on your private key, but also on the content of the message. A signature that signs a specific document WILL NOT (statistically, anyhow) sign any other document.

    There are some great articles that explain how all this works... Look to for their URL's, as I don't remember them off the top of my head.
  • >anyone who can hack into my computer can get my encrypted private key.

    And anyone who can break into your house/office can get your paper signature. QED
  • Another bill of the same sort is the "Digital Signature Act of 1999," [] HR 1572. (The "Millenium Digital Commerce Act," [] which is the second bill referred to by Slashdot, is HR 1320.)

    Does anyone know the bill number for the Bliley bill? Slashdot's link seems to be broken, and I can't find any digital signature bill by Bliley on Thomas [].

    It should be noted that none of these bills specify a particular digital signature technology. The Digital Signature Act directs the appropriate government agencies to draft guidelines within 6 months (for use in transactions with the government). The Millennium act just says that "the parties to an interstate transaction may establish by contract" the technologies they want to use (one wonders how you are supposed to sign the contract).

  • If they're legal, the government will have to lighten up on strong crypto. This is a win for us.

    It should also boost the smart card market.
  • I'm all for this as long as the bill requires the use of strong signitures - nothing worse than people thinking it is secure when it might not be.

    My only concern is this - How would public keys be managed. This seems to be the achilies heel of PGP/RSA (and other public key systems). For example, lets say I sign a credit transaction with my secret key. They, when Visa comes a knocken' I could just say "That's not my sig. Someone must have created their private key using my name." What could they do about it? probably nothing. Unless...lets say you were required to register your public key with a trusted third party (the gov, bank, etc) and they varified you id first (via SSN/Mother's maden name/Address/etc) before your public key was added to the repo. At this point, others can trust that your sig/public key (which were generated by your private key) really came from you (and not just anyone that may have generated a private key using your name).

    sorry for the horrid spelling - its friday :)

  • Contracts written with lipstick on cocktail napkins have been ruled to be enforceable. In most states a verbal contract is 100% valid. Why make an expection for an electronic signature, when a non-signed e-mail message may legally be considered enforceable?

    Think about it -- Right now you can call someone on the phone and give them your credit card number and verbal authorization, and that's an enforceable contract. Likewise with the Submit button on, or even an eBay auction.

    Wouldn't a digital signature system actually be less "immature" than these relatively crude (and easily fradulent) ways of doing business now?

  • I would strongly reject this kind of signature. First of all, crackers would soon be able to be whoever they want :-( by overpassing some security hole. Secondly it's another step towards the end of privacy. Another way to sneak up in our computers, another way to look how we behave on the Internet, without our permission. Yes, because if we you electronic signatures, everything we buy or do or pay would be easely known in a seconde.
  • I agree with you man, but consider the source. This guy is a pro-business republican in an area where a huge percentage of the population makes their $$$ off of technology. Only Silicon Valley is bigger than No. Virginia for technology jobs/companies/dollars. Politicians are motivated by money and power. It's in this guys best interest to cater to UUNet/AOL/PSI/NSI/CyberCash/Sprint/MCI and the rest of the 1000's of internet companies in his constituency. Besides, it happens to be a good idea for a change. ;)
  • That's why you don't keep the key on a computer that is connected to the network... you could keep it on a floppy for example and only insert the floppy when you need the key.
  • You're protected from stolen signatures in a number of ways.

    1. The signature isn't just your name or some arbitrary key. The signature is effectively the entire encrypted document or more importantly the fact that when the document decrypts using the sister key (public/private depending on the implementation) it proves that you wrote it for that person.

    2. In theory impossible (well technically improbable) to crack an arbitrary private key. (theory==The mathematics are more advanced than anything I could probably hope to understand. But as I hear it factoring 200+digit numbers to primes isn't something computers like to do, or people for that matter.)
  • Of course, sometimes it the people "enforcing" the security who are clueless. My university decided it needed accountability for electronic transactions, so they required everyone to go in for an "upgrade" to their electronic ID, and they made you sign a statement recognizing that your electronic transactions would be treated just like a signed document.

    I saw enough on their screens to see that they had implemented some kind of ssh-based system. Plenty secure, right? A couple of problems though...

    o The way you upgraded was to write your passphrase on a piece of paper and turn it in to the staff so they could enter it for you... and keep the paper. I wonder who has access to the written copy of my passphrase?

    o Your passphrase could be as much as 20 characters long... or as short as 4.

    o But none of that really mattered anyway, because they had just built a new backend using ssh. Any time you wanted to do anything electronically, you still used your old 8-chars-max password low security password, and something on their backend used it to look up and invoke your ssh passphrase.

    I thought about pointing out the problems with this supposedly iron-clad accountability scheme, but I didn't figure the people I was talking to would understand.

    And besides, I might get the opportunity to appear as an expert (read "paid") witness the first time someone gets busted for something they didn't do.

    Honestly, I think the whole thing was a sop for the pointy-haired bosses/lawyers who reasonably want to do something about security, but are clueless about the implications of their schemes.

  • Well and good... but just because some people are smart enough to do it right, are our legislators, judges, and juries going to be smart enough to know that not everyone is? -- to know which cases hold water and which don't?

    I don't give them that much credit.

  • In public key crypto you have two keys, a public and a private. The public key you give out, and the private key you keep hidden. Messages can be encrypted with one key, and then are only decodable with the other key.

    If someone sends you a message they encrypt the whole thing with your public key, and you decrypt it with the private key.

    If you sign a message you usually want it to be world readable so you post the message in plain text, along with an MD5 hash of the message body that you encrypt with your private key. This lets anyone reas the message, and anyone with your public key decrypt the 'signature' and read the hash. They then perform the same hash on the message they read, and compare the values. If it's the same, they can be very sure the message hasn't been tampered with. (It's a 'hard' problem to find a message that has the same MD5 hash as a given message. And a 'very hard' problem to find one that makes sense (ie, not random characters.))

    The private key is all that's needed to sign a message! Some programs like PGP use another layer on encryption to hide your private key from casual tampering, making you enter a password to decode your private key. This is not a part of the public-key signature process, but instead a PGP feature. This means that all someone needs to have is your private key and they can masquerade as you.

    How do they capture it? Trojan horses. There are many ways, some of them include. 1) Rewrite PGP to send a 'plaintext' of the private key to the attacker. 2) PGP can be used in batch mode. Write a front-end that pretends to be PGP, then sends the data to the real PGP to do the work. Then emails your passcode and private key to the attacker. 3) Watch for PGP to be run and scan through its memory space to read the private key. Mail it off the the attacker.

    Of the above methods, #2 is easiest, followed by #1, and then #3. #2 could be hacked together in an hour by anyone who can code in perl.

    With your private key, anyone can post messages and sign them as you. Such messages will be identical to messages you have written and signed yourself.

    It is true that the Signature can't just be stuck on any old message, but with the private key, you can create a signature for any old message.

    PGP could be based on a provably uncrackable code, resistant to quantum computer of unimaginable power, and your signature would still only be as strong as your OS.

    The same goes for smart cards. It's just that we can assume a smartcard designed explicitly for security would be more secure than Win95. Maybe not much more, but some. The problem with smart cards is that it's all security by obscurity. The companies *know* that anyone dedicated enough, who knows the chip details, can crack them. Thus you'll never see the details, and will have to trust a big corp telling you that you're safe. Dunno about you, but I'm not the trusting sort.

    Even if you can trust the smart-card, what's to stop a simple pickpocket from stealing it, cracking the simple code, and signing things before the card is revoked? You doubt the code would be simple? How many consumers can remember more than a six digit code? Fingerprints would be no more secure unless everyone used windex on the sensor after each use.

    The digital signature is a great idea, but remains very easy to forge.

    What can we use? How about recording a 640x480@30fps video w/ 16b 44khz audio of yourself reading the document outloud, then signing physically. It'd be a lot harder to fake. And as long as the document you read matched the other, it shouldn't matter if you fax it, because someone could just download the signature video and see if it looked real... This is just a moderately silly suggestion, but it's also the most secure thing I can think of, at least until virtual actors get to the point someone can fake this.
  • Yuh Huh.

    And those $200/hr consultant are going to have a solution for keeping private keys private? This either requires everyone to use certifiably secure computers to sign messages, or some sort of smart-card implementation which is only as trustworthy as the company that made it, etc.

    Bussiness types get fightened easily, and throw a lot of money around to get solutions, but I'd hardly call them astute when it comes to judging the professionals they hire, the solutions they are given, or following the directions they're given. (Witness y2k and two digit dates... Good idea at the time, but the programmers back then all said "Oh, and replace this before 1999..." Did these "frighteningly astute" million-dollar-men listen? Nope. They had tossed around the big bucks, so their job was done.)

    Digital signatures are fine, assuming everyone involved is trustworthy, intelligent, and not gullible. It'll never happen.
  • One, paper-based obstacles to electronic transactions must be eliminated.
    Two, parties to an electronic transaction should choose the electronic authentication technology.
    Third, parties to a transaction should have the opportunity to prove in court that their authentication approach and transactions are valid.
    Fourth, the international approach to electronic signatures should take a non-discriminatory approach to electronic signature. This will
    allow the free market -- not a government -- to determine the type of authentication technologies used in international commerce.
  • Not to mention just how encrypted would it be? I mean sure your signature can be forged when it comes to pen and ink, but it is really a pain in the rear, plus you have to be present to sign the thing.

    In the case of an electronic signature not only can they be cracked but manipulated pretty easily and it is much harder to prove that you didn't sign something that say... you didn't want to.

    I don't know, I'm all for technology and everything but things like e-money and now e-signatures gives me the creeps. They're too easy to manipulate.
  • My guess is that this bill will not pass. There are several reasons, but the biggy is encryption. As long as an electronic signature requires encryption to be sent, the government will balk. It's too hot of an issue for Congress to openly support. For that matter, even if it does get past Congress, it will probably get a presidential veto.

    Encryption is just one of those things that the government just doesn't want to deal with. Even if the encryption is used for something like digital signatures, it will quickly become an issue of "supporting terrorists" or the like. Most of the people in Congress are too clueless to get the whole picture.

    Further, the signature could be forged perfectly if someone obtained your secret key. While the whole point is to protect your secret key, nothing is perfect. At least most forgeries can be detected with enough time and energy (And a well trained graphologist). A stolen secret key would be almost undetectable.

    The idea of typing your name for a signature isn't going to fly either. There are too many legal problems with this. It can be easily forged for one thing. How do you verifiy the signature? Do you check the IP address in the logs? Does it become part of the signature, too? A dispute of a typed name for a signature would always favor the the signee. Trying to actually prove that someone truly typed their name on a web page would be a total nightmare.

    The idea of using retinal scanning (Or other keys of this sort) is actually not bad. But, the technology for this must be deployed on a grand scale. Perhaps this bill should wait until that has happened.
  • Yeah, like using your pin and bank card at a bank machine is legally binding.
  • Why would the encryption schema be fixed?

    It could be defined to be flexible as to advance as cryptography advances. I don't think it would be wise to state the actual number of bits of the key in a new law.

    In my opinion it would be much better to phrase it along the lines of: "a legal signature is one created with an encryption method that takes at least 256 years to crack using todays (date of signature) largest amount of compute power available to a person or organisation."

    Well, I'm not a lawyer, nor do I speak English natively, but I think you can get the picture.

    Anyways, the weakness of encryption has long passed the era when the encryption algorithms where the weak point in the chain.

    The weak point is you and me. At one stage or an other we have to type a password/phrase or a key or it could be something else, it doesn't matter. I'm sure that this is, even statistically, a much more likely place to hack an encryption system then a (relatively good) encryption method.

    So maybe that's where our worries should be. Maybe there has to be a safer way to identify yourself before you can use your digital signature.

    Finger print recognition? Or a physical signature?
    Ah, no, that's what we are trying to do away with... ;o)

  • (2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another?

    Well, I have to say, maybe I've been watching Discovery Channel a bit too much lately, but this is certainly not true.

    They (as in Big Brother) are very capable of figuring out whether something is an original autograph or not. Carbon copy systems for example often use different 'ink' that can easily be detected. Even if the ink could also be found in pens, then the structure of the copying material leaves marks for example. Obviously you wouldn't be able to see this with bare eyes, and for some of the details they actually use chemicals and special light.

  • Actually, I am very clear on what constitues a signature in both the electronic and real worlds. Now, I think you need to remember that any encoding that man can make, man can break. The real idea in theft prevention is not to make the theft impossible but to make it be so time consuming that it is not worth it. It is still possible to defeat any security measure. The best way is known as the inside job. Do you really want to risk it?
  • by telos ( 34293 ) on Friday May 07, 1999 @11:40PM (#1900204) Homepage

    I hate to tell you this, but werdna is correct about the modern day legalities of signitures.

    First thing in the morning every day at the bank I work for, I check the signitures and account numbers on the dormant account activity checks. This review includes both deposits and withdrawls. It is actually a bit difficult to decern an imposter on one of these tickets. It has been my experience that a good forgery will get by the vast majority of people.

    I would ordinarilly include myself in a generalization like that, but in this case that is not true. A friend of mine introduced me to the mishmash that is hand writting analysis. While the accuracy of hand writting analysis in the field of psychology may be bunk (I have yet to decide), it does teach you to look for certain characteristics in the letters. It is little things like "does the letter "o" have a stroke through it?" that make the difference. You really need at least 10 characteristics in the letters to match before you can be comfortable signing off on the ticket. To the trained eye, these traits are very easy to spot.

    Now, I have to make sure that my bank is doing what it is supposed to in its work with the federal government on a day to day basis. I can tell you right here and now that our Chief Financial Officer would not accept just a signature as the conclusion of a deal. I like our CFO and I like my job, but common sense is the best asset around in any job. It is like you don't breath in Chlorine gas.

    I really don't care for some ecommerce ideas for the simple reason that some things have exorbant shipping costs. This on the other hand, this idea scares me. I like the annonimity of the internet. I can go anywhere under my 4 names and no one can connect that to a face or a business. While people do actually call me telosphilos or telos in the real world out there, they are not the same people that I work with every day. Those people that know me online are not my flesh and blood familly, but they are the best of friends. My boyfriend even calls me by my nickname. Yet, I am very protective of my financial information. I am also very careful to keep any actuall pictures of me off the internet. (There are two out there, but they include facepaint and night Figment hunting (long story).)

    I do not have a lot of money, but I work with large sums each day. As part of the customer services, we try to teach people how to protect themselves from con artists and your basic scams. Some are fairly simple like shielding your pin number from view when you use your atm card or not giving out credit card numbers in chat rooms. Some are vastly more complicated, preventing the real code warriors with a financial hole they want to fill from breaking into banking-on-line systems.

    The big issue that I can see with this idea is that it can be taken too far and lead to very real finanicial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know how, another person gets your signature and basic account information (account number, ammount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.

    You see, at some time we have to account for human error. It is also very easy to have human error occur on account of fraud. Most financial types really do not know computers or computer security. Computer people generally have better things to do then learn how to make up little slips of paper tracking where all of the money in the bank is. So, what do you get? You get some one that maybe has figured out that a mouse is a periferal authorizing a con job on an account in his first week at the bank. There, your account just went from $5,000.00 to zero.

    Just think about it, it can mess up all sorts of financial deals. Would you like it if your paycheck which more likely then not goes through an automated clearing house was missing about $50.00 in income taxes over the course of six months due to an error on your account and the IRS not only caught it, but chose to audit you and your company? This is the sort of thing that can happen.

    It is food for thought. Anyways, it is getting late and I am tired of ranting. Thank you for your time.


  • For all of the reasons stated in my prior posts, I was quite impressed by the laissez-faire nature of the bill. It leaves the decisions as to particular technologies used in the hands of the users, and makes a credible stab at handling electronic signatures effectively for international transactions.

    There are some technical legal issues arising from the present language, but all in all, it appears on first reading to be an excellent job.

    Yes, it does make "love, andy" at the end of an e-mail into a signature, but for the reasons otherwise stated here, I think this will be far better for commerce than a problem at the end of the day.
  • It is most certainly true that feeble efforts such as copying with carbons won't work. Of course, signatures would not be forged in that manner. (I understand that the weapons of choice relate to using light boards and the like).

    Yes, it is difficult to get away with faking Abraham Lincoln's signature, because the physical evidence (paper and ink) can effectively date the paper out of period.

    But we are talking about contemporaries forging contemporaries; and by using straightforward means of forgery. There was a great article on the subject fairly recently -- let me see if I can't dig it up for you.
  • It may not be so clear.

    The Florida statutes, for example, distinguish between an Electronic Signature, which are the characters set forth at the end of this message, intented to authenticate this message, and a Digital Signature, which is usually the hashed and munged result of some form of asymmetric encryption.

    When I said electronic signatures are probably valid under the common law, I was referring to both types. Surprise.

    John Wayne

    NOTE: The signature above is there to authenticate the message, not to facilitate authentication of the signer of the message. The word "authenticate" is used differently in the preceding sentence, one, a legal term of art referring to the process of "legalizing" a document; the latter, a process for assuring confidence in the identity of the signer. While signatures can serve these dual purposes, the law is only concerned withy the former.
  • As I noted in an earlier post, the legal purpose of a signature is not to identify the signer, but to provide a formal process of validating the document.

    Certain documents do not have legal effect until signed. Upon proving that they were signed properly, a lawyer has proved the legal consequence.

    Accordingly, the signature at the end of this message, which authenticates (in the legal sense) the document, but doesn't give you a clue who I am or any assurance that I signed it, is a perfectly useful legal device that doesn't require any government-encouraged secure crypto. I believe this is a good thing (tm).

    Frankly, I don't want the law dictating and regulating the technology I choose to sign my documents. It is up to ME if I want to bear the risk that someone might deny a signature they genuinely signed, but might be difficult to prove later. Eggs in baskets. That's what this is about.

    Jack the Ripper
  • As noted, the function of a signature is primarily unrelated to security or ability to authenticate the author -- it is merely a formal act to give legal effect to an instrument. Accordingly, the preceding remark is non-sequitur.

    Of course, signatures serve plural non-legal purposes, among which are precisely the issues of identification and non-deniability. Those purposes are served, or are not served, adequately in the eyes of the parties involved in the transaction. If they trust one another, the only issue is the authentication of the instrument (the giving of legal effect). If they do not, or the risks are too great, they will take greater measures.

    But this has nothing to do with the question whether of whether two people who trust one another can engage in the legally effective transfer of title in land by means of an e-mail. The law gives legal effect to the shaving of a mark on the hide of a cow, or the mere writing of a number and an X on a sheet of paper. Why not, then to the following words:

    Love, me.
  • by werdna ( 39029 ) on Friday May 07, 1999 @04:12PM (#1900210) Journal
    In recent years, many states have been addressing Digital and Electronic signatures; and there are solid legal arguments that a digital signature would be legally enforceable even in the absence of such legislation.

    Florida's, for example, is among the clearest and most consistent with the common law, defining a "writing" to include "information which is created or stored in any electronic medium and is retrievable in perceptable form," an "electronic signature" to mean "any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with intent to authenticate a writing," and further providing that a writing is electronically signed if an electronic signature is logically associated with the writing.

    With those definitions, it provides simply that "Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature."

    Other states, such as Utah and Washington, have required that to receive the benefit of the statute, the signature must be made by use of asymmetric encryption, with varying definitions and limitations.

    Accordingly, this bill isn't really all that new. However, the defintion of a signature is one of those things that has been traditionally determined by state law -- it may be unclear whether a Federal law purporting to preempt State law in this regard would be unconstitutional.
  • by werdna ( 39029 ) on Friday May 07, 1999 @04:31PM (#1900211) Journal
    Various folks have written, expressing concern that permitting electronic signatures would be too easily forged or spoofed. There are several responses to this:

    (1) At common law, the typing of your initials at the end of an e-mail with intent to authenticate is probably a signature anyway (mileage may vary state to state);

    (2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another? In comparison, digital signatures are checksummed to the documents they sign, and are very difficult to forge without human engineering;

    (3) In practice, disputes over signatures are not really ever resolved by comparing testimony of signature experts (except in extraordinary cases). The two experts cancel each other out trivially, and the jury judges based upon the demeanor of the parties and the overall circumstances of the transaction. In a recent case, where a party denied signing a written agreement to sell some goods, the other side simply asked on the stand whether he routinely sent goods of the type to the other side -- "no"; whether he did after the date of the disputed document -- "yes"; whether he did in accordance with the schedule set forth in the disputed document -- "yes." It was all over, notwithstanding the conflicting expert testimony. (Ironically, the argument was that the signature was "too good," too close to a specimen the other party was known to have and therefor copied. Yeah, right.)

    The real deal is this: signatures are not there (for legal reasons) for the purpose of authentication -- they are a mechanism to formally "close" a deal, to distinguish those deals that aren't done from those that are, and in some cases to seal certain types of agreements that require a signed writing.

    The authentication purposes are an issue of "risk management," not legal effectiveness. The law only raises the question of whether the act, if it took place, was legally effective to seal the deal, and not whether the act took place.

    On the other hand, a businessperson might want to be able to prove a signature was real more readily than usual. This is why when a multi-zillion dollar deal is being closed, a lawyer will not accept from the other side to sign "Minnie Mouse," or "X" (if literate), even though doing so is legally effective for any statute of frauds purposes. Likewise, I would never accept for a meaningful transaction an e-mail stating:

    "Yeah, I accept your offer to sell Blackacre for 100,000 lucre. Sure.

    Love, Mandy."

    Even though it would be enforceable under Florida law for the purpose of the statute of frauds.

    Its all about eggs in baskets. How much comfort do you need, and how much certainty do you want to avoid being spoofed. If you make it a personal policy never to sign electronic signatures, it will be hard for the other side to prove that you actually did when you didn't, no matter how good the forgery. On the other hand, if you do, make sure you do a good job of making it difficult for others to forge or spoof you.

    Agreed that certification authorities are an important part of making use of signatures safe and commercially sensible. Disagreed in the strongest terms that they are necessary for the law to give effect to an instrument.

    In my view, the less the law tells us about how we do business, the better. Leave it to the marketplace to decide what technology and form of signature they want to use. Whether they rely on EDI agreements, e-mail typewritten messages or elaborate cryptographical structure using state-authorized or state-licensed "trusted parties," should be decided by those doing the signing, not those pretending to be high-tech-aware and make some press in Washington.

    The law SHOULD make clear that electronic signatures should be used and useful, just so folks don't feel they need to see a case before using the technology. After that, legislators should get out of the way.
  • The law says an electronic signature will have the same force as a regular one; not that they will be taken on blind faith to be Absolute Proof of identity.

    People can forge regular signatures too. Are electronic signatures less secure than regular ones?

Today is a good day for information-gathering. Read someone else's mail file.