help wanted: Clojure CA by email


Stuart Halloway

Oct 28, 2012, 8:30:24 AM
to cloju...@googlegroups.com
I believe Andy Fingerhut asked a question about this, but can't
remember where, so starting a new thread. It seems that many serious
open source efforts have found ways to be comfortable with electronic
signatures on CAs. I would like to implement the same for Clojure.

If anybody is interested in putting together a proposal, that would be
welcome. Some questions I have are:

(1) What different approaches are in use? E.g. are projects simply
trusting unsigned emails, or is some sort of digital signature in
place?

(2) Has someone done the legal research for us? E.g. in a perfect
world we might find an announcement from a major vendor saying "we
have adopted electronic CAs, here are the implementation details and
why we (and you) should trust this process."

Thanks,
Stu

Clinton Dreisbach

Oct 28, 2012, 8:47:35 AM
to cloju...@googlegroups.com
OpenStack (http://wiki.openstack.org/CLA) uses Adobe EchoSign, which is really nice. Unfortunately, the pricing to have the nice widget that they have is very high ($300/month). I suppose one could contact Adobe and see if they offer a free/discounted version for open-source projects.

-- Clinton


--
You received this message because you are subscribed to the Google Groups "Clojure Dev" group.
To post to this group, send email to cloju...@googlegroups.com.
To unsubscribe from this group, send email to clojure-dev...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/clojure-dev?hl=en.


Robert Pitts

Oct 28, 2012, 11:59:39 AM
to cloju...@googlegroups.com
I've both used personally and have worked at companies that have used https://rightsignature.com/ to handle this sort of thing and been happy with the result.

Chris Granger

Oct 28, 2012, 2:06:39 PM
to cloju...@googlegroups.com
I'll be using https://www.hellosign.com/ for Light Table.

Cheers,
Chris.


Paul Stadig

Oct 28, 2012, 3:15:14 PM
to cloju...@googlegroups.com

Like Stu, I'd be interested in the rationale for why other open source projects are doing what they are doing. It seems to me that the signed document is the important part.

People are not sending CAs by certified mail. Why should they have to cryptographically sign an e-mail? But IANAL.

Softaddicts

Oct 28, 2012, 3:30:01 PM
to cloju...@googlegroups.com
Lawyers insist on having a piece of paper... I searched for related litigation cases and did
not find any yet.

Luc
--
Softaddicts<lprefo...@softaddicts.ca> sent by ibisMail from my ipad!

Colin Jones

Oct 28, 2012, 3:55:50 PM
to cloju...@googlegroups.com
Luc,

That may be the case for specific values of "lawyers", but a glance through the links from the Wikipedia page suggests that's not the case in general.

Softaddicts

Oct 28, 2012, 4:19:15 PM
to cloju...@googlegroups.com
You may not have read carefully the two paragraphs titled

"Controversial assumptions of electronic signature" and "By legal system".

Europeans are more advanced than the US so you have to be careful about
what you read and the source it refers to.

"Lawyers" are the people dealing with litigation and sometimes are even creating
it (like in the US). I would not toss away their opinions lightly.

However, I found this document:

http://www.sans.org/reading_room/whitepapers/compliance/requirements-record-keeping-document-destruction-digital-world_2063

This paragraph is interesting:

"The distinction between correct and circumstantial evidence is that direct evidence categorically establishes the fact. Circumstantial evidence on the other hand is only suggestive of the fact. Authentication logs are generally accepted as direct evidence short of proof that another party used the access account."

This would suggest that getting CAs managed by an established third party service
would be a viable alternative assuming that they keep all the authentication stuff
handy. This would push back forgery arguments a bit out of the scope of a litigation
process.

Luc

Paul deGrandis

Oct 28, 2012, 8:34:44 PM
to cloju...@googlegroups.com
First and foremost - thanks Stu (and everyone else involved) for helping to evolve Clojure.
- - -

It appears that both Scala and Python evolved their CA processes based on trends/works from Apache (http://www.apache.org/licenses/ see the CLA and CCLA sections)

A longer conversation about Python's CA and licensing can be found in various email threads from 2010-2011 as well as the PSF board meeting minutes.  The concerns for Python have been a little different historically - Guido has had corporate lawyers generate the CA protections and has adapted the CA over time based on those interactions. [1]  Their community has most recently struggled around small patches vs bigger changes, accepting fully-digital signatures [2][3], and unifying the CA across Python related projects (Jython, etc).

Regardless, it appears they have always accepted CAs by mail, fax, or photo of the signed document.
It would appear that internationally, these three methods are all well established (http://wiki.civiccommons.org/Contributor_Agreements#How_to_Accept_Code_and_Documentation_Contributions_Legally; I can dig up more references).

Scala has accepted scans of the CA document since version 1.0 [4]
And it would appear that they rely upon legal advice provided at EPFL - so it's my assumption this method is also acceptable outside of the US.
- - - -

I'm of the opinion we don't need a third-party signature service, as there definitely seems to be ways to accept electronically sent CAs while still ensuring the same amount of legal protection.

I hope this helps.  I'm more than happy to dig some more to pull up relevant history.

Regards,
Paul

[1] - http://docs.python.org/2/license.html
[2] - http://www.python.org/psf/records/board/minutes/2011-03-21/#contributor-agreements-in-python-bug-tracker
[3] - http://www.mail-archive.com/python-c...@python.org/msg01529.html (Caution, this is grueling to get through)
[4] - http://www.scala-lang.org/sites/default/files/contributor_agreement.pdf

Softaddicts

Oct 28, 2012, 9:30:14 PM
to cloju...@googlegroups.com
It may be because of my business-oriented approach, but when I see
formulations like this one:

"CLAs can generally be submitted electronically, at least in the U.S. (apparently because they do not transfer ownership of any copyrights). Many open source projects accept CLAs by email or web form."

I am not really convinced :) Terms like "apparently" make me uneasy, plus the
vague geographic restriction.

It's not because someone else does it that it becomes legal or an efficient umbrella against
potential litigation.

As for using a third-party service, could you be a bit more specific about why it's not relevant?
When you submit a CA to Oracle, I would bet that it has all this authentication
tracking done. I would also bet that they store this stuff in a safe place in case it needs
to be presented later.

Of course the legal thing might be a nice to have feature rather than a requirement.
Then the approach you describe may be perfectly appropriate and we can drop
this thread here :)


Luc P.

Paul deGrandis

Oct 28, 2012, 11:17:13 PM
to cloju...@googlegroups.com
Hi Luc,

The quote you're citing is in regards to completely digital CAs (like those I don't think we need to investigate).  The legal works regarding completely digital CAs seem fuzzy to me (regardless that others have adopted them - Apache and Python Software Foundation for example).

What does seem solid is electronic submission of a non-electronic CA.  A quick survey on Google (and a quick search through legal document stores) shows an established history.

I completely agree that we shouldn't do something just because someone else does it (this exact point is made in the threads I linked to).

I think we should follow the examples of similar organizations, after we work through and vet the history and process of their decision.
I don't think we should optimize for a situation (completely electronic CAs) which doesn't seem relevant to our current needs.  This of course is only my opinion and I'm more than happy to dig through any information for a process that is of interest to our community.

Regards,
Paul

Softaddicts

Oct 29, 2012, 4:37:31 AM
to cloju...@googlegroups.com
Ah! OK, now I follow you. In another thread someone was citing Oracle as an
example, and they capture the information using a web form; it's all electronic,
there's no paper involved. The comparison between an open source project
and Oracle was a bit far-fetched. Oracle has the $$$ to defend their rights.

Yep, faxes and other facsimiles of handwritten documents will have a better value.
That's more in line with the technology level handled by legal systems as of today.

However, there has to be some context around these: aside from some countries
in Europe where these things are accepted as equivalents without further
discussion, in others you may have to demonstrate that they are not forgeries
and are as close as possible to the original.

Keeping a record of how it has been transferred is probably a necessary complement. (Emails, fax transfer log...)

I live in a country where you cannot win millions of dollars by suing McDonald's because
you burned yourself while driving with a cup of coffee between your thighs.

Being allowed to sue an RV manufacturer because you ditched it by leaving the wheel
to serve yourself a cup of coffee in the back is also scary :)

I understand the concerns driving the paper CA process.

Luc

cldwalker

Jan 21, 2013, 10:57:33 AM
to cloju...@googlegroups.com
In case anyone hadn't seen this, here's a possible electronic solution, http://www.clahub.com/ . The code is open source, https://github.com/jasonm/clahub, and Jason is definitely open to feedback and pull requests.

Andy Fingerhut

Jan 28, 2013, 3:58:35 AM
to cloju...@googlegroups.com
We could go really low tech, but just enough to make it easier to submit CAs electronically.

Require that people print out the CA, sign it, scan the signed document, and email the scans to some published email address. Someone (e.g. me) could print out the scans on paper, mail them to the address listed on http://clojure.org/contributing, and from then on they go through the existing process.

Potential contributors would still need to have a printer and scanner, but would not need to mail anything physical.

Andy

Sean Corfield

Jan 28, 2013, 4:18:42 AM
to cloju...@googlegroups.com
Some systems allow you to "sign" a PDF with a digital imprint of your
signature so you don't need to print & scan documents. For example
Preview on Mac can capture a written signature using the built-in
camera and then insert that into PDFs.

So allowing this potentially low-tech route would probably make
things much easier for a lot of developers, as long as someone doesn't
mind printing and mailing the hard copies stateside.
--
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- http://corfield.org/
World Singles, LLC. -- http://worldsingles.com/

"Perfection is the enemy of the good."
-- Gustave Flaubert, French realist novelist (1821-1880)

Tim McCormack

Feb 20, 2013, 6:20:29 PM
to cloju...@googlegroups.com
On Monday, January 28, 2013 3:58:35 AM UTC-5, Andy Fingerhut wrote:
> Require that people print out the CA, sign it, scan the signed document, and email the scans to some published email address.  Someone (e.g. me) could print out the scans on paper, mail them to the address listed on http://clojure.org/contributing, and from then on they go through the existing process.

As long as the CA is only a single page, this is pretty easy. I'm a little concerned about the availability of scanners, however (do public libraries have them?), and this is still a multi-day process.

In the end, though, it *would* open up a path for contributors who have unreliable postal service.

I just went through this exact process to submit an NDA and employment contract to a public corporation, so this is apparently a legit way of signing contracts. The most painful part of the process was scanning in all the pages and then combining them into a PDF, although ImageMagick came through for me on the latter step: `convert *.jpg contract.pdf`

 - Tim McCormack

Aaron Cohen

Mar 7, 2013, 6:55:18 PM
to cloju...@googlegroups.com
It seemed like an appropriate time to revive this thread.

Python has just switched over to allowing an electronic CA. http://blog.python.org/2013/03/introducing-electronic-contributor.html

Perhaps this might pave the way to help Clojure use electronic submission.

One sticking point is that the Python foundation has money to pay for the Adobe echosign service. Who would pay for this for Clojure?

--Aaron

Anthony Grimes

Mar 7, 2013, 6:57:12 PM
to cloju...@googlegroups.com
That page states that they were using electronic CA submission before this. This merely made the process easier.