Is there any country in the world where electronic signature can be legal proof of the agreement?
Markus Kuhn
Dmitriy wrote:
[legaly valid digital signatures]
> And if it is legal somewhere, I would like to know also what are the
> requirements the software should meet to make legal signatures.
Yes, Germany has a new digital signature law. The technical
requirements are currently being worked on by the German
Information Security Agency. All relevant information is
openly available on
http://www.bsi.bund.de/aktuell/digsig/index.htm
but so far only in German.
Markus
--
Markus G. Kuhn, Security Group, Computer Lab, Cambridge University, UK
Internet mail: mkuhn at acm.org, Web: <http://www.cl.cam.ac.uk/~mgk25>
Oronzo Berlen (Ronnie)
This is a multi-part message in MIME format.
--------------13F1C23E515077107126EB24
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Dmitriy wrote:
> And if it is legal somewhere, I would like to know also what are the
> requirements the software should meet to make legal signatures.
>
In Italy electronic documents figned with electronic signatures are
going to become legally valid at the same level of paper signed ones.
The law already published and valid refers to a technical paper which
will be issued by AIPA (Italian IT Authority) which should be issued by
april '98. Anyway the laws already states that E-signatures,
Certification Authorities, secure E-mail will be the base for such a big
change. Technically I don't think very particular requirements will be
required beyond actual technical state of art (1024 bit RSA or DH for
asimmetric keys), theese requirement will be updated every 2 years.
--------------13F1C23E515077107126EB24
Content-Type: text/x-vcard; charset=us-ascii; name="vcard.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Oronzo (Ronnie) Berlen
Content-Disposition: attachment; filename="vcard.vcf"
begin: vcard
fn: Oronzo (Ronnie) Berlen
n: Berlen;Oronzo (Ronnie)
org: Olivetti Ricerca SCpA
adr: SS 271, KM 8 ;;Contrada La Marchesa;Bitritto;;50020;Italy
email;internet: ber...@olivettiricerca.it
title: Electronic Commerce Laboratory
tel;work: +39-80-6352112
tel;fax: +39-80-6352089
x-mozilla-cpt: ;0
x-mozilla-html: FALSE
version: 2.1
end: vcard
--------------13F1C23E515077107126EB24--
Moritz Farbstein
US Representative Anna Eshoo (D-CA) introduced a bill this week called
The Electronic Commerce Enhancement Act to instruct Federal agencies to
make versions of all government forms available online and to allow
people to sign forms with digital signitures.
Write your Congressperson about this if you have an opinion.
Ray Whitmer
Dmitriy wrote:
> And if it is legal somewhere, I would like to know also what are the
> requirements the software should meet to make legal signatures.
Highly-touted legislation was passed in the state of Utah. A number of
other states have followed. It will be a while before it becomes a
general reality, although Utah and others have been developing a program
whereby legal documents may be filed with the court electronically.
IANAL, and have some possibly-grossly-uninformed opinions on the matter,
but:
One of the biggest uses of digital signatures today is for
infrastructure/network security rather than a real legal signature.
This is because the companies who have the great licenses to RSA
technology are infrastructure companies rather than content companies.
You have standards like S/MIME and SHTTP (or was it HTTPS, I can never
remember which one is content based) which apply a signature to content
rather than merely using it to secure the communications channel.
But, IMHO, these standards all lack critical characteristics of
hand-written signatures. A hand-written signature is applied to a
particular site within the document with specific legal ramifications.
In addition to multiple parts, on a complex document, you may have
dozens of signatures on the same document in completely different roles
including buyer, seller, witness, notary, broker, etc. While each
signature needs to checksum the entire document (and potentially certain
other signatures), so that the siggnature site or paragraph cannot be
cut and pasted out of context, they also need to have been verifiably
applied to the exact site/relationship so that the witness does not
become liable for payment, and the buyer and seller responsibilities are
clearly applied to the appropriate entities. And new signatures must
not modify the validity of existing signatures, so it must all be done
by external wrapper, etc.
The law in Utah as I understand it spends most of its time dwelling on
the requirements for CAs and the likes, and ignores the technical
details I describe here, which I think are critical before anyone will
take digital signatures seriously. Yet I was not satisfied that even
their CA requirements were really adequate, although they spent a lot of
time working on it.
You also need good legal precedent before such signatures can be
generally taken seriously, although in limited areas such as the Utah
court submission process, it can be successfully employed by agreement
and specific established practices.
But there are other issues to worry about. Do you trust the contract
computer in the car dealership to apply your digital signature
correctly, or will it abuse the signature apparatus at signature time
and apply the signature to some modified or completely-unrelated
contract? How does the dealer prove that it was not abused? A smart
card is not enough, then. The whole computer holding the document and
requesting the signature must be trusted, etc.
I have yet to find anyone else discussing these matters in the depth I
think is necessary to make digital signatures credible, so take
everything I say with a grain of salt, too. I think it is a very
solvable problem, but the problems and standards must be clearly set
forth before solutions will be forthcoming. The RSA or DSA technology
of digital signature checking is as far from a credible workable
implementation as the technology of rendering a character is from
functional word processing.
Ray Whitmer