- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 03 Nov 2011 01:37:45 -0400
- To: Web Payments <public-webpayments@w3.org>
Cutting out all the points on which we agree. :)
On 11/02/2011 01:24 PM, Pelle Braendgaard wrote:
> * Legally Enforceable via Legislation
>
> Sorry, digital signatures don't really help here and might harm. Most
> countries have legislation similar to the E-Sign act, that protect
> what is called electronic signatures. These are a lot more low tech
> than say digital signatures and include just hitting the accept
> button on a web form. Server logs and emails are what currently count
> as proof here.
Yes, but we're not talking about getting rid of server logs and e-mails.
We are talking about providing digital signatures /in addition to/
server logs and e-mails. In some cases, server logs and e-mail is not
enough. Server logs contain IP addresses, which may be firewalled or
NAT'd. IP addresses also change frequently if one is on a residential
connection. E-mails can be forged quite easily. Denying the authenticity
of both is quite easy in a court of law (and is why many of the lawsuits
in the Napster-era days failed to achieve a legal victory for the
prosecutors).
While an electronic signature /may/ be construed as a
click-through-agreement on a website - that's not what we're talking
about here. We're talking about digital signatures, which are provably
more authoritative than a log message saying that somebody clicked on a
button. It is far more difficult to forge a digital signature than it is
a server log or e-mail. It is also far more difficult to deny that a
digital signature belongs to you since the only person that can
reasonably create the signature is the person in control of the private key.
server logs + e-mail == okay
server logs + e-mail + digital signatures == stronger evidence
The definitions from the ESIGN Act of 2000:
"""
(4) Electronic record.--The term ``electronic record'' means
a contract or other record created, generated, sent,
communicated, received, or stored by electronic means.
(5) Electronic signature.--The term ``electronic signature''
means an electronic sound, symbol, or process, attached to or
logically associated with a contract or other record and
executed or adopted by a person with the intent to sign the
record.
"""
This paragraph from the ESIGN Act of 2000 is also pertinent:
"""
(h) Electronic Agents.--A contract or other record relating to a
transaction in or affecting interstate or foreign commerce may not be
denied legal effect, validity, or enforceability solely because its
formation, creation, or delivery involved the action of one or more
electronic agents so long as the action of any such electronic agent is
legally attributable to the person to be bound.
"""
The important part is the "intent to sign" - but few things are more
clear about an "intent to sign" than a digital signature. So, while the
law is broad... it certainly doesn't hurt to be more specific, and in
this case, it is greatly beneficial to the strength of the contract to
use a digital signature.
> In the EU and many other countries there is specific support for
> Digital Signatures, but most of them build up a complex requirement
> for a licensed public key infrastructure, that just hasn't been built
> up even now more than 10 years after the approval of the laws. There
> is an argument that for places like the EU a traditional Electronic
> Signature is safer that making up your own PKI.
Could you point to the legislation that asserts this?
> At the very least traditional proof should be stored as well until
> the judiciary branch becomes sophisticated enough to deal with
> digital signatures.
The judiciary branch in the US and around the world is already
well-versed in digital signatures and have been using digital
certificates and signatures in the court system for years. Here is just
one example from 2008 where the Nebraska courts adopt digital signatures
and certificates for internal use:
http://court.nol.org/rules/pdf/Ch1Art3.pdf
"traditional proof" was never in question. This is /in addition to/, not
/in place of/. However, I hope that I have clearly explained how all
that is necessary is a digital signature. You could throw out the logs
and the e-mails and still have a solid case with just a digital
signature... and the courts would understand the usage of the technology
because it is an integral part to how many of the electronic court IT
systems operate today.
> * Secrecy
>
> This we don't get for free with Digital Signatures, it introduces
> even more complexity into it.
I didn't make myself clear. Let me try again:
We need secrecy - that comes first. Since we need secrecy, and thus all
of the math that comes along with that... the exact same math can be
applied to digital signatures. PKI is used for both secrecy and digital
signatures. We need PKI for secrecy first... and because we need PKI for
secrecy, we get digital signatures for "free".
That is, the second you import the OpenSSL library, you get both
encryption and digital signatures in the same package.
> It also means that a receipt can't be verified if the user looses
> his key.
Receipts are not stored in encrypted form... receipts are encrypted when
traveling across insecure communication channels. That is the message is
encrypted, but only while it is in-flight across the network. Receipts
can always be verified because PaySwarm Authorities are required to keep
public keys indefinitely. PaySwarm Authorities are also coaxed to
crawl/backup each others public keys on a regular basis. So, even if
somebody loses their private key, one can still verify the authenticity
of the receipt.
I'll follow up to the rest of your "Digital Signatures Usability"
response in a separate thread.
-- manu
--
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Standardizing Payment Links - Why Online Tipping has Failed
http://manu.sporny.org/2011/payment-links/
Received on Thursday, 3 November 2011 05:38:41 UTC