- From: Winchel 'Todd' Vincent, III <Winchel@mindspring.com>
- Date: Fri, 25 Jun 1999 17:42:02 -0400
- To: "Joseph M. Reagle Jr." <reagle@w3.org>
- Cc: "IETF/W3C XML-DSig WG" <w3c-ietf-xmldsig@w3.org>
> At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote: > ><new para> > >And given that an electronic signature is still a signature, it should > enjoy all the rights > >and benefits of other signatures. I disagree in two respects: (1) all signatures should not enjoy all the rights and benefits of other signatures. Although this notion is debatable, emerging law supports it (see below) (2) even if all signatures are equal, XML-Signatures, as a technical specification, is not where the "rights and benefitss" of any signature will be determined -- this is a legal question/determination that will be decided in legislaturures and courts. > At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote: ...albeit it is not cryptographically > strong and verification > >is difficult. "Cryptographically strong" vs. "Not Cryptogrphically Strong" has an analogous distinction in the law which is reflected in three definitions: "electronic signature", "secure electronic signature" and "digital signature." Accordingly, we need to define our terms. An "electronic signature" can be just about any mark/symbol or method (an X, email headers, a click, a bitmap signature, credit card verification, etc.) provided there is a requisite "intent to sign" (i.e., mental state + action/mark). http://e-ct-file.gsu.edu/ERSA/Definition-ElectronicSignature-Insecure_1.asp I often call such symbols or methods "insecure" electronic signatures. The following is an example of an electronic record with an "insecure" electronic signature marked up in XML: <ElectronicDocument> <Assertion> I agree to pay $1.00 in exchange for one peppercorn. </Assertion> <Signature> Todd Vincent </Signature> </ElectronicDocument> This is obviously not what this workgroup is trying to accomplish. A "secure electronic signature" is generally defined as: "an electronic method executed or adopted by a party with the intent to be bound by or to authenticate a record, which is (1) unique to the person using it, (2) is capable of verification, (3) is under the sole control of the person using it, (3) and is linked to data in such a manner that if the data are changed the electronic signature is invalidated." http://e-ct-file.gsu.edu/ERSA/Definition-ElectronicSignature-Secure_1.asp A "digital signature" is a "secure electronic signature" that employs an asymmetric cryptosystem. http://e-ct-file.gsu.edu/ERSA/Definition-DigitalSignature_26.asp Clearly, this group is attempting to define standards for using XML with digital signatures. My understanding is that it is important to accomodate symmetric (secret key) signatures as well. John Boyer mentions biometric signatures that employ encryption. Generally, the disctinction between what is "insecure" and "secure" hinges on a technology that uses a cryptographically strong technique to bind a unique thing (which is in the control of a person) to an electronic document. It seems clear to me that this group is not concerned with Xs, typed signatures, email headers, bitmapped signatures or other such "insecure" technology. It is clear that we are concerned with digital signatures. I'm afraid I do not know enough about the technical intracacies of biometric signatures that use encryption or implementations of symmetric cryptosystems, so I'll leave this to others in the group. If I thought this was the issue that Larry raised, above, I would not comment. (Indeed, it seems to me that this _is_ the issue that John Boyer addressed.) However, Larry's comment, above, seems to contemplate signatures that are not cryptographically strong. I do not believe this group needs to concern itself with signatures that do not fit the definition of "secure" above (which, based on my knowledge, means a signature that uses cryptography). > At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote: > ></new para> > > > > Do you think the wording in sections 2.1, 2.2 and 2.3B sufficiently > captures that notion? > >I'm not sure. Accordingly, I think 2, 2.1, and 2.2 are stated very well. [Joseph Reagle] > > I think this is the notion that has been raised in the past, for instance > see [1], and Boyer's response which I think is a fair assesment of people's > thoughts on it. I agree. However, again, it seems to me that John Boyer and Larry are saying two different things. Todd Vincent
Received on Friday, 25 June 1999 17:39:41 UTC