I recently had a discussion on a mailing list regarding digital signatures on emails or files. The discussion was with a lawyer.
As usually happens when techies and lawyers discuss something, they approach the issue from very different directions.
From a techie point of view, a signed email is a signed email, and there are levels of security afforded depending on the key size and algorithm, and so on.
From a legal point of view, signing a document has specific meaning, and somehow you have to confirm that the signer had intent to sign the document, and understood that what they were doing was signing it in the same way as signing a paper document. Signatures using a rubber stamp on paper are, in many cases, valid, but if a document was just routinely signed by a clerk or even automatically signed, then that does not have the same meaning.
So, I was thinking about PGP / GPG signatures. A bit of quick googling did not suggest that what I would like exists, so I am thinking an RFC would be a good idea. Of course, what would be better is if someone can say "yes, it already does that, see RFC xxx"...
Basically, when signing with PGP or GPG you are typically asked to enter a passphrase. This is a clear user interaction and equivalent (in my mind) to signing with a pen. You know you are attaching a personal signature to the document.
So what I would like to see is a tag on the signature to flag the level of user interaction that was deployed to access the secret key and create the signature.
E.g. bit fields for :-
1. Some user interaction (pass phrase) was required to access the secret key
2. User interaction required OTP / two factor authentication
3. Secret key is on a physically secure device that cannot be duplicated
4. A recent cache of the key was used (i.e. no user interaction this time)
5. Biometric validation was used to access the key
6. User chose to positively confirm that they wished to legally sign this (checkbox)
7. A duress procedure was used and duress not indicated
This would allow automated signatures to be distinguished from clearly deliberate signatures, and even give additional credibility to the signature.
The signing code would generally know the answers to these questions and be able to indicate these automatically.
I assume it is possible for new fields to be added to the format for signatures and that these can be the "comprehension not required" type.
Does this sound like a good RFC?
Subscribe to:
Post Comments (Atom)
Fencing
Bit of fun... We usually put up some Christmas lights on the house - some fairy lights on the metal fencing at the front, but a pain as mean...
-
Broadband services are a wonderful innovation of our time, using multiple frequency bands (hence the name) to carry signals over wires (us...
-
For many years I used a small stand-alone air-conditioning unit in my study (the box room in the house) and I even had a hole in the wall fo...
-
It seems there is something of a standard test string for anti virus ( wikipedia has more on this). The idea is that systems that look fo...
While it sounds like a good idea, for legal purposes I imagine it would still be looked upon the same way as most EULAs are - that is, the user doesn't read them, so they're only semi-not-entirely-legal binding agreements.
ReplyDeleteWell, it is not about making it legally binding, it is about recording that this did require an active user interaction, and what level of such interaction. That then goes a long way to confirming the signer knew they were in fact signing it.
DeleteSigning something indicating duress will immediately give away the fact you're flagging duress, because everyone will need to validate your signature.
ReplyDeleteIs that a good idea to give the state of the duress flag away?
Good question - and I have no idea what is best in such cases. Interesting point.
DeleteCan we can’t transfer signature to email or any other document. Digital Signature Templates
ReplyDelete