Rich Freeman on 21 Feb 2014 12:01:07 -0800


Re: [PLUG] Signing contracts digitally?


On Fri, Feb 21, 2014 at 12:35 PM, brent timothy saner
<brent.saner@gmail.com> wrote:
> However, what is the status of this in the US? Are digital signatures
> (e.g. done via PGP/openPGP[GnuPG/GPG]) considered valid and legally
> binding?

I'm not an expert on e-sig law in general, but I do deal with e-sigs
insofar as they are regulated by the US FDA.

In general I'd warn you that what makes sense to a
programmer/cryptographer and what is legal are VERY different things.
A cryptographer is going to be concerned with whether an e-sig can be
easily forged.  The US government is mainly concerned with whether
life is easy for businesses that want to use e-sigs.

I've never seen a system that actually uses anything that most of us
would consider secure for e-sigs.  Typically they're implemented by
asking somebody if it is OK to sign something, authenticating them,
and then setting a field in a table somewhere to indicate that it was
signed.  More often than not there is no security beyond UPDATE data
SET data.signer='fred' WHERE data.id=123;

Sometimes they'll actually put some kind of hash in a table to
"secure" e-sigs, but all secrets necessary to generate the hash are
embedded in the application, so just about anybody who could stick the
hash in the database could probably reverse-engineer and generate the
hash.

Generally those who regulate such matters are more concerned with your
processes and paperwork documenting that the system works than with
whether it actually works.  So, make sure you have some paperwork
showing that you tried to forge a signature for somebody else, that
you entered the wrong password, and that the application gave you an
error.  No, no hacker would actually do it that way, but it is an
exercise in paperwork.

I do know that there are Federal laws regulating e-sigs, so as long as
you comply with those laws you should be fine in the US.  Just don't
expect the laws to make sense, any more than the concept that somebody
who is arrested can show the police a bill with your name on it and be
let go with you getting the arrest record, or just about anything
having to do with how our credit card and banking systems work.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
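
The scheme described in the message above (a signer column plus a hash whose secret is embedded in the application), as an added example that is not part of the original post. It shows what such a stored hash does and does not prove. The table `data` and its `signer` and `id` columns come from the post's SQL; the `body` and `tag` columns, `APP_SECRET`, the function names, and the choice of HMAC-SHA256 as the "hash" are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for a secret compiled into the application (assumption).
APP_SECRET = b"constructed-embedded-secret"

def row_tag(doc_id: int, body: str, signer: str) -> str:
    """Keyed hash the application stores next to the signer field."""
    msg = f"{doc_id}|{body}|{signer}".encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()

def app_sign(db, doc_id: int, signer: str) -> None:
    """What the application does after it has authenticated the signer."""
    (body,) = db.execute("SELECT body FROM data WHERE id=?", (doc_id,)).fetchone()
    db.execute("UPDATE data SET signer=?, tag=? WHERE id=?",
               (signer, row_tag(doc_id, body, signer), doc_id))

def verify(db, doc_id: int) -> bool:
    """Recompute the tag from the row and compare in constant time."""
    body, signer, tag = db.execute(
        "SELECT body, signer, tag FROM data WHERE id=?", (doc_id,)).fetchone()
    if signer is None or tag is None:
        return False
    return hmac.compare_digest(tag, row_tag(doc_id, body, signer))

def demo() -> dict:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE data "
               "(id INTEGER PRIMARY KEY, body TEXT, signer TEXT, tag TEXT)")
    db.execute("INSERT INTO data (id, body) VALUES (123, 'constructed contract text')")
    results = {}
    app_sign(db, 123, "fred")
    results["signed_by_app"] = verify(db, 123)
    # Direct edit of the signer column only: the stored tag no longer matches.
    db.execute("UPDATE data SET signer='alice' WHERE id=123")
    results["signer_edited_only"] = verify(db, 123)
    # Same edit by a party that also holds APP_SECRET: verification passes,
    # so the tag cannot show that 'alice' ever approved anything.
    db.execute("UPDATE data SET tag=? WHERE id=123",
               (row_tag(123, "constructed contract text", "alice"),))
    results["edited_with_app_secret"] = verify(db, 123)
    return results

if __name__ == "__main__":
    print(demo())
```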