Rich Freeman on 21 Feb 2014 12:01:07 -0800
Re: [PLUG] Signing contracts digitally?
On Fri, Feb 21, 2014 at 12:35 PM, brent timothy saner <brent.saner@gmail.com> wrote:
> However, what is the status of this in the US? Are digital signatures
> (e.g. done via PGP/openPGP[GnuPG/GPG]) considered valid and legally
> binding?

I'm not an expert on e-sig law in general, but I do deal with e-sigs insofar as they are regulated by the US FDA.

In general I'd warn you that what makes sense to a programmer/cryptographer and what is legal are VERY different things. A cryptographer is going to be concerned with whether an e-sig can be easily forged. The US government is mainly concerned with whether life is easy for businesses that want to use e-sigs.

I've never seen a system that actually uses anything that most of us would consider secure for e-sigs. Typically they're implemented by asking somebody if it is OK to sign something, authenticating them, and then setting a field in a table somewhere to indicate that it was signed. More often than not there is no security beyond UPDATE data SET data.signer='fred' WHERE data.id=123; Sometimes they'll actually put some kind of hash in a table to "secure" e-sigs, but all secrets necessary to generate the hash are embedded in the application, so just about anybody who could stick the hash in the database could probably reverse-engineer and generate the hash.

Generally those who regulate such matters are more concerned with your processes and paperwork documenting that the system works than with whether it actually works. So, make sure you have some paperwork showing that you tried to forge a signature for somebody else, that you entered the wrong password, and that the application gave you an error. No, no hacker would actually do it that way, but it is an exercise in paperwork.

I do know that there are Federal laws regulating e-sigs, so as long as you comply with those laws you should be fine in the US.

Just don't expect the laws to make sense, any more than the concept that somebody who is arrested can show the police a bill with your name on it and be let go with you getting the arrest record, or just about anything having to do with how our credit card and banking systems work.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
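The contrast Rich draws above, between an e-sig that is a hash keyed with a secret baked into the application and a PGP-style signature made with a key only the signer holds, as an added example (not code from the post or from any product it describes). It is written in Go with only the standard library; the Record type, the canonical serialisation, the embedded appSecret value and the signer names are constructed for the illustration. Demo models a party that can write to the table and has a copy of the application secret but does not have Fred's private key, and reports which of the two schemes accepts a row attributed to Fred that Fred never signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record stands in for one row of the "data" table from the post (constructed).
type Record struct {
	ID      int
	Signer  string
	Content string
}

// canonical serialises the fields a signature has to cover, so that changing
// either the signer name or the content invalidates it.
func canonical(r Record) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s", r.ID, r.Signer, r.Content))
}

// appSecret is the kind of secret the post describes: one key shared by every
// user and embedded in the application itself. Constructed value.
var appSecret = []byte("embedded-application-secret")

// WeakTag is the "hash in a table" pattern: an HMAC over the row under the
// application-wide secret. Anyone holding that secret can produce a tag for
// any signer name, so it proves nothing about who approved the row.
func WeakTag(r Record) string {
	m := hmac.New(sha256.New, appSecret)
	m.Write(canonical(r))
	return hex.EncodeToString(m.Sum(nil))
}

func WeakVerify(r Record, tag string) bool {
	return hmac.Equal([]byte(WeakTag(r)), []byte(tag))
}

// Signer holds a per-person Ed25519 key pair (the PGP-style model). Only the
// public half needs to be stored alongside the records for verification.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

func (s *Signer) Sign(r Record) []byte {
	return ed25519.Sign(s.priv, canonical(r))
}

// VerifyRecord checks a row against the public key registered for its signer.
func VerifyRecord(pub ed25519.PublicKey, r Record, sig []byte) bool {
	return ed25519.Verify(pub, canonical(r), sig)
}

// Demo returns whether each scheme accepts a row attributed to Fred that was
// produced by someone who has the embedded secret but not Fred's private key.
func Demo() (weakAccepts, strongAccepts bool, err error) {
	fred, err := NewSigner("fred")
	if err != nil {
		return false, false, err
	}
	other, err := NewSigner("other")
	if err != nil {
		return false, false, err
	}
	row := Record{ID: 123, Signer: "fred", Content: "approve batch 42"}

	// Embedded-secret scheme: the tag is recomputable from the secret alone,
	// so the row passes verification with Fred's name on it.
	weakAccepts = WeakVerify(row, WeakTag(row))

	// Per-signer scheme: a signature made under any key other than Fred's
	// fails verification against Fred's public key.
	strongAccepts = VerifyRecord(fred.Pub, row, other.Sign(row))
	return weakAccepts, strongAccepts, nil
}

func main() {
	w, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("row attributed to fred accepted: embedded-secret hash=%v, per-signer Ed25519=%v\n", w, s)
}
```

The point is non-repudiation: with the HMAC design the database and the application together hold everything needed to produce a valid tag, so a tag cannot tie a row to a person. With a per-signer key pair the verifier stores only public keys, and a valid signature implies possession of that signer's private key; the remaining work is the key management (who issues, stores and revokes the private keys), which is where the regulatory paperwork Rich mentions would actually earn its keep.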