brent timothy saner on 21 Feb 2014 13:18:58 -0800


Re: [PLUG] Signing contracts digitally?


On 02/21/2014 03:01 PM, Rich Freeman wrote:
> On Fri, Feb 21, 2014 at 12:35 PM, brent timothy saner 
> <> wrote:
>> However, what is the status of this in the US? Are digital
>> signatures (e.g. done via PGP/openPGP[GnuPG/GPG]) considered
>> valid and legally binding?
> I'm not an expert on e-sig law in general, but I do deal with
> e-sigs insofar as they are regulated by the US FDA.
>
> In general I'd warn you that what makes sense to a
> programmer/cryptographer and what is legal are VERY different
> things. A cryptographer is going to be concerned with whether an
> e-sig can be easily forged. The US government is mainly concerned
> with whether life is easy for businesses that want to use e-sigs.
>
> I've never seen a system that actually uses anything that most of
> us would consider secure for e-sigs. Typically they're implemented
> by asking somebody if it is OK to sign something, authenticating
> them, and then setting a field in a table somewhere to indicate
> that it was signed. More often than not there is no security
> beyond UPDATE data SET data.signer='fred' WHERE;
>
> Sometimes they'll actually put some kind of hash in a table to
> "secure" e-sigs, but all secrets necessary to generate the hash
> are embedded in the application, so just about anybody who could
> stick the hash in the database could probably reverse-engineer and
> generate the hash.
>
> Generally those who regulate such matters are more concerned with
> your processes and paperwork documenting that the system works than
> with whether it actually works. So, make sure you have some
> paperwork showing that you tried to forge a signature for somebody
> else, that you entered the wrong password, and that the application
> gave you an error. No, no hacker would actually do it that way,
> but it is an exercise in paperwork.
>
> I do know that there are Federal laws regulating e-sigs, so as long
> as you comply with those laws you should be fine in the US. Just
> don't expect the laws to make sense, any more than the concept that
> somebody who is arrested can show the police a bill with your name
> on it and be let go with you getting the arrest record, or just
> about anything having to do with how our credit card and banking
> systems work.
>
> Rich

also relevant, for those interested, there's a prototyped
implementation spec for this:

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
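The design point Rich makes above (an e-signature that is just a "signer" column, or a hash whose only secret lives inside the application, cannot distinguish a genuine row from a rewritten one) can be shown in a few lines. The following Go program is an added illustration, not code from the thread or from any product discussed in it; the record layout, the embedded application secret, and the seeds used to derive the Ed25519 keys are all constructed for the example. It contrasts a shared-secret HMAC tag, where the verifier necessarily holds the same secret a forger would need, with an Ed25519 signature, where the application stores only public keys and a row whose signer field has been rewritten no longer verifies:

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed e-signature row of the kind described in the thread:
// a hash of the signed document plus a "signer" column.
type Record struct {
	DocHash string
	Signer  string
}

// canonical returns the bytes that a tag or signature covers.
func (r Record) canonical() []byte { return []byte(r.DocHash + "|" + r.Signer) }

// appSecret stands in for the secret embedded in the application. Assumption:
// anyone who can write rows to the table can also read it out of the binary.
var appSecret = []byte("constructed-application-secret")

// HMACTag is the "hash in a table" scheme: one shared secret, used both to
// create and to verify the tag.
func HMACTag(r Record) string {
	m := hmac.New(sha256.New, appSecret)
	m.Write(r.canonical())
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyHMACTag recomputes the tag with the same embedded secret.
func VerifyHMACTag(r Record, tag string) bool {
	return hmac.Equal([]byte(HMACTag(r)), []byte(tag))
}

// keyFromSeed derives a deterministic Ed25519 key pair from a constructed seed
// so the example runs offline; real deployments generate keys randomly.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	h := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(h[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Keyring is what the application stores: public keys only, indexed by signer.
type Keyring map[string]ed25519.PublicKey

// SignRecord is done by the signer with a private key the application never holds.
func SignRecord(r Record, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, r.canonical())
}

// VerifyRecord checks the signature against the public key registered for the
// signer named in the row, so rewriting the Signer column changes which key
// must have produced the signature.
func (k Keyring) VerifyRecord(r Record, sig []byte) bool {
	pub, ok := k[r.Signer]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, r.canonical(), sig)
}

// Demo returns (hmacGenuine, hmacForgedAccepted, edGenuine, edForgedAccepted).
func Demo() (bool, bool, bool, bool) {
	doc := sha256.Sum256([]byte("contract text (constructed)"))
	genuine := Record{DocHash: hex.EncodeToString(doc[:]), Signer: "alice"}
	forged := genuine
	forged.Signer = "fred" // the UPDATE ... SET signer='fred' from the thread

	// Shared-secret scheme: whoever rewrites the row recomputes the tag with
	// the same secret the verifier uses, so the rewritten row verifies too.
	hmacGenuine := VerifyHMACTag(genuine, HMACTag(genuine))
	hmacForged := VerifyHMACTag(forged, HMACTag(forged))

	// Public-key scheme: alice signs; the application keeps only public keys.
	alicePub, alicePriv := keyFromSeed("alice-seed")
	fredPub, _ := keyFromSeed("fred-seed")
	ring := Keyring{"alice": alicePub, "fred": fredPub}
	sig := SignRecord(genuine, alicePriv)
	edGenuine := ring.VerifyRecord(genuine, sig)
	edForged := ring.VerifyRecord(forged, sig) // fred's key did not produce sig
	return hmacGenuine, hmacForged, edGenuine, edForged
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("HMAC scheme:    genuine=%v forged=%v\n", a, b)
	fmt.Printf("Ed25519 scheme: genuine=%v forged=%v\n", c, d)
}
```

The HMAC path reports both rows as valid, which is exactly the property that makes the audit "paperwork" rather than evidence: the verifier cannot tell who computed the tag. The Ed25519 path rejects the rewritten row because the verifier only holds public keys, and producing a fresh signature for the changed row would require the named signer's private key. This is the property an OpenPGP signature as in the original question gives a contract, independent of whatever a statute says about its legal standing.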