brent timothy saner on 21 Feb 2014 13:18:58 -0800



Re: [PLUG] Signing contracts digitally?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/21/2014 03:01 PM, Rich Freeman wrote:
> On Fri, Feb 21, 2014 at 12:35 PM, brent timothy saner 
> <brent.saner@gmail.com> wrote:
>> However, what is the status of this in the US? Are digital
>> signatures (e.g. done via PGP/openPGP[GnuPG/GPG]) considered
>> valid and legally binding?
> 
> I'm not an expert on e-sig law in general, but I do deal with
> e-sigs insofar as they are regulated by the US FDA.
> 
> In general I'd warn you that what makes sense to a 
> programmer/cryptographer and what is legal are VERY different
> things. A cryptographer is going to be concerned with whether an
> e-sig can be easily forged.  The US government is mainly concerned
> with whether life is easy for businesses that want to use e-sigs.
> 
> I've never seen a system that actually uses anything that most of
> us would consider secure for e-sigs.  Typically they're implemented
> by asking somebody if it is OK to sign something, authenticating
> them, and then setting a field in a table somewhere to indicate
> that it was signed.  More often than not there is no security
> beyond UPDATE data SET data.signer='fred' WHERE data.id=123;
> 
> Sometimes they'll actually put some kind of hash in a table to 
> "secure" e-sigs, but all secrets necessary to generate the hash
> are embedded in the application, so just about anybody who could
> stick the hash in the database could probably reverse-engineer and
> generate the hash.
> 
> Generally those who regulate such matters are more concerned with
> your processes and paperwork documenting that the system works than
> with whether it actually works.  So, make sure you have some
> paperwork showing that you tried to forge a signature for somebody
> else, that you entered the wrong password, and that the application
> gave you an error.  No, no hacker would actually do it that way,
> but it is an exercise in paperwork.
> 
> I do know that there are Federal laws regulating e-sigs, so as long
> as you comply with those laws you should be fine in the US.  Just
> don't expect the laws to make sense, any more than the concept that
> somebody who is arrested can show the police a bill with your name
> on it and be let go with you getting the arrest record, or just
> about anything having to do with how our credit card and banking
> systems work.
> 
> Rich 
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


Also relevant, for those interested: there's a prototyped
implementation spec for this:

http://www.olemartin.com/projects/ContractSigningUsingPgp.pdf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTB8K7AAoJEIwATC+TSB9rpBwP/28eKh8RHAI7pdqCrBdV4Iyx
SMFK61/uzG7iigjbPXYutKxioXj+yFzsknM6aAeTjLx2p4+apxxxVbi1IaeSp+wO
vTVo8dMsJbtbhCZmAdkUgY39uJefKADbkgVOO6dovAz75K4Jgn0Z7dQbFm7PD7b+
GGMZ3jZGvk/RcAhSM01v/G+buMxv14ev754lwX/P430roWh1sSICBqs7dOW7wJic
erkmm6g37ifk4DYkYqRdHu+DONQieFwkM58HRUXKR4JiVlhoi9xndGk7e0OJhPdL
dRZmjfDplYWcM66G9ssL13X39DpwzgLFmf7Qg0D4loBrgBVyb5mDfikl2zUS2XKG
vZwutrYw2Zb+6ic0SO82tXaWJB5jRTuGJ9R+hun1SUeT3x7/nehv0QNKRhYDnjmt
JPIK5CKUvWH1+Wp4MdupBkIVWSNou1RI5TE934GrKzR6p7Sl2c5FZmJo2TkQ0X3D
viE5s3DNL+6xCjJ6SUA/QvW1FBxWfdoEoDkU98kjDqcRXCU7iSy7WgAjQy8dtt4z
ts1suUB/3Lh4HscidDqjRNoF49lT3spCf/sA5thfnB5JshQzyiF1+K+rdPvpcCvw
j8VqQHpbbtuOAsKQu/42NzvZyDWNjfoL4UGzSZeTWnNNvEh8GUvIQ7Fe+GShCzKd
PUiA7jUWKUUREbe/znVo
=UF+2
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
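As an added illustration of the three kinds of "e-signature" Rich contrasts above (a column set by an UPDATE, a hash keyed by a secret baked into the application, and a real signature made with a key only the signer holds, as a PGP signature is), here is a small Go program. It is not part of the original thread or of the PLUG list; it uses Ed25519 from Go's standard library as a stand-in for the signer's PGP key, and the contract record, the hard-coded application key, the signer name "fred" and the table layout are all constructed for the example. The point it demonstrates is the one in the thread: an attacker who has the application code and write access to the table can produce a "signed" record under the first two schemes, and cannot under the third, because the only secret needed is never in the application or the database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed stand-in for the row an e-sig application keeps
// per contract. Sig holds either an HMAC tag or a signature, hex-encoded.
type Record struct {
	ID     int
	Text   string
	Signer string
	Sig    string
}

// canonical is the byte string every tier binds to; keeping it in one place
// means the only thing that differs between tiers is what protects it.
func canonical(r Record) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s", r.ID, r.Signer, r.Text))
}

// Tier 1: "signed" is just a column. Anyone with UPDATE on the table can set it.
func tier1Sign(r *Record, signer string) { r.Signer = signer }
func tier1Verify(r Record) bool          { return r.Signer != "" }

// Tier 2: HMAC-SHA256 keyed by a secret compiled into the application.
// Constructed key: whoever has the binary (or a copy of the code) has it too.
var appKey = []byte("hardcoded-app-key-shipped-in-the-binary")

func tier2Tag(r Record) []byte {
	m := hmac.New(sha256.New, appKey)
	m.Write(canonical(r))
	return m.Sum(nil)
}
func tier2Sign(r *Record, signer string) {
	r.Signer = signer
	r.Sig = hex.EncodeToString(tier2Tag(*r))
}
func tier2Verify(r Record) bool {
	tag, err := hex.DecodeString(r.Sig)
	return err == nil && hmac.Equal(tag, tier2Tag(r))
}

// Tier 3: a private key held only by the signer (Ed25519 here as a stand-in
// for a PGP key). The application and database hold only the public key.
func tier3Sign(r *Record, signer string, priv ed25519.PrivateKey) {
	r.Signer = signer
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, canonical(*r)))
}
func tier3Verify(r Record, pub ed25519.PublicKey) bool {
	sig, err := hex.DecodeString(r.Sig)
	return err == nil && ed25519.Verify(pub, canonical(r), sig)
}

// ForgeryResults records, per tier, whether an attacker holding the
// application code and write access to the table can produce a record that
// verifies as signed by "fred" without fred's key.
type ForgeryResults struct{ Tier1, Tier2, Tier3 bool }

// RunForgeryDemo plays that attacker against all three tiers.
func RunForgeryDemo() (ForgeryResults, error) {
	contract := Record{ID: 123, Text: "Consulting agreement: 40 hours at $150/hr"} // constructed

	r1 := contract
	tier1Sign(&r1, "fred") // attacker writes the column directly

	r2 := contract
	tier2Sign(&r2, "fred") // attacker runs the same code with the same embedded key

	fredPub, _, err := ed25519.GenerateKey(rand.Reader) // fred's key pair; attacker sees only fredPub
	if err != nil {
		return ForgeryResults{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // the only private key the attacker has
	if err != nil {
		return ForgeryResults{}, err
	}
	r3 := contract
	tier3Sign(&r3, "fred", attackerPriv)

	return ForgeryResults{Tier1: tier1Verify(r1), Tier2: tier2Verify(r2), Tier3: tier3Verify(r3, fredPub)}, nil
}

// GenuineTier3 shows the honest path: fred signs, it verifies, and an edit
// to the contract text after signing is detected.
func GenuineTier3() (verified bool, tamperDetected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	r := Record{ID: 123, Text: "Consulting agreement: 40 hours at $150/hr"} // constructed
	tier3Sign(&r, "fred", priv)
	verified = tier3Verify(r, pub)
	r.Text = "Consulting agreement: 400 hours at $150/hr"
	return verified, !tier3Verify(r, pub), nil
}

func main() {
	res, err := RunForgeryDemo()
	if err != nil {
		panic(err)
	}
	ok, tamper, _ := GenuineTier3()
	fmt.Printf("forgeable with app code + DB write: tier1=%v tier2=%v tier3=%v\n", res.Tier1, res.Tier2, res.Tier3)
	fmt.Printf("genuine signature verifies=%v, post-signing edit detected=%v\n", ok, tamper)
}
```

The HMAC in tier 2 is not broken as a primitive; the problem is key custody, since the verifier and every copy of the application share the one key that also creates the tag. Tier 3 only changes where the secret lives, and that is the property the paperwork exercise Rich describes (entering a wrong password and getting an error) does not test for.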