
Re: [E-CARM] PKI, CAs, TTPs &c.

In summary:
	The signature on the document establishes intent.
	Identity is asserted by the certificate.

	Saying that my key is my name is equivalent to 
	saying that my pen is my name.  This is nonsense.

	My key is what I use to - among other things - establish
	intent and provide integrity.  My pen is used for the same

	My X.509 certificate is what I present to assert an identity.
	My birth certificate (and other credentials) do the same
	in other contexts.


At 04:00 PM 3/27/98 -0500, Perry E. Metzger wrote:
>"Bob Jueneman" writes:
>> Most handwritten signatures aren't even legible, and might as well
>> be a "chop". That's why most documents require you to print or type
>> your name, in addition to signing. So a handwritten signature is
>> only very loosely bound to the signer's identity.
>More importantly, a signature on a document is not proof of
>identity. It is proof of *intent*. Digital signatures are totally
>unlike real signatures in that there is an expectation not only that
>you've become legally encumbered by signing but that the "signature"
>is expected to be an unforgeable proof. The law really has no such
>absolute assumption about real signatures. The reason one typically
>signs a contract is not to prove that you are you, but to prove that
>you read and agreed to the terms. It is understood that by signing,
>you are taking a step to bind yourself.
>> Therefore, commerce as we know it today is impossible, because 
>> the technology upon which it rests is insecure. :-)
>Actually, I've been trying to make the point that people aren't paying 
>attention to the actual concerns of commerce for some time
>now. Sigh...
