Subject: RE: [dss] EPM use cases: some questions and one requeriment.
John,

Interesting that the US ESign act is undergoing a review. A review is also happening on the EU Electronic Signatures Directive at the moment (see attached).

Nick

(PS: Message copied to Hans Nilsson, who is working on EU review study, for info)

> -----Original Message-----
> From: jmessing [mailto:jmessing@law-on-line.com]
> Sent: 30 June 2003 15:14
> To: Edward Shallow; 'Gray Steve'; dss@lists.oasis-open.org; Trevor Perrin
> Subject: RE: [dss] EPM use cases: some questions and one requeriment.
>
> ESign is currently undergoing study and review by the Department of Commerce pursuant to statutory requirements in the original ESign law. Its provisions are unlikely to be significantly amended to require digital signatures as a sole or even required method to create valid electronic signatures.
>
> See http://www.ntia.doc.gov/ntiahome/frnotices/2002/esign/ for the request for comments from the Secretary of Commerce and the comments received. The ABA submitted comments on the court documents exception and the sections dealing with the Uniform Commercial Code, which are also posted on the site along with other views.
>
> John Messing
> ABA representative to Oasis
> Chair, Electronic Filing Committee, ABA
> Chair, eNotary TC, LegalXML-Oasis
>
> ---------- Original Message ----------------------------------
> From: Trevor Perrin <trevp@trevp.net>
> Date: Mon, 30 Jun 2003 02:26:31 -0700
>
> >Hi Ed,
> >
> >inline, some questions we can discuss on the call -
> >
> >At 12:28 AM 6/26/2003 -0400, Edward Shallow wrote:
> >
> >>-----Original Message-----
> >>From: Trevor Perrin [mailto:trevp@trevp.net]
> >>Sent: June 25, 2003 2:01 PM
> >>To: Gray Steve; dss@lists.oasis-open.org
> >>Cc: Ed Shallow (E-mail)
> >>
> >>Thanks,
> >>
> >>My questions that remain, which we can discuss in email or at the concall:
> >>
> >>What is the point of the sender acquiring a "postmark" on his document?
> >><ed>
> >>In short, non-repudiation of origin (ref. ISO/IEC 13888-1-2-3). Regardless of which legal position or non-repudiation model one subscribes to, the re-production of evidence by Trusted Third Parties of these elements of non-repudiation are crucial. In fact much of the motivation behind deployment of trusted computing systems is the pursuit of this trustworthiness. IMHO to de-scope these subjects from the domain of a public protocol which professes to address digital signature creation and verification would result in a non-achievement.
> >>
> >>Refs:
> >>ETSI 101-733 and 101-903 OASIS CoverPages, Abstract and Links
> >>http://xml.coverpages.org/ni2002-04-24-a.html
> >>Non-Repudiation in the Digital Environment, McCullagh and Caelli
> >>http://www.firstmonday.dk/issues/issue5_8/mccullagh/#note13
> >>"UNCITRAL Model Law on Electronic Commerce with Guide to Enactment" Article 13, at http://www.un.or.at/uncitral/texts/electcom/ml-ec.html
> >>"American Bar Association Guidelines for Digital Signatures," at
> >>http://www.abanet.org/scitech/ec/isc/dsgfree.html
> >></ed>
> >
> >I think you're arguing that "re-production of evidence by Trusted Third Parties of [...] elements of non-repudiation are crucial" to verifying digital signatures. I thought the point of digital signatures, and certificates, and time-stamps, is that Alice can create a time-stamped signature, and Bob can verify it, and if there's a dispute Judge Judy can verify it, but there's no need for a TTP to store something for every signature.
> >
> >I only skimmed through the references, but they seemed to support this:
> >
> >According to the ABA reference,
> > - section 5.1 - "A message bearing a digital signature verified by the public key listed in a valid certificate is as valid, effective, and enforceable as if the message had been written on paper."
> > - section 5.2 - "Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature which is (1) affixed by the signer with the intent of signing the message, and (2) verified by reference to the public key listed in a valid certificate."
> >
> >According to ISO/IEC 13888-3,
> > - section 8.1 - "An NRO token is used to provide protection against the originator's false denial of having originated the message. The NRO token is generated by the originator A of the message m (or authority C), sent by A to the recipient B, [and] stored by the recipient B after verification." The definitions that follow make it clear that such a non-repudiation-of-origin-token is basically just the signer's public-key signature on a message.
> >This document also mentions possible roles for 3rd parties such as CAs and TSAs, and "Notary Authorities" (similar to a DSS signing service) and "Evidence Recording Authorities". But the last two are in an informative annex (as opposed to normative, I guess), and there's no mention of them being required for verifying signatures.
> >
> >
> >>To whom is this postmark meaningful, and what does it mean?
> >>
> >><ed>
> >>In certain scenarios and/or jurisdictions the onus of proof in the event of a legal challenge on the alleged signing of a document may rest with the signator. In such cases and scenarios, a receipt of non-repudiation of origin (what we innocently label the PostMark) would be valuable and worth paying for.[...]
> >></ed>
> >
> >I'm not sure what you mean by "receipt of non-repudiation of origin", but it sounds like a non-repudiation of origin token per ISO/IEC 13888-3, in which case I would think the signer's time-stamped signature is sufficient.
> >
> >
> >>According to A11, "The main purpose of the EPM is to provide a non-repudiation service that attests Who, What, Why, When a document was signed, plus the archival service". Isn't this provided by a normal, time-stamped digital signature?
> >>
> >><ed>
> >>No, it does not. Validity, integrity, and trustworthiness are still very much in doubt and inadmissible in nearly all jurisdictions.
> >></ed>
> >
> >Could you give some examples? I'm not aware of digital signature laws that require a TTP to create a "receipt of non-repudiation of origin" for each signature, or to archive each signature. Though I don't know much about these laws in general.
> >
> >Trevor
> >
> >
> >You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
WSES_N_0264_Revision_of_the_European_Electronic_Signature_Directive.pdf
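Trevor's argument above is that an NRO token (the signer's signature over the message, per ISO/IEC 13888-3 as quoted) plus a TSA time-stamp can be verified later by Bob or a judge using only the two public keys, with the TSA storing nothing per signature. The Go program below is an added illustration of that evidence structure and is not code from the thread or from the DSS/EPM work; it uses Ed25519 keys generated in-process as stand-ins for certified keys, and its time-stamp token (TSA signature over sha256(signature) || time) is a simplified stand-in for a real RFC 3161 token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Evidence is everything Alice hands to Bob. Nothing else is retained anywhere:
// a later verifier needs only this struct and the two public keys.
type Evidence struct {
	Msg  []byte
	NRO  []byte // Alice's signature over Msg (the non-repudiation-of-origin token)
	Time uint64 // Unix seconds asserted by the TSA
	TST  []byte // TSA signature over sha256(NRO) || Time (simplified time-stamp token)
}

// tsaInput is the byte string the TSA signs: hash of the signature being
// time-stamped, followed by the asserted time in big-endian form.
func tsaInput(nro []byte, t uint64) []byte {
	h := sha256.Sum256(nro)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, t)
	return append(h[:], buf...)
}

// MakeEvidence: Alice signs the message, then the TSA binds a time to that
// signature. The TSA sees only a hash of the signature and keeps no record.
func MakeEvidence(msg []byte, alice, tsa ed25519.PrivateKey, t uint64) Evidence {
	nro := ed25519.Sign(alice, msg)
	return Evidence{Msg: msg, NRO: nro, Time: t, TST: ed25519.Sign(tsa, tsaInput(nro, t))}
}

// Verify is what Bob, or a judge in a dispute, runs. It checks that Alice
// signed exactly this message and that the TSA vouched for exactly that
// signature at the stated time; altering Msg, NRO or Time breaks the chain.
func Verify(e Evidence, alicePub, tsaPub ed25519.PublicKey) bool {
	return ed25519.Verify(alicePub, e.Msg, e.NRO) &&
		ed25519.Verify(tsaPub, tsaInput(e.NRO, e.Time), e.TST)
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader) // stand-in keys
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	ev := MakeEvidence([]byte("I agree to the terms"), alicePriv, tsaPriv, 1056929191)
	fmt.Println("original evidence verifies:", Verify(ev, alicePub, tsaPub))
	ev.Msg = []byte("I agree to other terms") // constructed tampering
	fmt.Println("after altering the message:", Verify(ev, alicePub, tsaPub))
}
```

What the example does not cover is the rest of the verification story the thread touches on: certificate validity at the stated time and revocation status, which still require CA-published data, not a per-signature archive.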