Subject: RE: [dss] Clarification on scope please - What is DSS claiming to be in relation to legally binding signatures to people for Non Repudiation



Annually, a round of emails to the Information Security Committee of the ABA's list is generated about the technologist's doctrine of non-repudiation. It has become a kind of tradition that is spoken fondly of. The consensus is generally overwhelmingly unfavorable to the doctrine.

It has been observed that by definition, once there is a dispute in court about the validity of a signature, it has already been repudiated.

Technical methods for check-mating an attempt to repudiate a signature are viewed with skepticism by US courts.

Generally, trials are about the credibility of people, not technologies. If an electronic signature were challenged in a court, both sides would call in experts to testify about the workings of the technologies and expert findings in light of the facts of the case. It is not too difficult to find opposing views on an issue from persons with respectable credentials, particularly if one has the ability to pay expert witness fees.

A few years ago a federal felony criminal conviction was obtained on the basis of unauthenticated emails that the defendant did not admit he had authored. The court took into account corroborating testimony from witnesses about receiving the emails, and other oral statements attributed to the defendant to find that a criminal fraud for an academic honor had been perpetuated. It was a career-devastating conviction which was upheld on appeal. There was no crypto, no digital signatures, no discussion about non-repudiation.

In another case, federal jurisdiction was obtained over an offshore civil defendant based upon proof that an email had been sent to the defendant. There was no receipt, no digital signature, nothing of the type of neat "gotcha's" that technologists love to discuss and assume or pretend are necessary for legal enforceability.

Because electronic information is difficult to eradicate, it is possible that a reconstructed audit trail could suffice to prove point of origin and authorship, without any crypto at all.

Most knowledgeable US lawyers scoff at non-repudiation talk as the modern-day equivalent of alchemy.

In some other countries, this may not be true, principally because CPS and CP's usage of the terms has crept into legal vocabulary.

Not in the US. Not so far.

As for digital signatures, under US ESign law, any attempt to limit enforceability or provide for enhanced legal recognition of digital signatures in the classic "asymmetrically encrypted hash" sense, runs severe risks of being declared unenforceable, particularly if records of an agency of the US Government are involved.

"The federal E-Sign law precludes requiring a particular technology in relation to its records absent specific findings by an agency. “[A]gencies are given the authority to interpret §101(d) on retention of records by specifying standards to assure accuracy, record integrity and accessibility. The interpretive regulations may require specific formats or give special legal status or effect to the use of particular technologies if the requirement serves an important governmental objective and is substantially related to the achievement of that objective. This is limited, however, by a provision that the agency may not require use of a particular type of software or hardware in order to satisfy record-retention rules.” P. Fry, “A Preliminary Analysis of Federal and State Electronic Commerce Laws,” http://www.bmck.com/ueta-esign.doc, p. 12.

One of the purposes of the Congress in adopting eSign was to prevent a monopoly over electronic signatures by requiring X.509 certificates and public key infrastructures as had been adopted earlier by states such as Washington and Utah. At last report, the State of Washington still does not accept this view.

John Messing
American Bar Association Delegate to OASIS

The contents of this email are not intended as legal advice, no electronic signature is effectuated by it, and no attorney client relationship is created by it.


---------- Original Message ----------------------------------
From: Tim Moses <tim.moses@entrust.com>
Date:  Wed, 9 Jul 2003 15:21:59 -0400

>Personally, I think non-repudiation is a total rat-hole and red herring.  Of
>course, our protocol should allow for actors to be accountable for their
>actions.  But, our discussions should be strictly technical.  There are
>plenty of <soap:boxes> for anyone who wants to argue about (and come to no
>conclusions over) legal theory.
>
>What would John Linn say if we were to ask him whether legal considerations
>were taken into account in the definition of GSS_API and whether it would be
>complete today if they had?
>
>All the best.  Tim.
>
>-----Original Message-----
>From: Gray Steve [mailto:steve.gray@upu.int]
>Sent: Wednesday, July 09, 2003 2:18 PM
>To: dss@lists.oasis-open.org
>Subject: [dss] Clarification on scope please - What is DSS claiming to
>be in relation to legally binding signatures to people for Non
>Repudiation
>
>
>Dear Colleagues
>
>I am seeking general feedback and opinions in relation to the issue of
>Non-Repudiation (and yes, technically everything can be repudiated)
>
>The Posts, through the development of the EPM are addressing requirements so
>that digital signatures can replace handwritten signatures so that legal
>documents can remain in electronic form. This is not just a legal issue. It
>is also a business risk issue. For example, my use case describing the Non
>Disclosure Agreement describes an end-to-end process of a legal electronic
>document being created.  The NDA could easily be a contract worth millions
>of dollars and therefore significant business risk.
>
>Our objective is to define standards that support the concept of legally
>binding Non-Repudiation services using digital signatures for electronic
>documents, transactions, etc.
>
>This objective is based on strong market validation involving governments,
>business, software vendors, etc.  But we must address more than just pure
>technical issues. We must also be making a strong statement about the legal
>value of an electronic document or message that is digitally signed, by
>combining information about Who, What, When, Why and the strength of the
>process in gathering this information.   A strong chain of trust mitigates
>the business risks.
>
>Basically we need standards with Non-Repudiation in scope, but if the DSS is
>focused on too low a level it may be too generic and therefore weaken the
>perception of Non-Repudiation.
>
>So my question to the TC:
>
>- Is Non-Repudiation clearly within the scope of DSS as a formal User
>requirement?
>
>Perhaps John Messing could also comment from a legal perspective in relation
>to the eNotarisation use case and the Legal XML TC as to if/how/where you
>think legally binding Non Repudiation belongs for use cases involving
>significant business risk.
>
>
>Regards
>
>
>Steve Gray
>
>
>
>
>> _________________________________________________
>> Steve Gray
>> Program Manager, e-Business
>> Postal Technology Centre
>> International Bureau of the Universal Postal Union
>> Weltpoststrasse 4
>> 3000  Bern  15
>> Switzerland
>>
>> Tel:	+41 31 350 3116	(Direct)
>> Tel: 	+41 31 350 3111	(Switchboard)
>> Fax: 	+41 31 352 4323
>> e-mail: 	steve.gray@upu.int
>> Web:	http://postinfo.upu.org
>> 	http://www.upu.int
>
>You may leave a Technical Committee at any time by visiting
>http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
