

Subject: Re: [dss] EU Directive versus ABA "digest signatures"


I appreciate Andreas' candor and the fact that he has spoken up on this important topic. However, as I tried to point out yesterday on the call, it is probably inaccurate to label this an ABA approach.

The American Bar Association's Science and Technology Section recently laid out three possible approaches, without recommending any, for the benefit of the US Bureau of Citizenship and Immigration Services, including traditional PKI. Science and Technology is just one division, although perhaps an important part of the ABA, and it does not speak for the entire organization. The Electronic Filing Committee of the ABA which I chair authored the paper. A copy is attached to this message. It includes references to various links and documents which Steve Gray has just asked me to provide. It also mentions the use of a DSS delegated signing use case as an example of using encrypted hashes or digital signatures as one of the three types of approaches, mentions the work of the DSS TC, and explains the historical derivation of the alternative digest type of solution, which originated not with the ABA but with an ad hoc committee sponsored by the National Center for State Courts that made recommendations about electronic filing processes in a published report. The method of authenticating filers and digested filed documents is only a part of the report, which covers many other aspects of electronic filing, many of them highly useful.

One point that should be kept in mind is that under the approach of the electronic processes committee, court orders and judgments having legal force will be filed and subjected to the same types of processes and documents filed by attorneys or litigants for presentation to the court, and thus will be signed identically.

It would also be erroneous to assume that timestamping will inevitably become part of the digest type of signature solution that may be adopted by the US courts. It is not out of the question, but the use of timestamps has not yet been seen by the proponents of the digest type of solution as necessary or appropriate. 

The fact that the ABA has not yet taken a position is important, but it should also be noted that the electronic filing processes committee's recommendations have already been adopted by two influential membership associations of state court administrators, which has resulted in their incorporation in many requests for proposals from state courts to construct electronic court filing systems in the United States. A national conference of US Court judges recently adopted the electronic filing process committee's recommendations and incorporated them in draft rules which will likely be proposed to the ABA House of Delegates, a parliamentary type of body, in early February of 2004. If the ABA as a whole adopts the recommendations, then the federal courts in the US may follow suit. If the US courts use the digest type of signature solution in preference to encrypted hashes or PKI in the internal electronic filing processes, then the digest type of solution may come to be perceived as perfectly suitable for other types of e-commerce by the courts, which could affect judicial thinking in decisions handed down in the United States.

The issue to my way of thinking is primarily one of security. Unencrypted hashes and audit records of authentication in a database require heightened database security to prevent alteration of the records, while encrypted hashes or digital signatures can take up a part of the security burden by virtue of protections provided to the private key. 

Already in California, in a case not involving digests or electronic signatures but of database access privileges, there has been a documented case of alteration of database records of a court to make criminal convictions "disappear". The guilty parties were ultimately convicted and sentenced. The references can be found in the attached ABA paper.

As the Chair of the Electronic Filing Committee of the ABA, I feel an important service to the ABA and the American judiciary could be a compilation of opinions and reasons for the opinions of those possessing expertise on these issues, and the presentation of the compilation to those who will deliberate to vote upon the issue. I have encouraged the DSS TC itself to take a position by either adopting or rejecting digested electronic signatures as part of the scope and requirements of the TC, and for members to write to me by private email as individuals or representatives of organizations and companies, with a statement of background and credentials, in order to weigh in on this important issue before the February vote takes place.

As a final note, one member of the electronic filing processes committee that came up with the digest type of solution has privately observed to me that there was no expert on cryptography or digital signatures who took part in the work of the committee, and as a result the cryptographic issues may have been imperfectly understood in its deliberations. That does not mean that ultimately the recommendations were wrong, but simply that the committee may have stumbled upon a good solution anyway.

I emphasize that the opinions of each of you who have knowledge, expertise, training and experience on issues of security and cryptography could matter to those who will be voting on the proposals to the ABA in February, and I encourage each of you to communicate your views along with a statement of your background and experience so that the importance of your voice can be properly understood by all.

Thank you and best regards to all.

John Messing

ABA voting representative to OASIS
Chair, Electronic Filing Committee, ST, ABA
Chair, eNotary TC, LegalXML-OASIS

---------- Original Message ----------------------------------
From: "Andreas Kuehne" <kuehne@klup.de>
Date:  Tue, 21 Oct 2003 15:02:22 +0200

>Hi Karel !
>
>> ... which also means that my name under this email is a proper electronic
>> signature. 
>Yes, if your name is a valid hash of your message and I can find it in a special database under a proper key ... that would convince me !
>
>> Advanced Electronic Signatures and Qualified Signatures are what DSS is targeting, I guess ?
>Of course they are in the focus, but a signing service should not be limited to it.
>
>Despite having no experience with "digest signatures" it seems to be an interesting solution. As a tradeoff for the need of online access you need just ONE crypto algorithm ( the hash ) that weakens over time .. Timestamping is included ..  Archiving is in the concept right from the start ...
>
>> So to include "digest signatures", you'll need some other motivation too.
>I would need some other motivation to exclude "digest signatures" !
>
>To design a good service interface that can stand the test of time is always a difficult task. I don't think it's a good approach to narrow its operational area just because one technique today is more common than another.
>
>
>Greetings
>
>Andreas



ABA Comments on BCIS signatures.pdf
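
The security point raised in the message above (an unkeyed digest stored in a database is only as trustworthy as the database, while a keyed value moves part of the burden to the key), as an added example that is not part of the original e-mail or the attached ABA paper. HMAC-SHA-256 with a secret key stands in here for a private-key digital signature so that the sketch runs on the Python standard library alone; the record layout, function names and sample filings are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def digest(doc: bytes) -> str:
    """Unkeyed SHA-256 digest: anyone holding the document can recompute it."""
    return hashlib.sha256(doc).hexdigest()


def keyed_tag(key: bytes, doc: bytes) -> str:
    """Keyed value (HMAC stand-in for a signature): needs the key to produce."""
    return hmac.new(key, doc, hashlib.sha256).hexdigest()


def file_document(db: dict, doc_id: str, doc: bytes, key: bytes) -> None:
    """Store a filing with both kinds of integrity value (constructed layout)."""
    db[doc_id] = {"doc": doc, "digest": digest(doc), "tag": keyed_tag(key, doc)}


def verify_digest(db: dict, doc_id: str) -> bool:
    rec = db[doc_id]
    return hmac.compare_digest(rec["digest"], digest(rec["doc"]))


def verify_tag(db: dict, doc_id: str, key: bytes) -> bool:
    rec = db[doc_id]
    return hmac.compare_digest(rec["tag"], keyed_tag(key, rec["doc"]))


def alter_with_db_access(db: dict, doc_id: str, new_doc: bytes) -> None:
    """Model a party with write access to the records but no access to the key."""
    rec = db[doc_id]
    rec["doc"] = new_doc
    rec["digest"] = digest(new_doc)  # the unkeyed digest is simply recomputed
    # rec["tag"] cannot be regenerated without the key, so it is left stale


def demo():
    """Return the (digest_ok, tag_ok) pairs before and after the alteration."""
    key = secrets.token_bytes(32)  # held outside the database
    db = {}
    file_document(db, "case-001", b"Judgment: conviction entered.", key)  # constructed sample
    before = (verify_digest(db, "case-001"), verify_tag(db, "case-001", key))
    alter_with_db_access(db, "case-001", b"Judgment: case dismissed.")
    after = (verify_digest(db, "case-001"), verify_tag(db, "case-001", key))
    return before, after


if __name__ == "__main__":
    print(demo())
```

After the alteration the digest check still passes while the keyed check fails, which is why the digest-only design depends on database access controls and audit records being intact.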


