

Subject: RE: [dss] EU Directive versus ABA "digest signatures"


John,

I do not believe it appropriate for the DSS to give a definitive
opinion on the legal acceptability and strength of this mechanism for court
filing.  Firstly, the legal implications of using particular mechanisms for
court filing I expect differ widely across different nations and, other
than yourself John, I believe that this committee is from a technical
background.  Secondly, the security that can be achieved with a database
depends on many factors outside the scope of the protocol: such as the
platform used, the security management, physical / procedural controls.

It is reasonable for the DSS to consider adding support for this mechanism
as a profile of the DSS protocol, and in doing this there needs to be some
discussion on its merits.   Thus, I am happy that we continue this
discussion on the list but I suggest that the assessment of
the approach for court filing is more appropriately done at the individual
level than as a formal position by the DSS.

Nick


> -----Original Message-----
> From: jmessing [mailto:jmessing@law-on-line.com]
> Sent: 21 October 2003 15:23
> To: dss@lists.oasis-open.org; KarelWouters; Andreas Kuehne
> Subject: Re: [dss] EU Directive versus ABA "digest signatures"
>
>
> I appreciate Andreas' candor and the fact that he has spoken up
> on this important topic. However, as I tried to point out yesterday
> on the call, it is probably inaccurate to label this an ABA approach.
>
> The American Bar Association's Science and Technology Section
> recently laid out three possible approaches, without recommending
> any, for the benefit of the US Bureau of Citizenship and
> Immigration Services, including traditional PKI. Science and
> Technology is just one division, although perhaps an important
> part of the ABA, and it does not speak for the entire
> organization. The Electronic Filing Committee of the ABA which I
> chair authored the paper. A copy is attached to this message. It
> includes references to various links and documents which Steve
> Gray has just asked me to provide. It also mentions the use of a
> DSS delegated signing use case as an example of using encrypted
> hashes or digital signatures as one of the three types of
> approaches, mentions the work of the DSS TC, and explains the
> historical derivation of the alternative digest type of solution,
> which originated not with the ABA but with an ad hoc committee
> sponsored by the National Center for State Courts that made
> recommendations about electronic filing processes in a published
> report. The method of authenticating filers and digested filed
> documents is only a part of the report, which covers many other
> aspects of electronic filing, many of them highly useful.
>
> One point that should be kept in mind is that under the approach
> of the electronic processes committee, court orders and judgments
> having legal force will be filed and subjected to the same types
> of processes and documents filed by attorneys or litigants for
> presentation to the court, and thus will be signed identically.
>
> It would also be erroneous to assume that timestamping will
> inevitably become part of the digest type of signature solution
> that may be adopted by the US courts. It is not out of the
> question, but the use of timestamps has not yet been seen by the
> proponents of the digest type of solution as necessary or appropriate.
>
> The fact that the ABA has not yet taken a position is important,
> but it should also be noted that the electronic filing processes
> committee's recommendations have already been adopted by two
> influential membership associations of state court
> administrators, which has resulted in their incorporation in many
> requests for proposals from state courts to construct electronic
> court filing systems in the United States. A national conference
> of US Court judges recently adopted the electronic filing process
> committee's recommendations and incorporated them in draft rules
> which will likely be proposed to the ABA House of Delegates, a
> parliamentary type of body, in early February of 2004. If the ABA
> as a whole adopts the recommendations, then the federal courts in
> the US may follow suit. If the US courts use the digest type of
> signature solution in preference to encrypted hashes or PKI in
> the internal electronic filing processes, then the digest type of
> solution may come to be perceived as perfectly suitable for
> other types of e-commerce by the courts, which could affect
> judicial thinking in decisions handed down in the United States.
>
> The issue to my way of thinking is primarily one of security.
> Unencrypted hashes and audit records of authentication in a
> database require heightened database security to prevent
> alteration of the records, while encrypted hashes or digital
> signatures can take up a part of the security burden by virtue of
> protections provided to the private key.
>
> Already in California, in a case not involving digests or
> electronic signatures but of database access privileges, there
> has been a documented case of alteration of database records of a
> court to make criminal convictions "disappear". The guilty
> parties were ultimately convicted and sentenced. The references
> can be found in the attached ABA paper.
>
> As the Chair of the Electronic Filing Committee of the ABA, I
> feel an important service to the ABA and the American judiciary
> could be a compilation of opinions and reasons for the opinions
> of those possessing expertise on these issues, and the
> presentation of the compilation to those who will deliberate to
> vote upon the issue. I have encouraged the DSS TC itself to take
> a position by either adopting or rejecting digested electronic
> signatures as part of the scope and requirements of the TC, and
> for members to write to me by private email as individuals or
> representatives of organizations and companies, with a statement
> of background and credentials, in order to weigh in on this
> important issue before the February vote takes place.
>
> As a final note, one member of the electronic filing processes
> committee that came up with the digest type of solution has
> privately observed to me that there was no expert on cryptography
> or digital signatures who took part in the work of the committee,
> and as a result the cryptographic issues may have been
> imperfectly understood in its deliberations. That does not mean
> that ultimately the recommendations were wrong, but simply that
> the committee may have stumbled upon a good solution anyway.
>
> I emphasize that the opinions of each of you who have knowledge,
> expertise, training and experience on issues of security and
> cryptography could matter to those who will be voting on the
> proposals to the ABA in February, and I encourage each of you to
> communicate your views along with a statement of your background
> and experience so that the importance of your voice can be
> properly understood by all.
>
> Thank you and best regards to all.
>
> John Messing
>
> ABA voting representative to OASIS
> Chair, Electronic Filing Committee, ST, ABA
> Chair, eNotary TC, LegalXML-OASIS
>
> ---------- Original Message ----------------------------------
> From: "Andreas Kuehne" <kuehne@klup.de>
> Date:  Tue, 21 Oct 2003 15:02:22 +0200
>
> >Hi Karel !
> >
> >> ... which also means that my name under this email is a proper
> >> electronic signature.
> >Yes, if your name is a valid hash of your message and I can find
> >it in a special database under a proper key ... that would convince me !
> >
> >> Advanced Electronic Signatures and Qualified Signatures are
> >> what DSS is targeting, I guess ?
> >Of course they are in the focus, but a signing service should
> >not be limited to it.
> >
> >Despite having no experience with "digest signatures" it seems
> >to be an interesting solution. As a tradeoff for the need of
> >online access you need just ONE crypto algorithm ( the hash )
> >that weakens over time .. Timestamping is included ..  Archiving
> >is in the concept right from the start ...
> >
> >> So to include "digest signatures", you'll need some other
> >> motivation too.
> >I would need some other motivation to exclude "digest signatures" !
> >
> >To design a good service interface that can stand the test of
> >time is always a difficult task. I don't think it's a good
> >approach to narrow its operational area just because one
> >technique today is more common than another.
> >
> >
> >Greetings
> >
> >Andreas
>
>
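
The security point raised in the quoted message (unencrypted hashes stored in a database versus protection tied to a key held elsewhere), shown as an added example that is not part of the original thread. HMAC from the Python standard library stands in here for a digital signature; the record layout, function names, key and sample documents are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: one filed document and its altered form.
ORIGINAL = b"Judgment: conviction entered, case 0001 (constructed sample)"
ALTERED = b"Judgment: case 0001 dismissed (constructed sample)"
# Hypothetical key held outside the database (e.g. in separate key storage).
SIGNING_KEY = b"constructed-demo-key-kept-outside-the-db"


def file_document(db, doc_id, content, key):
    """Store the document with a bare digest and a keyed tag."""
    db[doc_id] = {
        "content": content,
        "digest": hashlib.sha256(content).hexdigest(),
        "tag": hmac.new(key, content, hashlib.sha256).hexdigest(),
    }


def verify_digest(db, doc_id):
    """Digest-only check: everything it relies on lives in the database."""
    rec = db[doc_id]
    actual = hashlib.sha256(rec["content"]).hexdigest()
    return hmac.compare_digest(actual, rec["digest"])


def verify_tag(db, doc_id, key):
    """Keyed check: also relies on a secret the database does not hold."""
    rec = db[doc_id]
    expected = hmac.new(key, rec["content"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec["tag"])


def alter_record_with_db_access(db, doc_id, new_content):
    """Models write access to the records without access to the key."""
    rec = db[doc_id]
    rec["content"] = new_content
    rec["digest"] = hashlib.sha256(new_content).hexdigest()
    # The keyed tag cannot be recomputed without the key, so it stays stale.


def run_demo():
    """Return (digest_ok, tag_ok) before and after the record is altered."""
    db = {}
    file_document(db, "doc-1", ORIGINAL, SIGNING_KEY)
    before = (verify_digest(db, "doc-1"), verify_tag(db, "doc-1", SIGNING_KEY))
    alter_record_with_db_access(db, "doc-1", ALTERED)
    after = (verify_digest(db, "doc-1"), verify_tag(db, "doc-1", SIGNING_KEY))
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

After the alteration the digest-only check still passes while the keyed check fails, which is why the digest approach shifts the whole burden onto database access control and audit.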






