
dss message



Subject: RE: [dss] EU Directive versus ABA "digest signatures"


John

I will study this further and discuss with my colleagues in relation to EPM in the US and elsewhere. Will give some feedback soon around the policy and other issues, as opposed to the technical issues directly related to DSS.


Steve

-----Original Message-----
From: jmessing [mailto:jmessing@law-on-line.com]
Sent: Tuesday, October 21, 2003 6:00 PM
To: jmessing@law-on-line.com; dss@lists.oasis-open.org; KarelWouters;
Andreas Kuehne; Nick Pope
Subject: RE: [dss] EU Directive versus ABA "digest signatures"


Understood. My comments and requests for contributions were directed to what I perceive to be technical issues: authentication, security, a need for stability in electronic document archiving over time, digests, encryption keys, and related technical matters, not legal issues. These all impact the proper policy determinations to be made, much as in a business process. Thanks for the response.

---------- Original Message ----------------------------------
From: "Nick Pope" <pope@secstan.com>
Date:  Tue, 21 Oct 2003 16:53:28 +0100

>John,
>
>I do not believe it appropriate for the DSS to give a definitive
>opinion on the legal acceptability and strength of this mechanism for court
>filing.  Firstly, the legal implications of using particular mechanisms for
>court filing I expect differs widely across different nations and, other
>than yourself John, I believe that this committee is from a technical
>background.  Secondly, the security that can be achieved with a database
>depends on many factors outside the scope of the protocol: such as the
>platform used, the security management, physical / procedural controls.
>
>It is reasonable for the DSS to consider adding support for this mechanism
>as a profile of the DSS protocol, and in doing this there needs to be some
>discussion on its merits. Thus, I am happy that we continue this
>discussion on the list but I suggest that the assessment of
>the approach for court filing is more appropriately done at the individual
>level than as a formal position by the DSS.
>
>Nick
>
>
>> -----Original Message-----
>> From: jmessing [mailto:jmessing@law-on-line.com]
>> Sent: 21 October 2003 15:23
>> To: dss@lists.oasis-open.org; KarelWouters; Andreas Kuehne
>> Subject: Re: [dss] EU Directive versus ABA "digest signatures"
>>
>>
>> I appreciate Andreas' candor and the fact that he has spoken up
>> on this important topic. However, as I tried to point out yesterday
>> on the call, it is probably inaccurate to label this an ABA approach.
>>
>> The American Bar Association's Science and Technology Section
>> recently laid out three possible approaches, without recommending
>> any, for the benefit of the US Bureau of Citizenship and
>> Immigration Services, including traditional PKI. Science and
>> Technology is just one division, although perhaps an important
>> part of the ABA, and it does not speak for the entire
>> organization. The Electronic Filing Committee of the ABA which I
>> chair authored the paper. A copy is attached to this message. It
>> includes references to various links and documents which Steve
>> Gray has just asked me to provide. It also mentions the use of a
>> DSS delegated signing use case as an example of using encrypted
>> hashes or digital signatures as one of the three types of
>> approaches, mentions the work of the DSS TC, and explains the
>> historical derivation of the alternative digest type of solution,
>> which originated not with the ABA but with an ad hoc committee
>> sponsored by the National Center for State Courts that made
>> recommendations about electronic filing processes in a published
>> report. The method of authenticating filers and digested filed
>> documents is only a part of the report, which covers many other
>> aspects of electronic filing, many of them highly useful.
>>
>> One point that should be kept in mind is that under the approach
>> of the electronic processes committee, court orders and judgments
>> having legal force will be filed and subjected to the same types
>> of processes and documents filed by attorneys or litigants for
>> presentation to the court, and thus will be signed identically.
>>
>> It would also be erroneous to assume that timestamping will
>> inevitably become part of the digest type of signature solution
>> that may be adopted by the US courts. It is not out of the
>> question, but the use of timestamps has not yet been seen by the
>> proponents of the digest type of solution as necessary or appropriate.
>>
>> The fact that the ABA has not yet taken a position is important,
>> but it should also be noted that the electronic filing processes
>> committee's recommendations have already been adopted by two
>> influential membership associations of state court
>> administrators, which has resulted in their incorporation in many
>> requests for proposals from state courts to construct electronic
>> court filing systems in the United States. A national conference
>> of US Court judges recently adopted the electronic filing process
>> committee's recommendations and incorporated them in draft rules
>> which will likely be proposed to the ABA House of Delegates, a
>> parliamentary type of body, in early February of 2004. If the ABA
>> as a whole adopts the recommendations, then the federal courts in
>> the US may follow suit. If the US courts use the digest type of
>> signature solution in preference to encrypted hashes or PKI in
>> the internal electronic filing processes, then the digest type of
>> solution may come to be perceived as perfectly suitable for
>> other types of e-commerce by the courts, which could affect
>> judicial thinking in decisions handed down in the United States.
>>
>> The issue to my way of thinking is primarily one of security.
>> Unencrypted hashes and audit records of authentication in a
>> database require heightened database security to prevent
>> alteration of the records, while encrypted hashes or digital
>> signatures can take up a part of the security burden by virtue of
>> protections provided to the private key.
>>
>> Already in California, in a case not involving digests or
>> electronic signatures but of database access privileges, there
>> has been a documented case of alteration of database records of a
>> court to make criminal convictions "disappear". The guilty
>> parties were ultimately convicted and sentenced. The references
>> can be found in the attached ABA paper.
>>
>> As the Chair of the Electronic Filing Committee of the ABA, I
>> feel an important service to the ABA and the American judiciary
>> could be a compilation of opinions and reasons for the opinions
>> of those possessing expertise on these issues, and the
>> presentation of the compilation to those who will deliberate to
>> vote upon the issue. I have encouraged the DSS TC itself to take
>> a position by either adopting or rejecting digested electronic
>> signatures as part of the scope and requirements of the TC, and
>> for members to write to me by private email as individuals or
>> representatives of organizations and companies, with a statement
>> of background and credentials, in order to weigh in on this
>> important issue before the February vote takes place.
>>
>> As a final note, one member of the electronic filing processes
>> committee that came up with the digest type of solution has
>> privately observed to me that there was no expert on cryptography
>> or digital signatures who took part in the work of the committee,
>> and as a result the cryptographic issues may have been
>> imperfectly understood in its deliberations. That does not mean
>> that ultimately the recommendations were wrong, but simply that
>> the committee may have stumbled upon a good solution anyway.
>>
>> I emphasize that the opinions of each of you who have knowledge,
>> expertise, training and experience on issues of security and
>> cryptography could matter to those who will be voting on the
>> proposals to the ABA in February, and I encourage each of you to
>> communicate your views along with a statement of your background
>> and experience so that the importance of your voice can be
>> properly understood by all.
>>
>> Thank you and best regards to all.
>>
>> John Messing
>>
>> ABA voting representative to OASIS
>> Chair, Electronic Filing Committee, ST, ABA
>> Chair, eNotary TC, LegalXML-OASIS
>>
>> ---------- Original Message ----------------------------------
>> From: "Andreas Kuehne" <kuehne@klup.de>
>> Date:  Tue, 21 Oct 2003 15:02:22 +0200
>>
>> >Hi Karel!
>> >
>> >> ... which also means that my name under this email is a proper electronic
>> >> signature.
>> >Yes, if your name is a valid hash of your message and I can find it in a special database under a proper key ... that would convince me!
>> >
>> >> Advanced Electronic Signatures and Qualified Signatures are what DSS is targeting, I guess?
>> >Of course they are in the focus, but a signing service should not be limited to it.
>> >
>> >Despite having no experience with "digest signatures" it seems to be an interesting solution. As a tradeoff for the need of online access you need just ONE crypto algorithm (the hash) that weakens over time ... Timestamping is included ... Archiving is in the concept right from the start ...
>> >
>> >> So to include "digest signatures", you'll need some other motivation too.
>> >I would need some other motivation to exclude "digest signatures"!
>> >
>> >To design a good service interface that can stand the test of time is always a difficult task. I don't think it's a good approach to narrow its operational area just because one technique today is more common than another.
>> >
>> >
>> >Greetings
>> >
>> >Andreas
>> >To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php.
>>
>>
>
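
The security point raised in the thread (an unencrypted digest stored beside the document protects nothing against someone who can write to the database, while a keyed value moves part of the burden to key protection) can be shown in a short sketch. This is an added example, not part of any message in the thread or of the DSS specifications; the function names, filing id and key are hypothetical, and HMAC-SHA256 stands in for a digital signature so the code needs only the Python standard library.

```python
import hashlib
import hmac

def digest(doc: bytes) -> str:
    # "Digest signature": an unkeyed hash anyone can recompute.
    return hashlib.sha256(doc).hexdigest()

def keyed_tag(doc: bytes, key: bytes) -> str:
    # Stand-in for a digital signature (assumption): a real deployment would
    # sign with a private key so that verifiers need only the public key.
    return hmac.new(key, doc, hashlib.sha256).hexdigest()

def file_document(db: dict, filing_id: str, doc: bytes, key: bytes) -> None:
    # The record store holds the document, its digest and the keyed tag.
    db[filing_id] = {"doc": doc, "digest": digest(doc),
                     "tag": keyed_tag(doc, key)}

def verify_digest(db: dict, filing_id: str) -> bool:
    rec = db[filing_id]
    return hmac.compare_digest(rec["digest"], digest(rec["doc"]))

def verify_tag(db: dict, filing_id: str, key: bytes) -> bool:
    rec = db[filing_id]
    return hmac.compare_digest(rec["tag"], keyed_tag(rec["doc"], key))

def alter_record(db: dict, filing_id: str, new_doc: bytes) -> None:
    # Threat model: database write access but no key. The document is
    # replaced and the unkeyed digest recomputed to match; the tag cannot be.
    rec = db[filing_id]
    rec["doc"] = new_doc
    rec["digest"] = digest(new_doc)

def demo():
    key = b"constructed-key-held-outside-the-database"  # constructed value
    db = {}
    file_document(db, "F-1", b"Judgment: conviction entered.", key)
    before = (verify_digest(db, "F-1"), verify_tag(db, "F-1", key))
    alter_record(db, "F-1", b"Judgment: case dismissed.")
    after = (verify_digest(db, "F-1"), verify_tag(db, "F-1", key))
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the alteration the digest check still passes while the keyed check fails, which is why the digest approach depends entirely on database access controls and audit records.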
