Subject: RE: [dss] EPM use cases: some questions and one requirement.


Trevor is correct. The US ESign legislation superseded any legal requirement mandating the use of digital signature technology, as suggested by the ABA's early and now somewhat dated Digital Signature Guidelines. The EEC's legislation is less strictly technology-neutral than ESign, but with a similar bent towards not requiring digital signature technology as an exclusive method of legally signing electronic documents, though the EEC expressly allows a secure electronic signature based upon crypto, which the US arguably does not.

ESign is currently undergoing study and review by the Department of Commerce pursuant to statutory requirements in the original ESign law. Its provisions are unlikely to be significantly amended to require digital signatures as a sole or even required method to create valid electronic signatures.

See http://www.ntia.doc.gov/ntiahome/frnotices/2002/esign/ for the request for comments from the Secretary of Commerce and the comments received. The ABA submitted comments on the court documents exception and the sections dealing with the Uniform Commercial Code, which are also posted on the site along with other views.

John Messing
ABA representative to Oasis
Chair, Electronic Filing Committee, ABA
Chair, eNotary TC, LegalXML-Oasis

---------- Original Message ----------------------------------
From: Trevor Perrin <trevp@trevp.net>
Date:  Mon, 30 Jun 2003 02:26:31 -0700

>
>Hi Ed,
>
>inline, some questions we can discuss on the call -
>
>At 12:28 AM 6/26/2003 -0400, Edward Shallow wrote:
>
>>-----Original Message-----
>>From: Trevor Perrin [mailto:trevp@trevp.net]
>>Sent: June 25, 2003 2:01 PM
>>To: Gray Steve; dss@lists.oasis-open.org
>>Cc: Ed Shallow (E-mail)
>>
>>Thanks,
>>
>>My questions that remain, which we can discuss in email or at the concall:
>>
>>What is the point of the sender acquiring a "postmark" on his document?
>><ed>
>>In short, non-repudiation of origin (ref. ISO/IEC 13888-1-2-3). Regardless
>>of which legal position or non-repudiation model one subscribes to, the
>>re-production of evidence by Trusted Third Parties of these elements of
>>non-repudiation are crucial. In fact much of the motivation behind
>>deployment of trusted computing systems is the pursuit of this
>>trustworthiness. IMHO to de-scope these subjects from the domain of a public
>>protocol which professes to address digital signature creation and
>>verification would result in a non-achievement.
>>
>>Refs:
>>ETSI 101-733 and 101-903 OASIS CoverPages, Abstract and Links
>>http://xml.coverpages.org/ni2002-04-24-a.html
>>Non-Repudiation in the Digital Environment, McCullagh and Caelli
>>http://www.firstmonday.dk/issues/issue5_8/mccullagh/#note13
>>"UNCITRAL Model Law on Electronic Commerce with Guide to Enactment" Article
>>13, at http://www.un.or.at/uncitral/texts/electcom/ml-ec.html
>>"American Bar Association Guidelines for Digital Signatures," at
>>http://www.abanet.org/scitech/ec/isc/dsgfree.html
>></ed>
>
>I think you're arguing that "re-production of evidence by Trusted Third 
>Parties of [...] elements of non-repudiation are crucial" to verifying 
>digital signatures.  I thought the point of digital signatures, and 
>certificates, and time-stamps, is that Alice can create a time-stamped 
>signature, and Bob can verify it, and if there's a dispute Judge Judy can 
>verify it, but there's no need for a TTP to store something for every 
>signature.
>
>I only skimmed through the references, but they seemed to support this:
>
>According to the ABA reference,
>  - section 5.1 - "A message bearing a digital signature verified by the 
>public key listed in a valid certificate is as valid, effective, and 
>enforceable as if the message had been written on paper."
>  - section 5.2 - "Where a rule of law requires a signature, or provides 
>for certain consequences in the absence of a signature, that rule is 
>satisfied by a digital signature which is (1) affixed by the signer with 
>the intent of signing the message, and (2) verified by reference to the 
>public key listed in a valid certificate."
>
>According to ISO/IEC 13888-3,
>  - section 8.1 - "An NRO token is used to provide protection against the 
>originator's false denial of having originated the message.  The NRO token 
>is generated by the originator A of the message m (or authority C), sent by 
>A to the recipient B, [and] stored by the recipient B after 
>verification."  The definitions that follow make it clear that such a 
>non-repudiation-of-origin-token is basically just the signer's public-key 
>signature on a message.
>This document also mentions possible roles for 3rd parties such as CAs and 
>TSAs, and "Notary Authorities" (similar to a DSS signing service) and 
>"Evidence Recording Authorities".  But the last two are in an informative 
>annex (as opposed to normative, I guess), and there's no mention of them 
>being required for verifying signatures.
>
>
>>To whom is this postmark meaningful, and what does it mean?
>>
>><ed>
>>In certain scenarios and/or jurisdictions the onus of proof in the event of
>>a legal challenge on the alleged signing of a document may rest with the
>>signator. In such cases and scenarios, a receipt of non-repudiation of
>>origin (what we innocently label the PostMark) would be valuable and worth
>>paying for.[...]
>></ed>
>
>I'm not sure what you mean by "receipt of non-repudiation of origin", but 
>it sounds like a non-repudiation of origin token per ISO/IEC 13888-3, in 
>which case I would think the signer's time-stamped signature is sufficient.
>
>
>>According to A11, "The main purpose of the EPM is to provide a
>>non-repudiation service that attests Who, What, Why, When a document was
>>signed, plus the archival service".  Isn't this provided by a normal,
>>time-stamped digital signature?
>>
>><ed>
>>No, it does not. Validity, integrity, and trustworthiness are still very
>>much in doubt and inadmissible in nearly all jurisdictions.
>></ed>
>
>Could you give some examples?  I'm not aware of digital signature laws that 
>require a TTP to create a "receipt of non-repudiation of origin" for each 
>signature, or to archive each signature.  Though I don't know much about 
>these laws in general.
>
>Trevor 
>
>
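As an added illustration of the verification model Trevor describes above (this is not code from the thread or from the DSS TC), the Go program below has Alice produce an ISO/IEC 13888-3-style NRO token (her signature over the message), has a time-stamp authority countersign it, and has a verifier check both using public keys alone, so the TSA never needs to store anything per signature. Ed25519, the SHA-256-plus-time layout of the time-stamp input, and the sample message and time are assumptions made for this example, not a real time-stamp token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Party holds an Ed25519 key pair; only Pub is ever handed to verifiers.
type Party struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewParty() Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{pub, priv}
}

// NROToken: the originator's signature over the message, which is what ISO/IEC 13888-3 calls the NRO token.
func (a Party) NROToken(msg []byte) []byte { return ed25519.Sign(a.Priv, msg) }

// tsInput binds a hash of the signature to a time; this layout is an assumed simplification, not a real token format.
func tsInput(sig []byte, unixTime uint64) []byte {
	h := sha256.Sum256(sig)
	t := make([]byte, 8)
	binary.BigEndian.PutUint64(t, unixTime)
	return append(h[:], t...)
}

// Timestamp is the TSA's whole contribution: a signature saying the NRO token existed at unixTime. It stores nothing.
func (tsa Party) Timestamp(sig []byte, unixTime uint64) []byte {
	return ed25519.Sign(tsa.Priv, tsInput(sig, unixTime))
}

// Verify needs only public keys, so Bob today or a judge years later can check the evidence with no third-party lookup.
func Verify(alicePub, tsaPub ed25519.PublicKey, msg, sig, ts []byte, unixTime uint64) bool {
	return ed25519.Verify(alicePub, msg, sig) && ed25519.Verify(tsaPub, tsInput(sig, unixTime), ts)
}

func main() {
	alice, tsa := NewParty(), NewParty()
	msg, when := []byte("constructed sample: Alice agrees to the terms"), uint64(1056931200) // constructed input
	sig := alice.NROToken(msg)
	ts := tsa.Timestamp(sig, when)
	fmt.Println("evidence valid:", Verify(alice.Pub, tsa.Pub, msg, sig, ts, when))
}
```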

