Subject: RE: [dss] EPM use cases: some questions and one requeriment.


John,

Interesting that the US ESign act is undergoing a review.  A review is also
happening on the EU Electronic Signatures Directive at the moment (see
attached).

Nick

(PS: Message copied to Hans Nilsson, who is working on EU review study, for
info)



> -----Original Message-----
> From: jmessing [mailto:jmessing@law-on-line.com]
> Sent: 30 June 2003 15:14
> To: Edward Shallow; 'Gray Steve'; dss@lists.oasis-open.org; Trevor
> Perrin
> Subject: RE: [dss] EPM use cases: some questions and one requeriment.
.,.....
>
> ESign is currently undergoing study and review by the Department
> of Commerce pursuant to statutory requirements in the original
> ESign law. Its provisions are unlikely to be significantly
> amended to require digital signatures as a sole or even required
> method to create valid electronic signatures.
>
> See http://www.ntia.doc.gov/ntiahome/frnotices/2002/esign/ for
> the request for comments from the Secretary of Commerce and the
> comments received. The ABA submitted comments on the court
> documents exception and the sections dealing with the Uniform
> Commercial Code, which are also posted on the site along with other views.
>
> John Messing
> ABA representative to Oasis
> Chair, Electronic Filing Committee, ABA
> Chair, eNotary TC, LegalXML-Oasis
>
> ---------- Original Message ----------------------------------
> From: Trevor Perrin <trevp@trevp.net>
> Date:  Mon, 30 Jun 2003 02:26:31 -0700
>
> >
> >Hi Ed,
> >
> >inline, some questions we can discuss on the call -
> >
> >At 12:28 AM 6/26/2003 -0400, Edward Shallow wrote:
> >
> >>-----Original Message-----
> >>From: Trevor Perrin [mailto:trevp@trevp.net]
> >>Sent: June 25, 2003 2:01 PM
> >>To: Gray Steve; dss@lists.oasis-open.org
> >>Cc: Ed Shallow (E-mail)
> >>
> >>Thanks,
> >>
> >>My questions that remain, which we can discuss in email or at the concall:
> >>
> >>What is the point of the sender acquiring a "postmark" on his document?
> >><ed>
> >>In short, non-repudiation of origin (ref. ISO/IEC 13888-1-2-3).
> >>Regardless of which legal position or non-repudiation model one subscribes to, the
> >>re-production of evidence by Trusted Third Parties of these elements of
> >>non-repudiation are crucial. In fact much of the motivation behind
> >>deployment of trusted computing systems is the pursuit of this
> >>trustworthiness. IMHO to de-scope these subjects from the domain of a public
> >>protocol which professes to address digital signature creation and
> >>verification would result in a non-achievement.
> >>
> >>Refs:
> >>ETSI 101-733 and 101-903 OASIS CoverPages, Abstract and Links
> >>http://xml.coverpages.org/ni2002-04-24-a.html
> >>Non-Repudiation in the Digital Environment, McCullagh and Caelli
> >>http://www.firstmonday.dk/issues/issue5_8/mccullagh/#note13
> >>"UNCITRAL Model Law on Electronic Commerce with Guide to Enactment" Article
> >>13, at http://www.un.or.at/uncitral/texts/electcom/ml-ec.html
> >>American Bar Association Guidelines for Digital Signatures," at
> >>http://www.abanet.org/scitech/ec/isc/dsgfree.html
> >></ed>
> >
> >I think you're arguing that "re-production of evidence by Trusted Third
> >Parties of [...] elements of non-repudiation are crucial" to verifying
> >digital signatures.  I thought the point of digital signatures, and
> >certificates, and time-stamps, is that Alice can create a time-stamped
> >signature, and Bob can verify it, and if there's a dispute Judge Judy can
> >verify it, but there's no need for a TTP to store something for every
> >signature.
> >
> >I only skimmed through the references, but they seemed to support this:
> >
> >According to the ABA reference,
> >  - section 5.1 - "A message bearing a digital signature verified by the
> >public key listed in a valid certificate is as valid, effective, and
> >enforceable as if the message had been written on paper."
> >  - section 5.2 - "Where a rule of law requires a signature, or provides
> >for certain consequences in the absence of a signature, that rule is
> >satisfied by a digital signature which is (1) affixed by the signer with
> >the intent of signing the message, and (2) verified by reference to the
> >public key listed in a valid certificate."
> >
> >According to ISO/IEC 13888-3,
> >  - section 8.1 - "An NRO token is used to provide protection against the
> >originator's false denial of having originated the message.  The NRO token
> >is generated by the originator A of the message m (or authority C), sent by
> >A to the recipient B, [and] stored by the recipient B after
> >verification."  The definitions that follow make it clear that such a
> >non-repudiation-of-origin-token is basically just the signer's public-key
> >signature on a message.
> >This document also mentions possible roles for 3rd parties such as CAs and
> >TSAs, and "Notary Authorities" (similar to a DSS signing service) and
> >"Evidence Recording Authorities".  But the last two are in an informative
> >annex (as opposed to normative, I guess), and there's no mention of them
> >being required for verifying signatures.
> >
> >
> >>To whom is this postmark meaningful, and what does it mean?
> >>
> >><ed>
> >>In certain scenarios and/or jurisdictions the onus of proof in the event of
> >>a legal challenge on the alleged signing of a document may rest with the
> >>signator. In such cases and scenarios, a receipt of non-repudiation of
> >>origin (what we innocently label the PostMark) would be valuable and worth
> >>paying for.[...]
> >></ed>
> >
> >I'm not sure what you mean by "receipt of non-repudiation of origin", but
> >it sounds like a non-repudiation of origin token per ISO/IEC 13888-3, in
> >which case I would think the signer's time-stamped signature is sufficient.
> >
> >
> >>According to A11, "The main purpose of the EPM is to provide a
> >>non-repudiation service that attests Who, What, Why, When a document was
> >>signed, plus the archival service".  Isn't this provided by a normal,
> >>time-stamped digital signature?
> >>
> >><ed>
> >>No, it does not. Validity, integrity, and trustworthiness are still very
> >>much in doubt and inadmissible in nearly all jurisdictions.
> >></ed>
> >
> >Could you give some examples?  I'm not aware of digital signature laws that
> >require a TTP to create a "receipt of non-repudiation of origin" for each
> >signature, or to archive each signature.  Though I don't know much about
> >these laws in general.
> >
> >Trevor
> >
> >
> >You may leave a Technical Committee at any time by visiting
> >http://www.oasis-open.org/apps/org/workgroup/dss/members/leave_workgroup.php
>
>



WSES_N_0264_Revision_of_the_European_Electronic_Signature_Directive.pdf
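
The model argued in the quoted message from Trevor Perrin, in which the originator's time-stamped signature is checked by the recipient or later by a court with no third party storing anything per signature, sketched as an added example that is not part of the original thread. The function names, the Ed25519 keys and the simplified time-stamp format are assumptions for illustration; a real deployment would bind the keys to X.509 certificates and use a standard time-stamp token such as RFC 3161.

```javascript
// Added illustration; all names here are hypothetical, not from DSS or the EPM.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Originator (Alice) and a time-stamping authority each hold a key pair.
// Assumption: verifiers already trust both public keys (certificate checks omitted).
const alice = crypto.generateKeyPairSync('ed25519');
const tsa = crypto.generateKeyPairSync('ed25519');

// The TSA signs (digest it was shown || time) and keeps no record of the request.
function timestamp(digest, tsaPrivateKey, time) {
  const tbs = Buffer.concat([digest, Buffer.from(time, 'utf8')]);
  return { time, sig: crypto.sign(null, tbs, tsaPrivateKey) };
}

// NRO token: the originator's signature on the message, plus a time-stamp
// over the hash of that signature. The recipient stores the token.
function makeNroToken(message, signerPrivateKey, tsaPrivateKey, time) {
  const signature = crypto.sign(null, Buffer.from(message, 'utf8'), signerPrivateKey);
  return { signature, stamp: timestamp(sha256(signature), tsaPrivateKey, time) };
}

// Recipient or arbiter: needs only the message, the token and two public keys.
function verifyNroToken(message, token, signerPublicKey, tsaPublicKey) {
  const sigOk = crypto.verify(null, Buffer.from(message, 'utf8'),
                              signerPublicKey, token.signature);
  const tbs = Buffer.concat([sha256(token.signature),
                             Buffer.from(token.stamp.time, 'utf8')]);
  const stampOk = crypto.verify(null, tbs, tsaPublicKey, token.stamp.sig);
  return { sigOk, stampOk, valid: sigOk && stampOk };
}

// Constructed sample input.
const message = 'constructed sample contract text';
const token = makeNroToken(message, alice.privateKey, tsa.privateKey,
                           '2003-06-30T09:26:31Z');
console.log(verifyNroToken(message, token, alice.publicKey, tsa.publicKey));
```
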


