David Shaw wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
>
> > When the word "notarised signature" is used, is this
> > a term that has been tested against the legal meaning
> > of the words?
> >
> > Specifically, the term has quite different significances
> > under civil code and common law. In the civil code, a
> > notary is a very important person, perhaps more significant
> > than an attorney. He or she has to study for 6 years to
> > obtain their qualification, and it is a tightly constrained
> > field (at least in the country I'm mildly familiar with).
>
> The term "notary signature" should not imply any legal meaning
> whatsoever. As you point out, it means different things to different
> people in different places.
>
> I can't imagine the terminology is a problem. After all, the terms
> "signature" and "certification" mean different things in different
> legal jurisdictions as well, and PGP has been using those terms for
> over a decade.
Right. That precisely is the issue, in that it
has been observed that the misuse of the word
'signature' by the cryptographic community has
contributed to the mess that is CAs and PKIs...
People have understood that digital signatures
imply legal signatures in some hand-waving sense.
People have therefore tried to build systems to
use digital signatures to replace other forms,
generally with little success.

So, I guess what I'm saying is this: If one
subscribes to the view that a bug in "digital
signatures" is the word "signature", then
perhaps we should not compound that bug by
expanding the term to "notarised signature".

If so, then what in cryptographic terms is
that new form of signature? As far as I can
see it is a 3rd party signature over a sig:

    0x50: Notary signature.
    This signature is a signature over some other OpenPGP signature
    packet. It is a notary seal on the signed data. ...

I'd suggest something like:

    0x50: 3rd party confirmatory signature.
    This signature is a signature over some other OpenPGP signature
    packet. It provides a mechanism for a 3rd party to confirm the
    first signature over the signed data, and is analogous to a
    notary seal. ...

Except that is a little clumsy.

(also 5.2.3.25.)
> > If not, as a minimum, it might be a good idea to add
> > a statement that the use of the term is not meant to
> > draw from the legal definition(s) of same.
>
> I'm okay with this if the WG thinks it is necessary, though if we're
> going to go down that route, it would probably be simpler to put a
> single sentence in the introduction disclaiming any legal standing for
> terminology used in the whole document than it would be to add
> specific notes to the notary section.
Sure. I'm not wedded to the change myself,
I'm just much more sensitive to the legal
system having been recently squeezed through
the mill (and, PGP signatures played a small
part in that ;-)

My perspective comes down to: "how can we
reduce costs in future disputes?"

The issue with the current text would be
that some poor muggins might have to go
through a court case explaining why the
phrase

    "It is a notary seal on the signed data."

does not imply that it is a notary seal on
the signed data, and the person who signed
it is not fraudulently purporting to be a
notary.

As the text is quite explicit as to what
it is (normally a laudable objective!),
and as the program (optimistically)
conforms to the RFC, then he has a bit
of a battle making the alternate case...

--
iang
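The "3rd party signature over a sig" discussed above, worked through as an added example; it is not code from this message, from the 2440bis draft, or from any OpenPGP implementation. It makes a version 4 signature over a document and then a type 0x50 signature whose hashed data is the first Signature packet body behind an old-style 0x88 header and a four-octet length, which is how RFC 4880 section 5.2.4 later specified it (the published RFC also renamed the type "Third-Party Confirmation signature", close to the wording suggested here). The key generation and raw RSA signing are a toy stand-in for OpenPGP's PKCS#1 v1.5 encoding so the block runs on the Python standard library alone; the document text, timestamps, seeds and key size are constructed for the demonstration.

```python
"""Signature over a signature (OpenPGP type 0x50), after RFC 4880 section 5.2.4.
Added example: not code from the thread or from any OpenPGP implementation.
Toy textbook RSA (no padding) stands in for PKCS#1 v1.5 so only the stdlib is needed."""
import hashlib
import random
import struct

SIG_BINARY_DOCUMENT = 0x00
SIG_THIRD_PARTY_CONFIRMATION = 0x50   # "notary signature" in the 2440bis draft
PK_RSA, HASH_SHA256, SUBPKT_CREATION_TIME = 1, 8, 2
DOCUMENT = b"The quick brown fox jumps over the lazy dog.\n"   # constructed input


def hashed_fields(sig_type: int, creation_time: int) -> bytes:
    """v4 fields under the hash: version, type, algorithms, hashed subpacket area."""
    subpkt = bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", creation_time)
    return bytes([4, sig_type, PK_RSA, HASH_SHA256]) + struct.pack(">H", len(subpkt)) + subpkt


def signature_digest(data: bytes, fields: bytes) -> bytes:
    """H(data || hashed fields || trailer), trailer = 0x04 0xFF + 4-octet field length."""
    trailer = bytes([4, 0xFF]) + struct.pack(">I", len(fields))
    return hashlib.sha256(data + fields + trailer).digest()


def confirmation_data(inner_sig_body: bytes) -> bytes:
    """What a 0x50 signature hashes instead of a document: 0x88, 4-octet length, inner body."""
    return bytes([0x88]) + struct.pack(">I", len(inner_sig_body)) + inner_sig_body


def signature_body(fields: bytes, digest: bytes, value: int) -> bytes:
    """v4 Signature packet body: hashed fields, empty unhashed area, left 16 bits, one MPI."""
    mpi = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return fields + b"\x00\x00" + digest[:2] + struct.pack(">H", value.bit_length()) + mpi


def parse_signature_body(body: bytes):
    """Inverse of signature_body(): returns (hashed fields, left16, MPI value)."""
    pos = 6 + struct.unpack(">H", body[4:6])[0]
    fields = body[:pos]
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]      # skip the unhashed area
    left16, nbits = body[pos:pos + 2], struct.unpack(">H", body[pos + 2:pos + 4])[0]
    return fields, left16, int.from_bytes(body[pos + 4:pos + 4 + (nbits + 7) // 8], "big")


def _probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin with rng-chosen witnesses; callers pass odd n > 3 only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_rsa_keypair(seed: int, bits: int = 256):
    """Toy RSA ((n, e), (n, d)), seeded so the demo repeats. NOT for real use."""
    rng, e = random.Random(seed), 65537

    def prime() -> int:
        while True:
            p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
            if _probable_prime(p, rng):
                return p

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def toy_sign(priv, digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), priv[1], priv[0])   # raw RSA, no padding


def verify(body: bytes, data: bytes, pub) -> bool:
    """Recompute the digest over `data` with the packet's own hashed fields, then check."""
    fields, left16, value = parse_signature_body(body)
    digest = signature_digest(data, fields)
    return left16 == digest[:2] and pow(value, pub[1], pub[0]) == int.from_bytes(digest, "big")


def build_example():
    """Alice signs DOCUMENT (0x00); a third party then signs Alice's Signature packet (0x50)."""
    alice_pub, alice_priv = toy_rsa_keypair(seed=1)
    notary_pub, notary_priv = toy_rsa_keypair(seed=2)
    f1 = hashed_fields(SIG_BINARY_DOCUMENT, 1054229114)
    d1 = signature_digest(DOCUMENT, f1)
    sig1 = signature_body(f1, d1, toy_sign(alice_priv, d1))
    f2 = hashed_fields(SIG_THIRD_PARTY_CONFIRMATION, 1054230000)
    d2 = signature_digest(confirmation_data(sig1), f2)   # hashes sig1's bytes, not DOCUMENT
    sig2 = signature_body(f2, d2, toy_sign(notary_priv, d2))
    return sig1, sig2, alice_pub, notary_pub
```

Calling build_example() and then verify() on the two packets shows what the packet type does and does not do: the confirming signature verifies over the bytes of Alice's signature packet and over nothing else, so it vouches for her signature rather than re-signing the document, and flipping any bit of her signature invalidates the confirmation. Whether that act is a "notary seal" in any jurisdiction is exactly the question the thread leaves open; the protocol itself only binds one signature to another.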