pem-dev

RE: Signed objects vs. signed comments

1993-05-03 13:37:00
You ask a fair question and you set forth the scenario quite
precisely.  Let me use your scenario to pinpoint the issue I have in
mind.

Consider the following scenario: Bob prepares a draft of a contract,
signs it, and emails it to Carol. Carol reads it, prepares some
comments of the form: If you make <these changes> to <that
document>, I will sign <my signature>.  Carol then constructs a
multi-part MIME-PEM document consisting of the following parts:
 A) the original message, containing the contract,

How does the next reader, or Bob for that matter, know for sure
whether Carol has included the message that Bob sent or some other
message?  The signature guarantees that it came from Bob, but it may
be some other version of the same document.  The mistake may be
innocent or deliberate.

I agree that this is a problem. One possible solution is for Bob to either
include date information in the material he signs or for Bob to sign something
a bit larger than just the document -- e.g. an embedded message with date and
version information in the headers.

Of course this reduces the issue of trust to whether or not you trust Bob. One
could argue that since you trust Bob to produce reasonable content under his
name, you can trust him for the rest. But this isn't true in general. Can you
trust Bob not to, say, back-date a document? (Or, as you get into in your
examples below, send one version to one person and another version to someone
else?)

A solution that covers this is to use a designated neutral trusted registration
authority for such documents. Such an authority would receive documents, make
sure they originate from a trusted user, time stamp them, sign them and save
them. People discussing documents of this sort would then exchange copies
signed by this neutral trusted authority. (Actually, this brings up a use for
signed message/external-body objects, doesn't it?)

In case it isn't already clear, I would expect this to be a program and not an
actual person.

You can go much further, of course, but this begins to encroach on services
that guarantee delivery. This is all fine and dandy, but it lies outside the
scope of services PEM is designed to provide.

    signed with Bob's signature
 B) her comments
Carol then puts her signature on the combined document (A and B),
and sends it back to Bob, with copies to Ted and Alice.

Ted and Alice can clearly see that the original contract (part A)
is what Bob wrote, because his signature is still on it. Also,

Not quite.  Ted and Alice can see clearly that part A was written by
Bob at some point.  Suppose they received a copy of this document via
a separate channel, they won't be able to tell quickly whether it's
the same version unless they compare checksums.

Yup. From a user interface perspective it would sure be nice to provide an
option to do this.

they can clearly see that Carol has not signed the contract itself,
because her signature applies to parts A and B -- the contract
combined with her comments.  And the comments say, in English,
that she will only agree to the contract with the specified changes.

In my opinion, the semantics of a signature should be "I said
these words", and the interpretation of the words should be
done by a process that is defined separately from the
digital signature validation process, such as contract law.
To try to combine them makes things much too complicated.

In some sense, during the review and commentary process, it's less
important who wrote a particular draft and more important to know
which draft you're dealing with.  Signatures matter only when the
words are fully agreed to.

Here's a somewhat nasty way for Bob and Carol to conspire against Ted
and Alice.  Bob sends Carol, Ted and Alice part A.  Bob then sends
Carol a slightly modified version of A, called A'.  A' looks similar
to A but differs in some critical detail.  Bob and Carol read A very
carefully and decide they're comfortable with it.  They decide they'll
sign it if Alice will sign it.  Alice sends Bob, Carol and Ted a
message that contains A' with her comments, which may be as simple as
"if you sign this, I'll sign it too."

Or, in a different scenario, let's suppose Bob and Carol depend on Alice for
advice.  Ted sends A to Bob and Carol but sends A' to Alice. Alice says to Bob
and Carol, "This (meaning A') is ok."  Bob and Carol use the original message
(containing A) and sign off on it.

At root in each of these scenarios is the question of whether two
copies are the same.  Of course, each party can do an explicit
comparison against the original, but that may be time-consuming or
otherwise inconvenient.

Other scenarios can be constructed where the issue is more one of document
dating. As far as I know the only general solution to these problems is to make
use of a trusted third party to register definitive versions of documents and
keep track of when they were written.

                                Ned
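
The thread above argues three things about structure, not about any particular
signature algorithm: Carol's signature must cover Bob's signed part A together
with her comments B and must not verify over A alone; two copies of A can only be
told apart by comparing a digest, since Bob's signature is genuine on both A and
A'; and a neutral registration authority can bind a digest to a timestamp so the
parties can compare receipts instead of whole documents. The following is an
added example written for this page, not code from the pem-dev thread or from
any PEM implementation. It uses HMAC-SHA256 with a per-party secret key as a
stand-in for a PEM-style public-key signature so that it runs on the standard
library alone; the keys, names, contract text and timestamp are constructed for
illustration.

```python
"""
Signed objects vs. signed comments: what bytes each signature actually covers.

Added example, not from the pem-dev thread.  HMAC-SHA256 with a per-party
secret key is a STAND-IN for a PEM-style public-key signature (a real system
would use RSA or similar); the structure of what is signed is the point.
"""
import hashlib
import hmac
import json


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def canonical(obj: dict) -> bytes:
    """Deterministic byte form of an object, so signing and hashing are repeatable."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def signed_object(key: bytes, headers: dict, body: str) -> dict:
    """Bob's 'embedded message': Date/Version headers are inside what he signs."""
    unsigned = {"headers": headers, "body": body}
    return {**unsigned, "sig": sign(key, canonical(unsigned))}


def verify_object(key: bytes, obj: dict) -> bool:
    unsigned = {"headers": obj["headers"], "body": obj["body"]}
    return verify(key, canonical(unsigned), obj["sig"])


def digest(obj: dict) -> str:
    """Version identifier: hash of the whole signed object, Bob's signature included."""
    return hashlib.sha256(canonical(obj)).hexdigest()


def comment_on(key: bytes, original: dict, comments: str) -> dict:
    """Carol's multipart: part A is Bob's signed object verbatim, part B her comments.
    Her signature is computed over both parts together."""
    parts = {"A": original, "B": comments}
    return {"parts": parts, "sig": sign(key, canonical(parts))}


def verify_comment(key: bytes, multipart: dict) -> bool:
    return verify(key, canonical(multipart["parts"]), multipart["sig"])


def signed_contract_alone(key: bytes, multipart: dict) -> bool:
    """Would Carol's signature verify over part A by itself?  It must not."""
    return verify(key, canonical(multipart["parts"]["A"]), multipart["sig"])


def register(ra_key: bytes, obj: dict, timestamp: str) -> dict:
    """Neutral registration authority: a receipt binding the digest to a timestamp."""
    receipt = {"digest": digest(obj), "registered": timestamp}
    return {**receipt, "sig": sign(ra_key, canonical(receipt))}


def receipt_matches(ra_key: bytes, receipt: dict, obj: dict) -> bool:
    unsigned = {"digest": receipt["digest"], "registered": receipt["registered"]}
    return verify(ra_key, canonical(unsigned), receipt["sig"]) and receipt["digest"] == digest(obj)


# Constructed keys for the example; a real system would hold private keys, not shared secrets.
BOB, CAROL, RA = b"bob-secret", b"carol-secret", b"ra-secret"


def scenario() -> dict:
    """The thread's scenario, with A' as Bob's slightly modified second version."""
    hdrs = {"From": "bob", "Date": "1993-05-03", "Version": "1"}
    A = signed_object(BOB, hdrs, "Seller delivers 100 widgets at $10 each.")       # constructed
    A_prime = signed_object(BOB, hdrs, "Seller delivers 100 widgets at $100 each.")  # one critical detail changed
    carol = comment_on(CAROL, A, "If you change the delivery date to June 1, I will sign.")
    receipt = register(RA, A, "1993-05-03T13:37:00Z")  # constructed timestamp
    return {
        "bob_sig_on_A": verify_object(BOB, A),
        "bob_sig_on_A_prime": verify_object(BOB, A_prime),  # both genuine: the signature alone picks no version
        "same_version": digest(A) == digest(A_prime),        # only the digest tells A and A' apart
        "carol_sig_on_A_and_B": verify_comment(CAROL, carol),
        "carol_sig_on_A_alone": signed_contract_alone(CAROL, carol),
        "receipt_for_A": receipt_matches(RA, receipt, A),
        "receipt_for_A_prime": receipt_matches(RA, receipt, A_prime),
        "altered_comment": verify_comment(CAROL, {"parts": {"A": A, "B": "I sign."}, "sig": carol["sig"]}),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

Ted and Alice's "compare checksums" step is `digest(A) == digest(A_prime)`; the
registration authority's receipt lets them do the same comparison against a
timestamped digest without holding the other copy. Note that Bob's signature
verifies on both A and A', which is exactly why the signature by itself cannot
settle which draft is under discussion.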
