-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Bob,

Ok, I'll bite. The distinction that has been important in past
discussions is that a certificate issued for a distinguished name
which contains company information does not imply that any specific
roles or privileges are conveyed. For example my certificate says
"Trusted Information Systems." If I sign a message with that
signature, it doesn't mean that I'm necessarily acting as a TIS
employee (or officer).

If I understand the drift of the current thread of messages, the
question on the table is different. It's whether my signature serves
to bind my words to me in a legal sense. For example, if I send an
electronic purchase order with my signature, does that have the same
force as if I had sent it on paper? Or, if I say something nasty
about someone in electronic mail, does that expose me to the same
liability it would if I had said it in print?

To the extent that it matters what a PCA says, I think the answers are
yes. For example, if someone at TIS were to send an unauthorized
purchase order to a company, the set of issues we'd have to deal with
would be the same whether it's an electronic purchase order or a paper
purchase order. We'd either have to honor it or disavow it, and the
supplier would either sue us or not. If a supplier wants to know
whether a purchase order is valid, the supplier should ask who's
authorized to sign purchase orders for TIS. The means for checking on
us have little or nothing to do with PEM. Records in the State of
Maryland will tell you who our officers are. Dun and Bradstreet, TRW
or our bank will give you credit and financial information. Our
clients will tell you about our reputation. Etc., etc. PEM does not
speak to this issue; it only provides a mechanism for sealing and
signing messages.

It's certainly the intent that digital signatures have
comparable meaning to wet signatures. However, it's obviously up to
the community to decide how to treat this technology. If the users
treat digital signatures with the same respect they treat wet
signatures, then it's likely the law will follow.

You said the two PCA policies you've read -- ours and RSA's -- don't
contain the words you want with respect to the meaning of a signature.
What words do you want in the PCA policy?

Steve
-----END PRIVACY-ENHANCED MESSAGE-----