TCJ> In many environments (contract law eg.) there is a line above the
signature which defines the purpose for the signing and a line below the
signature which defines the role of the signer. Note that this is
dependent on the instance, and may vary ON A SINGLE CONTRACT if signed
more than once by the same person.
Charlie> I don't see why these items cannot still be part of the
(electronic) document, with a reference to a person (e.g. the common
name) appearing in place of the usual signature. The roles etc. need
not be in anyone's certificate. When a person signs the whole document,
he/she essentially affixes his/her signature in all the places, and in
all roles, where his/her name appears. Won't that do it?
The problem here is that with PEM certificates, the role is in the
certificate. And with RFC822 email there is no structure that will
allow us to do as you suggest, eg "affix her signature in all the
places". There is no way to specify a "place" to put a signature, and
so there is no way to assign a purpose to a signature when there are
more than one.
If the signature block is ever touched again, I would strongly suggest
that the role and purpose of the signature be placed there. If the
certificate is not sent with the document, the role does not appear
anywhere directly associated with the document. Also the role of an
individual signer can vary, and so if the signer does not state the
purpose of the individual signature, the the signer is not sure how the
signature will be "placed" in the transmitted document. Even if the
certificate is supposedly sent with the document, there is no way to
prove it since the header info is not part of the message that is
signed.
- -
Steve C> To the extent that it matters what a PCA says, I think the
answers are yes. For example, if someone at TIS were to send an
unauthorized purchase order to a company, the set of issues we'd have to
deal with would be the same whether it's an electronic purchase order or
a paper purchase order. We'd either have to honor it or disavow it, and
the supplier would either sue or us or not. If a supplier wants to know
whether a purchase order is valid, the supplier should ask who's
authorized to sign purchase orders for TIS. The means for checking on
us having little or nothing to do with PEM. Records in the State of
Maryland will tell you who our officers are. Dun and Bradstreet, TRW or
our bank will give you credit and financial information. Our clients
will tell you about our reputation. Etc., etc. PEM does not speak to
this issue; it only provides a mechanism for sealing and signing
messages.
Most of what you say is correct, however two major points:
1> The supplier does not care who is authorized to sign for TIS. It
only matters that the PO came from TIS and that the supplier has reason
to believe it was valid.
2> None of your arguments, (correctly I would posit) tie the PCA
policy to any action that TIS would perform! My belief is that there is
no way to expect a signer to be responsible for the PCA policy when she
has very limited options on choosing it. Is there any chance that the
purchasing agent of TIS would be allowed to change the PCA that TIS used
for its own CA, just because she was personally uncomfortable with it?
- -
To the contrary of what some may think of my position, I feel that:
DIGITAL SIGNATURES WILL ONLY BE SUCCESSFUL TO THE EXTENT THAT WE CAN
CONVINCE PEOPLE THAT THEY SERVE THE SAME PURPOSE AS ANALOG SIGNATURES.
There is too much infrastructure in place that supports analog
signatures for us to hope that we could have any impact on that
structure. Lets try to find ways to support digital signature in the
same way rather than invent new ways to use them. Then the comfort
factor for the use of the digital signature will be all that much
greater.
Note that one corollary to my opinion is that no one would be permitted
to sign for me if I were absent. If a Purchasing Department needs to
have somebody sign in my absence, give them their own certificate and
let them sign. Don't give anybody your password, your key, your
certificate, your toothbrush, or your wife to use in your absence. You
will be sorry if you do!
Peace ..Tom Jones