Steve Crocker: Ok, I'll bite. The distinction that has been important in past
discussions is that a certificate issued for a distinguished name
which contains company information does not imply that any specific
roles or privileges are conveyed. For example my certificate says
"Trusted Information Systems." If I sign a message with that
signature, it doesn't mean that I'm necessarily acting as a TIS
employee (or officer).
Steve, if you send me a letter on company letterhead, I believe that I would
normally be entitled to the presumption that you were sending to me as company
business. Note that I said presumption, not conclusive proof. If I understand
the lawyers, nothing is ever quite black and white. Instead there are shades of
presumption ranging from a completely unsubstantiated claim on the part of the
plaintiff (e.g., an oral contract with no witnesses), to a presumption or
predisposition on the part of the plaintiff (a written statement or request on
company letterhead), to the "preponderance of the evidence" (e.g., a signed
contract) where the burden of proof begins to shift to the defense to disprove,
to perhaps a signed and notarized document ("clear and convincing evidence"),
to perhaps a signed and notarized document, accompanied by advertisements
trumpeting the fact that you had been selected for this contract ("beyond all
reasonable doubt"), to judicial acts by a land court, after which they hold the
title, not you (incontrovertible).
If your certificate says O=Trusted Information Systems, then I think I have some
reason to presume that you are affiliated with them in some sense. If you
are a contractor, tenant, resident visitor, etc., I would hope that your
Organizational Unit might refer to that fact, e.g., O=Trusted Information Systems,
OU=Contractor, OU=Contractor Name.
However, if your certificate states that you are O=Trusted Information
Systems, organizationalRole=President, or organizationalRole=Purchasing
Agent, although I may not know what level of authority you have been granted by
your own organization, i.e., what dollar value you can sign off on with
only your signature, I think that the fact that your company is acting as the CA
and has signed your certificate should be considered CONCLUSIVE proof that
that is your correct title or organizationalRole. If you don't
agree, then I think we have an even bigger problem than I imagined.
(By the way, I agree with Dave Sudia of Bankers Trust. The CA should attest to
the role, but not necessarily to the individual's name, since organizations have
very limited means of checking someone's identity. But your name doesn't matter if
I have given you a particular role within my company. That's why I would prefer
for the user to swear before a Notary Public that he is who he says he is.
If he lies, he is subject to criminal charges for perjury, and civil damages.
Otherwise I have almost no claim against him.)
Steve: If I understand the drift of the current thread of messages, the
question on the table is different. It's whether my signature serves
to bind my words to me in a legal sense. For example, if I send an
electronic purchase order with my signature, does that have the same
force as if I had sent it on paper? Or, if I say something nasty
about someone in electronic mail, does that expose me to the same
liability it would if I had said it in print?
Yes, I certainly think so. Whatever authority or lack of authority you had
with respect to a paper document should apply to your digital signature,
unless you do something special to limit or proscribe that use. Or abuse,
really, because the primary threat is the possibility that someone steals your
key and impersonates you.
Steve: To the extent that it matters what a PCA says, I think the answers are
yes. For example, if someone at TIS were to send an unauthorized
purchase order to a company, the set of issues we'd have to deal with
would be the same whether it's an electronic purchase order or a paper
purchase order. We'd either have to honor it or disavow it, and the
supplier would either sue us or not. If a supplier wants to know
whether a purchase order is valid, the supplier should ask who's
authorized to sign purchase orders for TIS. The means for checking on
us have little or nothing to do with PEM. Records in the State of
Maryland will tell you who our officers are. Dun and Bradstreet, TRW
or our bank will give you credit and financial information. Our
clients will tell you about our reputation. Etc., etc. PEM does not
speak to this issue; it only provides a mechanism for sealing and
signing messages.
Correct. The X9 transaction authorization certificates should eventually
answer the question as to whether some individual or Role (DN, really)
is AUTHORIZED to perform some action. (But not whether you have enough money
in the bank to pay for the item being ordered.) But what happens if I as a manager
send a message to my Contracting Officer or the Contracting Officer's Technical
Representative proposing a particular task plan, and the COTR sends a message
back that approves that plan. If in fact the two of us DO have the appropriate
authority to sign such documents, are our digital signatures as binding as
our written ones would be? I think so. If I agree to perform a given task within a
given budget, and then overrun, can I claim that my digital signature was invalid,
and try to get out of the difficulty that way? I wouldn't want to count on it!
(Aside to Doug Porter - how many PEM users are either involved in grants to
educational institutions or are involved in either government or industry with
contracts and COTRs, and would like to expedite this process?)
Steve: It's certainly the intent that digital signatures have
comparable meaning as wet signatures. However, it's obviously up to
the community to decide how to treat this technology. If the users
treat digital signatures with the same respect they treat wet
signatures, then it's likely the law will follow.
I agree. But would it be prudent of me to sign an unlimited Power of Attorney
with an indefinite duration, that gives that person total and absolute control
over everything in my life, for as long as I live? I don't think so. In fact, I don't
think it would be prudent to sign something that has an effective date that falls
after the expiration of my CRL, for otherwise the CRL would have little effect.
These are some of the issues that need to be addressed, and that I have included
in my proposed Affidavit of Legal Mark. (That is also why it is 10 pages of rather
dense legalese.)
Steve: You said the two PCA policies you've read -- ours and RSA's -- don't
contain the words you want with respect to the meaning of a signature.
What words do you want in the PCA policy?
Now that is the ultimate put up or shut up, and a difficult challenge to resist!
I'll tell you what. I will try to come up with the additional words, both for what I
believe the intent was or is for the TIS PCA and for the RSA Commercial Hierarchy
PCA as well, but it will take a little time.
I also feel that one-on-one negotiations, even over a relatively public forum such
as pem-dev, are not the best way to address such issues, because we are primarily the
developers and technocrats, not the users, lawyers, financial types, etc., that must
eventually be satisfied. Instead, I am thinking about hosting a small workshop for
such people to try to address these issues, so that maybe we could come to a
broad-based consensus on these issues. Maybe in Boston in late September or early October,
when the leaves are at their best.
Would you be interested? Would anyone else?