pem-dev

Signatures may not mean much?

1993-08-09 17:26:00
Bob> Creating a hypothetical PCA policy ...

"The intent of signatures created within our hierarchy is to identify
who created the message in question with a level of assurance that is
practical for a widely diverse user population.  The use of a signature
certified within this hierarchy for legally binding purposes, e.g., for
purposes of trade or commerce, may not be appropriate given the level of
assurance provided and is therefore not recommended."

Bob> Without some sort of notice to this effect, the user is potentially
liable for something that he didn't sign, because he hasn't devoted the
necessary time and the resources to ensure that his keys are adequately
protected for all possible types of risk.


This is getting to be just like Alice, Through the Looking Glass.
Privacy Enhanced Mail does not necessarily enhance mail with privacy.
Originator Authenticity does not necessarily authenticate the
originator.  I did think that it authenticated the signer - but now I
find that Digital Signatures don't make the signer liable because maybe
he didn't sign it.  Whoa, wait a minute here.  What's left?

                      <Just the grin>

I am reminded of the Holy Roman Empire, which historians tell us was
neither holy, nor Roman, nor an empire.  The only thing left to deny is the
"mail" part and then we too can say - nothing is as it seems.

Peace ..Tom Jones
