Tom,
Tell you what, I'll compromise a bit on the argument. Let's say we
usually don't use the signature for a role in isolation, but generally
use it in conjunction with an individual signature to provide the
desired accountability. By separating the two concepts, the role and
the individual, we still reduce CRL management costs and provide for
an individual using his signature independent of the role signature,
for circumstances where there is no intent to invoke the imprimatur
of the role. We also provide a means for addressing the potentially
sticky problem of long term control of an individual's private key,
vs. the key used by an individual in the context of a role.

I am not an attorney, so I'm not sure if your argument about the
uselessness of a role signature, independent of a person is valid or
not. My (informal) model of its utility is based on personal
experience in hardcopy dealings with folks whom I have never and
probably never will meet, but whose signature is presumed to represent
a binding commitment for their organizations, because it is
accompanied by an assertion that the individual holds some relevant
role in that organization. I receive documents signed by these
(faceless) folks and I rely on them as "official" because of the
letterhead, purported title, etc., but not because of the specific
name of the signer.

What I am really arguing is that there is no legal value to be gained
by signing a document with a role's public key, other than that it
                                    ^^^^^^
                                    private
helps to establish the origin of the document. But in that case, the
actual role used to sign the document has little bearing on the status
of the document. Authorization has nothing to do with it. It is of NO
interest to ANYONE outside the corporation whether some
individual inside the corporation was authorized or not, it is
only important that the document came from the corporation and that the
receiver has some reason to believe its validity.

I am puzzled by this last paragraph. We all know that not everyone in
an organization is authorized to make a commitment on behalf of the
organization. The usual example is that only officers of banks are
authorized to sign loan agreements for banks, not tellers, etc., and
that is why so many bank employees carry the title of
"vice-president." So, clearly, the role occupied by an individual is
critical in determining the individual's authorization in some, if not
many, commercial circumstances. I agree that the role often will not,
by itself, tell you all you need to know about the authority accorded
the role occupant, but it certainly seems like a useful first step and
one can imagine establishing ancillary, signed documents or
certificates that would codify the authorization associated with
various roles.
Steve