EU Draft Digital Signature Directive
Denis.Russell@ncl.ac.uk
Thu, 20 Aug 1998 10:09:20 +0100

At 5:29 pm +0100 19/8/98, Clare Wardle wrote:
>At the risk of joining Nigel in the pillory............
>
>Quite a few contributors to this group as well as others have said
>there is no reason to have a public directory at all because everyone
>only wants to talk to their friends...

*Some* people may have said that, but as the latest person on the list to
mention communicating "with my friends" may I remark that I was very
careful not to say that that was the *only* thing that I wanted to do, but
when I was doing that I didn't need any government assistance thank you
very much, and I see no point in any government involvement at all.

>... - now someone has noticed that it might be handy to have a method
>of checking whether the travel agent you are thinking of buying a
>holiday from exists, and being able to look him up in a public
>directory would be quite useful too.

I don't quite know who has had a remarkable revelation of what here
recently, but there seems to be a range of ideas floating about concerning
just what "a public directory" is going to give you. In its simplest form
it just tells you information of the sort that "Fred Bloggs has a thingmie
of value whatsit, and the directory operators say that this is so". So, for
example, suppose a directory service was run by the DTi: it might contain
the entry "The public key belonging to Maxwell Travel Bargains is
qwertyuiop, and the DTi asserts that this is true". Note that this doesn't
actually say anything about Maxwell Travel Bargains, and I for one wouldn't
take that as any assurance that it was safe to spend money on a yacht
holiday from them - only that there is such a company/entity, and that it
is pretty safe to assume that *communications* with that company/entity can
be performed securely using the given key.

To develop confidence in having *dealings* with that company rather than
merely communicating securely I would expect some of the usual
non-electronic signals, like a friend who had had a successful time with
them last year, etc. However, there would be some kinds of electronic
references that could be provided electronically. For example, if Maxwell
Travel Bargains were ABTA bonded, this could be expressed and
electronically certified via such a certification service - or even via a
"private" certification service run by ABTA itself. (Actually, this
indicates another point that the certification itself is separate from any
physical servers in which it appears, but let's not get diverted.) In
general, signed references from satisfied customers could be added in this
way, but checking them to see whether you believed they were of any value
would be more difficult. (It would be easy to check that the signature of
the recommendation from one "Brian Ward" was indeed by someone called
"Brian Ward", but how do you decide electronically that the Brian Ward in
question is a jolly good sort and his recommendation was useful?)

The point here is that certificates and directories do provide electronic
tools for facilitating electronic intercourse, including trade, but it is
the structure and extent of the *content* that is important, and it is only
by the correct interpretation of the content that you will avoid booking
holidays with perfectly real companies that will take perfectly genuine
electronic pounds to book you on a completely fictional luxury cruise.

Meanwhile, I'll continue my electronic intercourse with consenting friends
without any official assistance thank you very much. I'll ask when I need
it.

>..I think it's quite fair for Nigel to have his little jokules.

There are lots of little jocules awaiting us all on the net. I guess the
main ones that worry me are the little jocules that government legislation
will play on our cyber lives in the future.
Denis.