EU DIRECTIVE ON SIGNATURES
Richard Clayton
richard at turnpike.com
Sat, 22 Aug 1998 16:18:00 +0100
In article <199808220945_MC2-5700-F18A@compuserve.com>, Nigel Hickson
<nigelhickson@compuserve.com> writes
>Colleagues
>
>For information; I attach the information DTI have just circulated to
>directive "contact" list.
>
[snip]
>As already noted the Commission's view (which we support) is that the ability to
>determine the originator of data and protection of the integrity are important
>elements of secure electronic commerce. Electronic signatures go some way to
>providing this, especially when “certified” by a body known as a “Certification
>Authority” (CA) or, as used in the proposal, “Certification Service Provider”
>(CSP). The certification process enables a degree of certainty for the
>recipient of an electronic signature that the sender is really who they claim to
>be.
I wonder if this concentration upon "who they claim to be" is the
cryptography community's error in the way in which protocols have been
explained to the public, or if it is just inherent in the way in which
people in government think?
Who exactly am I?
As I understand it, I can call myself by any name I wish (provided I
don't attempt to defraud anyone), and I can move home at any time
without bothering to leave a forwarding address (again subject to not
leaving debts behind). Exactly what identifies me which can be written
into a certificate and which will not require me to get another one
tomorrow morning when I move, marry or join a witness protection scheme?
This concentration on identity is a fundamental mistake. It may be of
importance to governments collecting taxes - because I might claim
multiple individual allowances, or issuing pensions - because they might
pay me twice.
But misapplied outside of these rather specialist spheres, it leads to
nonsense like the next sentence...
>Businesses are not likely to act on electronic orders unless they are
>content as to the identity of the buyer.
This is just plain wrong.
Businesses are not likely to act on electronic orders unless they are
content that they are going to get paid!
Last time I ordered some books from amazon.com they didn't care who I
was, they cared that the 16 digit number I quoted them was recognised by
VISA. VISA just cared (probably) that this number was accompanied by
something which resembled the address I once gave them.
This is no different from placing an order over the phone, or indeed
someone using a Sears and Roebuck catalogue in Wyoming in the 1890s
http://www.sears.com/company/pubaff/1890.htm
Unless you have formed a "relationship" with a company then that company
will not send you goods unless they are prepaid, EVEN IF they know who
you are, EVEN IF they know where you live. The cost of collecting a bad
debt is just too high.
Having said that, some companies will send goods without payment; they
take a risk (perhaps having looked at your postcode, or some other
database) seeing a failure to be paid promptly as part of the price of
being "easy to use".
> Thus Certification Authorities are
>seen to perform an important role in binding the identity of an individual to an
>electronic signature certificate.
They'll certainly do that (in as far as it means anything) - but the
emphasis on this to the apparent exclusion of other issues is
disappointing...
... or perhaps we have all missed the point and electronic signatures
are not for business at all, but for the state?
> Hence the discussion within the proposal on
>the criteria that CAs should meet (in terms of competence etc) in allowing a
>degree of trust to the certificates which they issue.
I want certificates which I can turn into money as recompense when they
fail to do what they claim... a view of "trust" as something which is
bound to fail, rather than something which is bound to work.
I think the insurance market might be the place to look for standards
being set in the next century rather than Brussels.
[[ there are many other matters to comment upon, but one at a time :) ]]
--
richard richard.clayton @ T U R N P I K E .com
http://www.demon.net/news/features/crypto/ for Demon's views on crypto
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM