EU DIRECTIVE ON SIGNATURES
Charles Lindsey
chl at clw.cs.man.ac.uk
Sun, 23 Aug 1998 13:14:27 +0100
On Sat, 22 Aug 1998 16:18:00 +0100
Richard Clayton <richard@turnpike.com> said...
>
> In article <199808220945_MC2-5700-F18A@compuserve.com>, Nigel Hickson
> <nigelhickson@compuserve.com> writes
>
>
> >Businesses are not likely to act on electronic orders unless they are
> >content as to the identity of the buyer.
>
> This is just plain wrong.
>
> Businesses are not likely to act on electronic orders unless they are
> content that they are going to get paid !

No, it is not as wrong as you suppose. Agreed it is a simplification
(and was probably intended to be understood as such).

What businesses would like to know is certain attributes of the buyer.
But it is up to the business to decide what attributes they would like
to see. Likely they will want to know if he can pay. Likely they will
want to know if the delivery address for the goods relates to the buyer
(or at least to the same entity as payment is promised by). But they
could as easily want to know the actual identity (they might prefer not
to send goods to a certain wealthy Arab living in Afghanistan, though I
am sure that gentleman's creditworthiness is entirely beyond reproach).

>
> Last time I ordered some books from amazon.com they didn't care who I
> was, they cared that the 16 digit number I quoted them was recognised by
> VISA. VISA just cared (probably) that this number was accompanied by
> something which resembled the address I once gave them.

Yes, but amazon.com would be most concerned that the entity that
purported to state that the number you quoted was good for the amount in
question was indeed that well known organisation VISA, and a certificate
to that effect (perhaps from a CA) should resolve that.

The fact is that, for human comprehension, we feel more comfortable if
we can put a plausible name to otherwise anonymous entities, however
tempting their certificates might look.

BTW, I have just been reading up on the Simple Public Key Infrastructure
(ftp://ftp.nordu.net/internet-drafts/draft-ietf-spki-cert-theory-02.txt
and related specifications). I see that Carl Ellison, the author, is on
this list. I think Nigel would do well to read it, because I expect the
world is moving on faster than the DTI can produce draft regulations to
control it.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl
Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5