EU DIRECTIVE ON SIGNATURES
Richard Clayton
richard at turnpike.com
Sun, 23 Aug 1998 18:37:49 +0100
In article <199808231214.NAA12407@clw.cs.man.ac.uk>, Charles Lindsey
<chl@clw.cs.man.ac.uk> writes
> On Sat, 22 Aug 1998 16:18:00 +0100
> Richard Clayton <richard@turnpike.com> said...
>
>> In article <199808220945_MC2-5700-F18A@compuserve.com>, Nigel Hickson
>> <nigelhickson@compuserve.com> writes
>>
>> >Businesses are not likely to act on electronic orders unless they are
>> >content as to the identity of the buyer.
>>
>> This is just plain wrong.
>>
>> Businesses are not likely to act on electronic orders unless they are
>> content that they are going to get paid !
>
>No, it is not as wrong as you suppose. Agreed it is a simplification
>(and was probably intended to be understood as such).
I would suggest that the problem is not that it is a simplification, but
that it seems to be being taken at face value, and thus leads directly
to some of the actual proposals.
But, perhaps all this stuff about "business" is a red herring thrown in
to the mix by some members of the authoring committee to confuse ? or
because they are themselves confused ?
III 5 says very clearly "However, a legal framework is mainly needed for
certificates to enable the authentication of the electronic signature of
a signing individual. The present Directive therefore focuses on the
function of a certificate (called 'qualified certificate') as a linkage
to the civil identity or the role of the person."
Commerce is not about civil identities, and it is only very loosely
about people's roles. Commerce is about money and payment and the
movement of goods, and I don't see much in the Liability section
(article 6) about those -- there is just more about the CSP being sure
who people are -- until we get to the curious item 4:
"Member States shall ensure that a certification service
provider may indicate in the qualified certificate a limit on
the value of transactions for which the certificate is valid.
The certification service provider shall not be liable for
damages in excess of that value limit."
It is an interesting thought that the bureaucrats think that the CSP
will wish to allow people to rely on a certificate for transactions of
monetary value, solely on the basis that they know who you are.
This sounds like an old-time moneylender who is prepared to advance you
a fiver "cos, we knows who you are; understand!"
Insurance for CSPs may not be cheap :(
>What businesses would like to know is certain attributes of the buyer.
>But it is up to the business to decide what attributes they would like
>to see.
I would agree absolutely - but the directive is locked into the idea
that certificates exist to closely couple a real world identity into the
cyberworld. It requires "unmistakable" names or pseudonyms.
It even ties itself into various LEA knots (the usual LEA/privacy
problem) trying to deal with mapping these pseudonyms back to some sort
of unmistakable name.
Note that almost every deployed system works entirely with pseudonyms
(richard@turnpike.com is not my name!) because an unmistakable identity
is going to be rather long and tedious (not to say privacy-disabling) to
trot out all the time.
> Likely they will want to know if he can pay.
I can't find a way to say "you've clearly not run a business" without
appearing condescending. Sorry :( but this is NOT what a business
person would say:
A business wants to know IF they will be paid - they don't care WHO does
the paying! That's why credit cards are so useful. The business pays a
few percent and doesn't have to take a risk. Businesses factor invoices
for similar reasons.
> Likely they will
>want to know if the delivery address for the goods relates to the buyer
>(or at least to the same entity as payment is promised by).
ONLY if that is a condition of being paid !
You will find wide variations when paying by credit card as to where the
goods can be delivered... these reflect different attitudes to risk,
different conditions imposed by the credit card companies, and in some
cases the ignorance of the sales people :(
> But they
>could as easily want to know the actual identity (they might prefer not
>to send goods to a certain wealthy Arab living in Afghanistan, though I
>am sure that gentleman's creditworthiness is entirely beyond reproach).
An interesting example of someone who is "clearly" identified by name
(which will not be unique in that part of the world), whose address is
hard to establish (he may well be moving at present), and who is almost
certainly in a position to influence some of the local authorities to
change his documentation. Exactly what "unmistakable" identity should
we consider relying upon ?
One can perhaps imagine a circular stating that "certificate <nnnn>"
referred to a persona non grata and by inference that you will have a
poor defence when Customs & Excise lock you up... but this doesn't sound
like "business" it sounds like "The State".
Business is not concerned with absolute identities whereas the State is.
So are we getting a system for the State (where it may well be
necessary, I'm not sure I know enough to say otherwise) being foisted on
us under the guise of it being a system for business ?
>I expect the
>world is moving on faster than the DTI can produce draft regulations to
>control it.
especially if they start from a flawed understanding of the problem :(
--
richard richard.clayton @ T U R N P I K E .com
http://www.demon.net/news/features/crypto/ for Demon's views on crypto
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM