EU Draft Digital Signature Directive
Chris Sluman
Chris.Sluman-Open_IT at btinternet.com
Wed, 26 Aug 1998 19:26:49 +0100
At 11:56 26/08/98 +0100, you wrote:
>From: John Williams <johnwill@bcsphcsg.demon.co.uk>
>> Agreed. It is surely true for written signatures. If you know me, and
>> see me sign a cheque made out to you - then you don't need my signature
>> witnessed, or somehow authorised by a notary. You are simply left
>> wondering if I have the funds in my bank account. Even the bank doesn't
>> ask for a third party certification of my signature. Why should a
>> digital signature be any different?
>
>Agreed, but surely you could contract with say your bank if
>they were willing on the basis of "my digital sig is your
>authorisation"? Yes I realise there are complexities with
>repudiation etc., but surely it would be possible to agree
>a contract with your bank for them to accept your pgp-signed
>instructions as though they were written, signed instructions?
>Can anyone see any legal problems here?
>Is there a market advantage here for any bank that's
>willing to take it?
As a simple example, I use Lloyds for my business banking. I do a
reasonable number of transfers between accounts (my own plus external) ~
3-4 per week. They accept my 'written authority' - a computer generated
fax, with no personal (or otherwise) signature.
The interesting thing was, when I upgraded WINFAX, I developed a new fax
form. Next transfer was in a completely different style, font, everything.
Did they ring up and check authenticity.......?
By accident, I (more correctly, my external-facing machine) sent two copies
of a transfer request. Identical - same date/time stamp, everything. You
guessed it, they actioned both.
The moral of the story is, as always, the weak link in the system is the
PEOPLE involved in any transaction chain. They either get in the way (and,
generally get b.ll.cked for their efforts) or they stay out of it (squeaky
clean) and all sorts of rubbish gets through.
UKCRYPTO is a fine forum for addressing the issues. We are either looking
at the whole problem, or we are concentrating on a (cryptography)
subsection. My current analysis suggests we are firmly straddling the fence
- a foot on one side definitely, but a foot dangling in (one or more)
no-man's-lands also.
Question - is this a bad thing? Where else are the real issues being
debated? (excuse naivety).
I once did some standards work where we tried to define a scope for the
work. The defined scope then became the boundary for the work. Question, is
the boundary within or without the scope? I think a lot of the peripheral
issues being raised in this forum are boundary issues.
My vote. Count them IN.
Cheers,
________________
Chris Sluman
Open-IT Ltd.
31, Thornton Avenue
Streatham Hill
London SW2 4HJ
UK
Tel: +44(181)674-8633
Fax: +44(181)671-6434
Mobile: +44(385)501963