EU Draft Digital Signature Directive

Brian Gladman gladman at seven77.demon.co.uk
Thu, 27 Aug 1998 12:40:37 +0100 

George Foot <georgefoot@oxted.demon.co.uk> wrote:

[snip]
>In future: We are trying to use a digital signature as a substitute
>for personal knowledge of the person seeking to get short-term credit
>as an ordinary business convenience when placing an order.


This maybe what some people are trying to do with digital signatures but, if
they are, they have misunderstood this technology.  At very best all a
digital signature can do is to confirm that we are actually exchanging data
with the person (or entity) we expect - it says nothing at all about the
trust or confidence we should have in them as people (or processes).

When I sign a public key of a colleague I am simply asserting my belief (not
a fact) that this key belongs to them - I am saying ***nothing*** about
their trustworthiness as a person.  Others might not sign the key of a
colleague who they don't trust (and might hence be trying to say something
about them) but anyone who expects such behaviour to be the norm is taking a
very big risk.

In any transactions we have to have ways of developing confidence in both
the people and the processes involved - digital signatures assist in some
aspects of the latter but make no contribution to the former.

>This concept will appear to work because the great majority of
>commercial transactions are conducted by people who have no
>intention of defrauding anyone. It will imbue a false confidence.


It works because it has nothing to do with the trustworthiness of the people
involved.

>But it is in fact a glorious opportunity for specular fraud
>by ingenious crooks of which there is a ample supply in the
>real world.


This is correct precisely because some people have been badly misled into
believing that digital signatures do say something about the trust that can
be placed in their owners.   This is a good example of the misuderstandings
that arise when a technology becomes 'fashionable' and hence subject to
being sold on the basis of hype and misunerstanding rather than on the basis
of its real utility.

>Trust is a lengthy process of getting to know the character
>and reliability of a business associate and for this there is
>no substitute.


Correct and not what digital signatures seek to achieve.

      Brian