EU Draft Digital Signature Directive

William H. Geiger III whgiii at openpgp.net
Fri, 28 Aug 1998 13:48:08 -0500


-----BEGIN PGP SIGNED MESSAGE-----

In <3.0.5.32.19980828184740.00a11870@mail.netkonect.co.uk>, on 08/28/98 
   at 06:47 PM, Nicholas Bohm <nbohm@ernest.net> said:

>>Several contributors have suggested that personal signatures are in some
>way attached to the person of the signer.  Since only a few people know
>what my signature or I look like, and as many conmen are quite capable of
>copying a signature (off a stolen card, for example) and as the number of
>people who check signatures is vanishingly small, and finally as
>signatures vary to the point that a useful scheme to check signatures
>electronically proved quite impracticable, I do not think that ordinary
>signatures are any more difficult to fake than digital ones - probably
>less.

>I think this misses the point of the analogy.  The point to my mind is
>that if someone fakes my signature and deceives a third party, it is
>quite difficult for the third party to make me carry the can.  Once the
>handwriting experts get on to the case, it becomes quite hard for anyone
>to prove that a signature was made by me if it wasn't.

>That is not true of digital signatures:  if they can be faked at all
>(through some variety of compromise, not necessarily through fault on the
>owner's part), they can be faked perfectly.  It is very unfair to the
>third party who could not have detected the forgery by any practicable
>means if he cannot make me carry the can (which is not the case with
>handwriting in principle, however slack everyone chooses to be in
>practice and at their own risk);  but it is very unfair to me if the
>compromise was one I could not have avoided by reasonably available means
>(it isn't easy to get your system proofed against tempest attacks, bugs,
>trojans etc - and there are no current standards of what protection I can
>reasonably be expected to take).

>It is this risk of unfairness to both sides that makes current proposals
>a dangerously inadequate basis for the structures that are hoped to rest
>on them.

I agree 110%. Digital signatures are *not* ready for prime time. They may
never be. This is not the fault of the signature protocols themselves, or
the digital signature software, but of the environment that they must
operate in.

A sad fact is that the majority of desktop computers are running Win95/98.
Microsoft has historically been unwilling and unable to produce a secure
OS; it is doubtful that they ever will. This is not so much a programming
problem as it is a management problem. MS management refuses to put the
time, effort, and expense that is required at all levels to provide their
users with anything that resembles a secure environment.

Add to this poorly written digital signature laws, misguided (if not
outright hostile) government intervention, and a complete lack of
understanding by the general public, and we have one huge house of cards
waiting for the slightest breeze to blow it over.

It reminds me of the saying "feet of clay" but here we have "feet of
quicksand" and no matter how strong we build the top layer of protocols
and programs the underlying infrastructure will not support it.

The only acceptable policy is the one current CC companies have (at least
in the US), accept the fact that there will be fraud, a lot of fraud, deal
with it the best you can, and don't hold the end user liable when it
happens. Unless the liability issue is resolved, e-comm will be dead in
its tracks.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
- ---------------------------------------------------------------
 
Tag-O-Matic: Windws is ine for bckgroun comunicaions

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNeb+sI9Co1n+aLhhAQEf0AQAxoVdb1W/yCUpM8gcFuDkZjrbX9XPQQZ2
OazGXZY2cmtpQZYZWE9VNaBH+9tG/A8bIIyN7ai2YGFCQ5xCMm7G8VeDVs1lU+ki
NRHWFBCOEHcSzdCL2vaBHpYlCoQOX+lHFW4nysolS4CC3JXIdfoV4/1RJy2DtHWV
GiGhDXcp9oo=
=Ogyu
-----END PGP SIGNATURE-----