Digital Signatures
George Foot
georgefoot at oxted.demon.co.uk
Sun, 30 Aug 1998 10:41:41 +0100 (BST)
Thank you for your helpful contribution to the debate.
We are aware of methods involving tamper proof boxes (and
the like) which may be employed in some cases but which
are not likely to be universal. There is also the
case of being unprepared and installing the tamper proof
box "as a lock on the stable door after the house has bolted".
One still has to convince the judge that nobody had
been able to get at the box without permission including
the people entitled to do so. That is to say one has to have
arrangements for entry only when several nominated people
are present simultaneously...... and so on. Such things are
not simple and constitute a real drag on a company so that
"short cuts" will take place which are only revealed after
some crisis has led to a full scale investigation.
Then ask the lawyers, but I think that personal responsibility
for wrongdoing will still rest with the Directors of a company.
With thousands of documents being signed on behalf of a company
every day, our Mr. Smith can be a lowly employee who has
never been given any detailed information about company precautions.
And somewhere in the chain there may be an ingenious
fraudster who has tampered with the system without leaving
a trace.
A fool-proof system has never existed and never will.
But thank you for your interest and concern.
George
On Sat 29 Aug, Charles Lindsey wrote:
> On Fri, 28 Aug 1998 18:07:33 +0100 (BST)
> George Foot <georgefoot@oxted.demon.co.uk> said...
>
> >
> > But when the judge says "Mr. Smith is that your digital signature"
> > poor Mr. Smith may not even understand the question. In any
> > case is it his signature ? It cannot even be said to be unique
> > to him as this so-called electronic signature is probably
> > known to many other employees of the firm and may be found at
> > many locations within the company.
>
> I would hope not. There are two ways a Company may arrange to sign
> documents "on behalf of the Company".
>
> 1. The Company's "corporate signature" is kept in a tamper-proof iron
> box. The question then boils down to who may instruct the box. So the
> box is programmed to accept digitally signed instructions from certain
> employees (and probably each employee's certificate will state which
> kinds of document he is empowered to sign). If sensible arrangements are
> made for employees (or more likely their managers) to delegate their
> rights (on a time-limited temporary basis) during their absence, then
> there is never any need for any employee to disclose his secret to any
> other employee (and doing so should be a dismissable offence).
>
> 2. The Company delegates the right to sign on its behalf to designated
> employees (again limited to certain classes of document). An employee
> signing on behalf of the Company should, at the same time, present a
> certificate of his authority signed by the Company key. Everything else
> is then as in case #1. This system is probably better than the first,
> because it involves less usage of the Company's key, which is probably a
> good thing. OTOH it is easier to revoke an employee's authority in case #1.
>
> Charles H. Lindsey ---------At Home, doing my own thing------------------------
> Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl
> Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
> PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>
>
>
--
George Foot
georgefoot@oxted.demon.co.uk
Web Page. http://www.oxted.demon.co.uk
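
Added example, not part of the original messages: a Go sketch of the second arrangement quoted above, in which an employee's signature is accepted only together with a certificate of authority signed by the Company key and limited to certain classes of document. The use of Ed25519, the certificate layout, the 24-hour expiry (borrowed from the time-limited delegation mentioned under case 1) and every name in the code are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type AuthorityCert struct { // hypothetical format, signed by the Company key
	Employee   ed25519.PublicKey // key being authorised
	Classes    []string          // document classes it may sign
	NotAfter   time.Time         // assumed expiry of the authority
	CompanySig []byte
}
func (c AuthorityCert) tbs() []byte { // the bytes the Company key signs
	return []byte(fmt.Sprintf("%x|%q|%d", c.Employee, c.Classes, c.NotAfter.Unix()))
}
// Verify checks the chain: Company key -> certificate -> employee signature.
func Verify(company ed25519.PublicKey, c AuthorityCert, class string, doc, sig []byte, now time.Time) error {
	if !ed25519.Verify(company, c.tbs(), c.CompanySig) {
		return fmt.Errorf("certificate not signed by the Company key")
	}
	if now.After(c.NotAfter) {
		return fmt.Errorf("authority expired")
	}
	for _, k := range c.Classes {
		if k == class && ed25519.Verify(c.Employee, append([]byte(class+"\x00"), doc...), sig) {
			return nil
		}
	}
	return fmt.Errorf("class not authorised or employee signature invalid")
}
// Scenario: a 24-hour "purchase-order" certificate, checked `hours` after issue.
func Scenario(class string, hours int, widen bool) error {
	cPub, cPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	ePub, ePriv, _ := ed25519.GenerateKey(nil)
	t0 := time.Date(1998, 8, 30, 0, 0, 0, 0, time.UTC) // constructed issue time
	cert := AuthorityCert{Employee: ePub, Classes: []string{"purchase-order"}, NotAfter: t0.Add(24 * time.Hour)}
	cert.CompanySig = ed25519.Sign(cPriv, cert.tbs())
	if widen { // the holder edits his own certificate after the Company signed it
		cert.Classes = append(cert.Classes, class)
	}
	doc := []byte("constructed sample document")
	sig := ed25519.Sign(ePriv, append([]byte(class+"\x00"), doc...))
	return Verify(cPub, cert, class, doc, sig, t0.Add(time.Duration(hours)*time.Hour))
}
func main() {
	fmt.Println(Scenario("purchase-order", 1, false), Scenario("contract", 1, true))
}
```

The check establishes only which key signed and what the Company key authorised; it says nothing about who had access to the employee's key, which is the point argued in the reply above.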