Management of signature keys for government

[Ian Brown]

> today you cannot repudiate a
> paper-signed contract by claiming that you signed a quantity of
> blank pages and left them lying about. It is _your_ responsibility
> to protect your signature.

I don't think the blank cheques is the right analogy. If you could
digitally sign an equivalent -- "I am stupid enough to authorise any
transaction in this file but not included in the signed data" -- you
would have to be very careful about who you gave this file to, but it
wouldn't be the same as being careful with your signature.

It's easy to lay liability on people for digital signatures. How would a
court view, say, signatures made by people who had bought faulty
smartcards that leaked their private key (GCHQ Ltd.) or used a very bad
random number generator when generating it (DTI Ltd.)?

Or someone who claimed "I didn't realise I had to keep that secring.pgp
file and my passphrase a secret. I really don't understand computers,
Your Honour."

Ian ;)