Signature certification

Nicholas Bohm nbohm at ernest.net
Fri, 30 Mar 2001 10:28:47 +0100 

At 19:47 29/03/2001 +0100, Charles Lindsey wrote:
>	On Thu, 29 Mar 2001 12:51:19 +0100
>	Nicholas Bohm <nbohm@ernest.net> said...
>
>> 
>> At 10:41 29/03/2001 +0100, Charles Lindsey wrote:
>> >
>> >Yes, the analogy between certification and conventional witnessing is a
>> >good one.
>> 
>> I disagree.  A witness need know nothing about the signer, but must see
>> him/her sign.  The only function of the witness is to appear in the witness
>> box when there is a dispute whether a particular person signed the
>> document, and say whether or not the alleged signer (present in person or
>> over a video link or shown in a photograph) is or is not the person the
>> witness saw make the signature.  There is not much true similarity to
>> certification in the CA sense. 
>
>So? The witness testifies that the signature was made by a person whom
>she identifies by whatever facts she then gives in evidence.
>
>A CA testifies that the signature is that belonging to a person whom he
>then identifies by whatever fact he then gives in evidence.
>
>The nature of the evidence given may be different in the two cases.
>Mrs Smith says "I recognise the face of the person who signed it"; the
>CA says "the person concerned produced his passport and his driving
>licence and a signed statement from his GP, whom I then spoke to for
>confirmation". In each case the court decides whether the evidence
>offered is good enough. But the principle is the same in either case.

Perhaps a common principle can be stated at some level of abstraction, but
the two cases are very different in functional terms.

The CA provides a certificate about a public key which its recipient takes
as an assertion (in accordance with the CPS) that the CA has checked that
the corresponding private key was available to a person generally known by
a particular name.  The recipient believes that the certificate provides an
immediately verifiable assurance about the name of the signer.

The recipient of a witnessed document has no reason to believe that the
witness will say that she saw the document signed by a person known to her
as (let alone checked by her as) being generally known by the name of the
purported signatory.  It is equally possible that when presented face to
face with the person who purports to have signed the document, the witness
will say that that was not the person she saw sign.  So her attestation
provides a recipient with no grounds for trusting the witnessed signature.
And the recipient is assumed to have no prior knowledge of what the
witness's signature should look like, so the recipient has no basis for
judging the quality of whatever assurance the witness will ultimately
provide (whereas of course a CA is supposed to be known and trusted).

The true comparison is between having a document notarised and having a
signature certified by a CA.  I think it was disingenuous of the
Consultation Paper to assimilate electronic signature certification to
(homely everyday) witnessing instead of (bureaucratic burdensome)
notarisation.

Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop’s Stortford CM22 6SX, UK

Phone	01279 871272	(+44 1279 871272)
Fax	01279 870215	(+44 1279 870215)
Mobile	07715 419728 (+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF