Comments: survey of RFC S/MIME signature handling

when we were asked in to help wordsmith the cal state (and later federal) electronic signature act ... the lawyers had quite a bit to say about this ... some past posts
http://www.garlic.com/~lynn/subpubkey.html#signature

i've joked that it involves semantic confusion because the terms "digital signature" and "human signature" both contain the word "signature"

the whole idea that past certification events have anything to do with (future) intent, non-repudiation, and/or human signature (i.e. read, understood, agrees, approves, and/or authorizes) has been severely depreciated since the heyday of the enormous (semantic) confusion of the 90s.

furthermore, it can be considered that even bringing up anything to do with non-repudiation, intent, and human signature in conjunction with issuing a digital certificate is enormous misdirection and obfuscation.

the issue of certification authorities, certification process, and digital certificates is analogous to the letters of credit/introduction from the sailing ship days (and before) when the relying party had no other means of obtaining information about the party they were dealing with. in those days, relying parties realized that the letter of introduction might have something to do with the truth of what a stranger might possibly claim. However, the letter of introduction was specifically with respect to specific facts that were verified at the time the letter was written.

There was NEVER any implication that the act of certifying information included in the letter of introduction was in any way associated with the subject's subsequent human signature that carried with it any implication of intent, non-repudiation, read, understood, agrees, authorizes, and/or approves.

In fact, it was a physical and temporal impossibility that the act of certifying some information at some point distant in the past had any bearing on the future human act of applying a (human) signature.

Subsequent work (after the 90s) in the area of intent, non-repudiation, having read, understood, agrees, approves, and/or authorizes ... all revolved around services that happened at the moment a signature was applied ... somewhat equivalent to having "witnesses" involved in the signing of a will (and severely depreciated any possible prior work in relating any past work of certification authorities to any future demonstration of intent).

In this subsequent work, there was nobody confused that the act of certification at some point in the past (which is what a digital certificate represents) .... was in any possible way related to the conditions around the future application of a signature. This would be on par with trying to make some connection between the issuance of a birth certificate being related to proving that some person had intended to sign a specific will. Part of the issue is that the two events; some certification and some signing (demonstrating read, understood, approves, agrees, and/or authorizes), are typically separated by quite a distance ... both physically and temporally.

Posted by Lynn Wheeler at May 5, 2007 10:14 AM

re:
http://www.garlic.com/~lynn/aadsm26.htm#67 survey of RFC S/MIME signature handling

or to be (only slightly) more facetious ... require all birth certificates to carry a disclaimer that the document in no way is meant to carry any implication as to the validity of any signatures that the named person may place on wills (at any time in the future). the birth certificate disclaimer then would have to be extended to include the enumeration of all possible documents on which a person might place their signature.

Posted by Lynn Wheeler at May 5, 2007 02:28 PM