I own a small business that works with contractors all over the world, and I'm currently scratching my head over the issue of signing contracts. I know that gpg can/has been used to this purpose, but I wanted to ask the list's advice. There isn't a whole lot of information on the webs on the issue, this is the most thorough description I found:
http://wiki.bitcoin-otc.com/wiki/GPG_Contract Is there a general sense that this is viable (at least as viable as scanning and emailing contracts that have been signed with a pen)? Does the process outlined in that webpage have any gotchas? To wit (apologies for hackneyed "Bob and Alice"): 1. Bob writes a contract; the names and fingerprints of both Bob's and Alice's PGP keys are included in the original body of the contract. 2. Bob clearsigns the contract, sends to Alice. 3. Alice verifies Bob's signature, then adds text *outside* of the part of the contract signed by Bob, to the effect that she agrees to this contract. She clearsigns the entire contract (including Bob's signature) and sends it back to Bob. 4. Bob verifies his own original signature, to prevent tampering. 5. Bob verifies Alice's signature. Are there any technical pitfalls here? The main one that I can think of is that this potentially reverses the incentive for verifying key ownership -- usually you're working to prove that you *do* own a key, whereas now you might have a reason to temporarily fake ownership of a key you don't own (allowing you to later legally repudiate a contract). I can't think of how that would actually play out, but it seems like the system as a whole was not designed in this direction… As for the legal validity of such a process, I can do my own research, but if anyone had anything to note, that would be appreciated! Thanks, Eric _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
