Dear Arnd and Anders,

As a quick response, in my opinion, the "evidential value of server-based signatures" will be easier for courts and judges than a pure PKI client. Generally, courts around the world look to see if evidence is "reliable." A properly implemented server-based signature system should be accepted by the courts, just as any other type of business process.

I was the Chair of the Evidence Committee of the American Bar Association "Digital Signatures" committee that prepared the ABA Digital Signature Guidelines and assisted Alan Asay in writing the Utah Digital Signature Act. We discussed many legal issues pertaining to evidentiary value. Below, I present a section of the US Federal Register for the US Treasury Department regulations. It discusses the admissibility of digital signatures. It is a good, concise explanation of the "self-authenticating" nature of digital signatures, which I had hoped to include in the ABA guidelines.

If you have any questions, just send me an email.

Regards,
Gary Weber

Arnd wrote:
>Will auditors, judges etc. be happy with the evidential value of
>server-based signatures? Wouldn't one have to expect fake signatures in the
>long run, after massive take-up of that approach? Did anybody investigate
>these issues in detail, can anybody tell me a reference?
>
>Thank you!
>
>Arnd
>

********************************************
Gary W. Fresen
Attorney at Law
Email: [EMAIL PROTECTED]
Mobile Phone: 847-420-8264
********************************************

[Federal Register: November 20, 1998 (Volume 63, Number 224)]
[Rules and Regulations]

DEPARTMENT OF THE TREASURY
Fiscal Service
31 CFR Parts 317, 351, 353, and 370
Regulations Governing Agencies for the Issue and Offering of United States Savings Bonds, Including Sales by Electronic Means
AGENCY: Bureau of the Public Debt, Fiscal Service, Treasury.
ACTION: Final rule.

[Page 64548]

Admissibility of Digital Signature (Sec. 370.55)

This section addresses the legal requirement that an item be authenticated before being introduced into evidence. ``Authentication'' is a term that has a technical meaning specifically linked to the security of electronic signatures, but also has a separate meaning in the law of evidence, at which this section is directed.
Under Rule 901 of the Federal Rules of Evidence, ``The requirement of authentication * * * as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.'' For instance, under Rule 901(b)(2), this evidentiary requirement may be met in regard to a handwritten record by nonexpert testimony as to the genuineness of handwriting. Although there have not as yet been any cases on the matter, the requirement of authentication for digital signatures likely can be met under Rule 901(b)(9), which allows for the sufficiency of ``[e]vidence describing a process or system used to produce a result and showing that the process or system produces such a result.''

However, in some situations authentication evidence is not required as a condition precedent to admissibility. As noted under Rule 902 of the Federal Rules of Evidence, extrinsic evidence of authenticity is not necessary for certified birth and death certificates, newspapers and periodicals, trade inscriptions, commercial paper, and notarized records, among other things. Because these items are likely to be authentic, a strict adherence to preliminary authentication procedures unnecessarily would expend a court's time and resources. Accordingly, the items are considered to be self-authenticating and--barring other objections to the evidence--may be admitted into evidence without additional preliminary review.

The section states a limited self-authentication provision for digital signatures. This section begins by noting that authentication of a purported digital signature may be accomplished by evidence sufficient to support a finding that a digital signature exists. However, extrinsic evidence of authenticity is unnecessary to establish that a digital signature corresponds to a public key pair, as well as that an electronic record to which a digital signature is affixed has not been altered from its original form.
There are several reasons that support the insertion of a limited self-authentication clause into this final rule. If public-key encryption has been properly implemented, the risk of a successful forgery or alteration of a digital signature is extremely remote, and is significantly less than the risk of forgery or alteration for paper records. Furthermore, although a legal showing of authenticity in the absence of a self-authentication provision almost certainly could be accomplished, such a showing would require considerable time and resources. Among other things, it would entail extensive scientific testimony on encryption, leading to an expensive and unproductive ``battle of the experts.'' Use of a self-authentication provision avoids this wasteful problem. In almost all cases, the existence of a digital signature should be beyond reasonable dispute. The most likely challenges to a digital signature and an electronic record to which it is affixed will turn not on whether a digital signature exists, but on whether the digital signature should be attributed to a particular person. These challenges frequently will focus on the issuance, protection, or revocation of the digital certificates used to link a digital signature and accompanying record to a particular person. This section does nothing to prevent such challenges, for the self-authentication provision does not tie a digital signature to a particular person. Extrinsic evidence tying the public key pair used in the creation of a digital signature to a particular person still will have to be provided before a digital signature and a record to which it has been affixed could be admissible. Furthermore, this section would have no application at all in criminal cases. 
Finally, even to the extent that a self-authenticated digital signature and accompanying record could be introduced into evidence under this section, this section in no way prevents a party against whom a digital signature is asserted from contesting the existence or authenticity of the signature. However, any arguments would go to the weight of the evidence, not to its admissibility.

(18) Negligence Contributing to Forged Signature (Sec. 370.56)

This section states that a person whose failure to exercise ordinary care substantially contributes to the creation or submission of a forged signature is precluded from disavowing the forged signature. Furthermore, the burdens are on the person against whom a signature is asserted to produce evidence that ordinary care was exercised and to persuade a trier of fact that it is more likely than not that the person exercised ordinary care. However, in asserting a signature under this section the Bureau of the Public Debt first will have to establish that it exercised ordinary care in relying upon the signature.

This section is drawn in part from section 3-406 of the Uniform Commercial Code (UCC) (``Negligence Contributing to Forged Signature or Alteration of Instrument.''). The responsibilities imposed upon persons in regard to the technology used to create and submit electronic signatures and accompanying electronic records are similar to those imposed under the UCC in regard to rubber signature stamps used to sign checks. Official Comment 3 to UCC section 3-406 is enlightening in this regard. If a person's rubber signature stamp and checks, kept in an unlocked drawer, are stolen and used by a party to forge a check, a bank may successfully be able to argue that the person is precluded from disavowing the forged signature because the person's lack of ordinary care substantially contributed to the forgery.
Similarly, under the final rule if a person fails to take adequate security precautions to protect access to electronic signature technology (such as by not safekeeping a computer password, for instance) and this failure substantially contributes to the creation or submission of a forged signature, the person is precluded from disavowing the signature. By looking to the UCC provision, this section attempts to find middle ground between varying approaches in current law as to how liability should be distributed between the parties for unauthorized transactions. For instance, a person can be held accountable for all unauthorized calls from that person's telephone number, without regard to whether ordinary care was exercised by the person. At the other end of the spectrum, a person cannot be held accountable beyond $50 in unauthorized transactions on that person's credit card, regardless of whether the consumer exercised ordinary care in protecting the card or in promptly reporting a loss or theft of the card. Treasury believes that if pursued in these regulations, a provision that allows the assertion of a forged signature against a person even if the person exercised ordinary care would unfairly punish consumers and discourage electronic commerce. At the same time, if a person's fault has led to the creation of a forged signature, a provision that limits or precludes the assertion of the signature against the person does little to encourage the exercise of ordinary care. This section allows the assertion of a forged signature only if the person's failure to exercise ordinary care substantially contributed to the creation of the signature. This section places the burdens of production and persuasion upon the person against whom the signature would be asserted to show that the person exercised ordinary care. 
Because an electronic signature is not created in the presence of the person accepting the signature, the person accepting the signature typically does not have best access to the evidence needed to establish the forgery and the exercise of ordinary care. It is appropriate to require the person against whom the signature would be asserted to make this showing. Also, in asserting a signature under this section the Bureau of the Public Debt will have to establish that it exercised ordinary care in relying upon the signature. The evidence needed to establish that it used ordinary care will be within the control of the Bureau of the Public Debt and so it is fair to require the Bureau of the Public Debt to make this showing.

In its comment letter, the Federal Reserve Board expressed concern that this section might be used to avoid the limitations of Regulation Z. As alluded to above, Regulation Z caps cardholder liability for unauthorized credit card use at $50. This section does not seek to encroach upon Regulation Z. To the extent this section might apply to unauthorized savings bond purchases involving credit cards, Treasury would be seeking to recover on a savings bond contract, not a credit card debt. In any event, Treasury has amended section 370.0 of this part to emphasize that to the extent Regulation Z applies to transactions accomplished pursuant to this part, the consumer protections extended by Regulation Z are unaffected.

(19) Liability (Sec. 370.57)

This section limits the Bureau of the Public Debt's liability for claims involving this subpart E to the amount of the transaction, less any losses caused by the failure of a claimant to exercise due diligence. For instance, this section could have application to claims involving errors in the handling of otherwise properly authorized transactions.