Peter wrote:

> Let me expand on this: Not all (more exactly: most) digital signatures
> are digital signatures in this context. In particular, f.ex., signing
> an email with a *private* public key that is shown only to qualified
> individuals on demand (and a court would certainly not qualify) is
> explicitly, by design, not 'digital signing' in the sense implied by
> you and by the new law,

Well, it is not a digital signature by any original definition either. Unless I know the certificate used for signing, the fact that the RSA/DSA/ElGamal/Whatever algorithm was applied to it neither adds nor subtracts. I have to know who the key belongs to in order for the actual signature to mean anything.
We will now break for a quick disclaimer:

*DISCLAIMER* Not only am I not a lawyer, but the following analysis is based not on actually reading the text of the law, but on it being explained to me. As such, it may be even less accurate than the usual half-assed analysis of legal matters you (plural) have come to expect of me.

We now return you to our usual program:

However, if I have taken any reasonable measures to ascertain that key X belongs to you, then the law says I can depend on anything signed using said key as coming from you, unless, of course, you follow the exceptions provided by the law to notify me in a timely manner that your key is no longer valid.

As far as I understand the law (again, not from reading it), it does not list specific algorithms that should be used or specific procedures for authenticating that the keys belong to the specific person. All it does do is define what a CA is, and say that such a CA is authorized to authenticate keys. There is nothing there (again, hearsay that had better be verified) that suggests that merely because PGP uses a different kind of authentication, it is not as binding as the usual PKI method.

This means, to me, that you have but two options: signing your emails with a key that you did not prove to me belongs to you, which is useless with or without the law, or signing your emails with a key you did prove to me in the past, which makes your emails legally binding.

> In general, making new 'definitions' of the value of signatures is
> void of value when one considers precisely the fact that you state so
> obviously in this answer: That in fact 'it depends' and there are
> 'limits' which actually redefine the meaning of 'not legally binding'.

Those limits apply to any contract, electronic or not, and therefore have no bearing on the question at hand. You cannot limit my rights by signing a piece of paper I did not sign, just as you cannot limit my rights by sending me an electronically signed email.
> And signing one's emails with non-legally-binding and deniable methods
> is a part of ensuring that freedom of speech is maintained,

If you sign your emails in a deniable way you do, indeed, avoid the problems of the digital signature law. What I fail to see is what you gain by it. Deniability and signature are, as far as I can see, mutually exclusive.

> Peter

Shachar
-- 
Shachar Shemesh
Lingnu Open Source Consulting ltd.
Have you backed up today's work?
http://www.lingnu.com/backup.html
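The two points argued in the thread, that a signature only means something once the verifier has independently bound the key to a person, and that a deniable authenticator and a signature are different animals, as an added example that is not part of the original messages. It is Go standard-library code (Ed25519 stands in for the RSA/DSA/ElGamal of the thread; HMAC-SHA256 stands in for the "deniable method"). The `Keyring`, the names Alice, Bob and Mallory, the e-mail body and the shared secret are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// contractMail is a constructed stand-in for a signed e-mail body.
const contractMail = "From: alice@example.test\n\nI agree to pay 100 units for the consulting work.\n"

// Keyring models the out-of-band step the post insists on: the verifier's own
// record of which person a public key was proved to belong to. Keys are stored
// as hex fingerprints of the raw Ed25519 public key. (Constructed for the example.)
type Keyring map[string]string

// Trust records that pub was verified (however the verifier chose to do it)
// as belonging to name.
func (k Keyring) Trust(pub ed25519.PublicKey, name string) {
	k[hex.EncodeToString(pub)] = name
}

// Sign produces a non-repudiable signature: only the holder of priv could
// have produced it, and anyone holding the matching public key can check it.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature is the check a recipient, or later a court, can run with
// nothing but the public key. A true result says the key's holder signed msg;
// it says nothing about who the key's holder is.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// WhoSigned turns a raw verification into an attribution: it returns the name
// the keyring binds to pub, or "" when the signature fails or the key was
// never proved to belong to anyone. This is the "key X belongs to you" step.
func WhoSigned(k Keyring, pub ed25519.PublicKey, msg, sig []byte) string {
	if !VerifySignature(pub, msg, sig) {
		return ""
	}
	return k[hex.EncodeToString(pub)]
}

// MAC produces a deniable authenticator over msg under a secret shared by
// sender and recipient. The recipient can verify it, but because the
// recipient holds the same secret they could have produced the identical tag
// themselves, so the tag is worthless as evidence to a third party.
func MAC(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyMAC checks a tag in constant time.
func VerifyMAC(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(tag, MAC(sharedKey, msg))
}

func main() {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	malloryPub, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte(contractMail)

	// Bob has, at some point, satisfied himself that alicePub is Alice's key.
	ring := Keyring{}
	ring.Trust(alicePub, "Alice")

	sig := Sign(alicePriv, msg)
	fmt.Printf("Alice's key, known to Bob: attributed to %q\n", WhoSigned(ring, alicePub, msg, sig))

	// Mallory's signature is every bit as valid mathematically, but Bob never
	// bound that key to a person, so it proves nothing about the sender.
	msig := Sign(malloryPriv, msg)
	fmt.Printf("Mallory's key, unknown to Bob: verifies=%v, attributed to %q\n",
		VerifySignature(malloryPub, msg, msig), WhoSigned(ring, malloryPub, msg, msig))

	// Deniable path: a MAC under a secret Alice and Bob share. Bob can check
	// Alice's tag, and Bob can equally mint a tag for words Alice never wrote.
	shared := []byte("constructed shared secret, not a real key")
	fmt.Printf("Bob verifies Alice's tag: %v\n", VerifyMAC(shared, msg, MAC(shared, msg)))
	forged := []byte("Alice never wrote this")
	fmt.Printf("Bob forges a tag that also verifies: %v\n", VerifyMAC(shared, forged, MAC(shared, forged)))
}
```

The first two outputs are the thread's point about binding: both signatures verify, but only the one made with a key in Bob's keyring names anybody. The last two are the deniability point: the MAC verifies for the party holding the secret, and that same party can produce an equally valid tag over any text, so presenting it to a court shows nothing about who sent the mail.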
