Shachar Shemesh <[EMAIL PROTECTED]> writes:

> As far as I understand the law (again, not from reading it), it does not
> list specific algorithms that should be used or specific procedures for

Mistake #1, and counting. I did point out before that certain MUAs implicitly sign the message by calculating a hash sum over the message and certain key parameters in it, making it unique to the sending machine and to the time and network it was sent at/on. By your definition, then, ALL email sent by anybody using such MUAs is legally binding. The MUAs in question are the default MUAs used by everyone on the Internet, in this country and elsewhere; moreover the UID is mandated by RFCs, and not using them breaks email systems (don't ask how I know this).

> authenticating that the keys belong to the specific person. All it does
> do is to define what a CA is, and say that such a CA is authorized to
> authenticate keys. There is nothing there (again, hearsay that had
> better be verified) that suggests that merely because PGP uses a
> different kind of authentication, it is not as binding as the usual PKI
> method.

And there is nothing that suggests that other signing mechanisms, such as UIDs assigned by operating systems to messages and checksums required as per RFCs for the transmission of messages over the Internet, and implicitly archived by packet sniffers, are *not* signatures by your definition.

> This means, to me, you have but two options. Signing your emails with a
> key that you did not prove to me belongs to you, which is useless with or
> without the law, and signing your emails with a key you did prove to me
> in the past, which makes your emails legally binding.

No, you have but two options: pretending that the messages are not signed while in fact the OS and the transport mechanisms both archive and sign them, or signing them in semi-mockery in a way that reduces the potential value of any collected information for malicious use, and increases it for oneself (maintaining a complete log of what one has sent can be 'interpreted' as much or as little as any log collected by an ISP - including any quotes out of context - positively or negatively - again 'it depends').

> > In general, making new 'definitions' of the value of signatures is
> > void of value when one considers precisely the fact that you state so
> > obviously in this answer: That in fact 'it depends' and there are
> > 'limits' which actually redefine the meaning of 'not legally binding'.
>
> Those limits apply to any contract, electronic or not, and therefore have
> no bearing on the question at hand. You cannot limit my rights by
> signing a piece of paper I did not sign, just as you cannot limit my
> rights by sending me an electronically signed email.

If those limits apply to 'any contract', then why is it necessary to make new limits when you said yourself that something sent to you by someone else 'cannot bind you to do anything'? It is also somewhat ironic that you write this using media and machines (and using software and licenses) which have implicitly limited your rights in many ways right now, most of them without having you sign anything. Again, 'it depends'. Just like some clickthrough licenses have paragraphs like 'void where invalid' and such. Signatures are just another mirror in the maze, and this particular instance (the law, if it is as you said) is a particularly bad implementation of a mirror imho. It leaves a LOT open for 'interpretation' in court, should it come to that.

> > And signing one's emails with non-legally-binding and deniable methods
> > is a part of ensuring that freedom of speech is maintained,
>
> If you sign your emails in a deniable way you, indeed, avoid the
> problems of the digital signature law. What I fail to see is what you
> gain by it. Deniability and signature are, as far as I can see, mutually
> exclusive.

Let's analyze this: A signature is a device that identifies the signed object in a context (or network or system) of trust for at least one peer (who can be yourself). A chaff signature is a device that may appear as a signature to someone who is not a member of the network of trust. Deniability constitutes the credible ability of the signer to deny that he has signed an object in front of a peer who is not a member of the network of trust, and who is potentially attempting intrusion therein or control thereof.

For any such peer who is not a member of the network, the provable existence of chaff signatures and their regular use by the signer may mean that he has no case when he thinks that he has one, and the widespread use of signatures (of the non-open, non-binding kind) is a way for signers to put themselves in such a position of deniability, while sometimes maintaining the possibility to prove the opposite (i.e. a real signature of the non-binding kind). When the signatures are not in fact chaff, but have some other obscure role, such as UIDs or message IDs, then even the fact that the signer is practicing deniability exercises cannot be proven, even if all the elements of the system are available to the unauthorized peer.

Peter

=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
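The distinction the last message draws between a signature that identifies the signed object within a network of trust, a chaff signature that only looks like one to an outsider, and deniability towards that outsider can be made concrete with a keyed MAC. The following is an added illustration, not code from the thread or from either poster; it assumes a hypothetical shared key held by two members of the trust network (Alice and Bob) and uses Python's standard hmac module. The point it demonstrates is that authentication inside the group and deniability towards everyone outside it are not mutually exclusive when the verifier can produce the same tag the sender can.

```python
import hashlib
import hmac
import secrets

# Constructed sample key shared by the two members of a small network of
# trust (Alice and Bob). Hypothetical value, not from the thread.
SHARED_KEY = b"constructed-key-shared-by-alice-and-bob"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Produce an authentication tag (HMAC-SHA256) over a message.

    Any holder of `key` can verify it, and any holder of `key` can also
    produce it, which is exactly what gives the sender deniability towards
    someone outside the key-sharing group.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Insider check: constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(make_tag(key, message), tag)


def make_chaff_tag() -> bytes:
    """A random value with the same size and format as a real tag.

    It verifies under no key. To an insider it is obviously not a signature;
    to an outsider who cannot verify either kind, it is indistinguishable
    from a real tag by inspection.
    """
    return secrets.token_bytes(hashlib.sha256().digest_size)


def outsider_can_tell_apart(tag_a: bytes, tag_b: bytes) -> bool:
    """What a peer without the key can check: only the shape of the bytes.

    Returns True only if the two tags differ in length, i.e. only if chaff
    would be distinguishable without the key.
    """
    return len(tag_a) != len(tag_b)


def forge_as_peer(key: bytes, message: bytes) -> bytes:
    """A recipient holding the shared key produces a tag for a message it
    attributes to the other party. The result is byte-for-byte identical to
    what the other party would have produced, so a tag alone cannot prove
    which key holder made it.
    """
    return make_tag(key, message)


def attribution_from_tag(key: bytes, message: bytes, tag: bytes,
                         key_holders: tuple) -> tuple:
    """Every holder of the key is an equally plausible author of a valid
    tag; an invalid tag points at nobody (it may simply be chaff)."""
    if not verify_tag(key, message, tag):
        return ()
    return key_holders


if __name__ == "__main__":
    # Constructed sample message, not from the thread.
    msg = b"From: alice\nTo: bob\n\nSee you at the meeting."
    real = make_tag(SHARED_KEY, msg)
    chaff = make_chaff_tag()
    print("bob verifies alice's tag:", verify_tag(SHARED_KEY, msg, real))
    print("bob verifies chaff:", verify_tag(SHARED_KEY, msg, chaff))
    print("outsider can tell chaff from real:",
          outsider_can_tell_apart(real, chaff))
    print("bob can produce alice's exact tag:",
          forge_as_peer(SHARED_KEY, msg) == real)
    print("plausible authors of a valid tag:",
          attribution_from_tag(SHARED_KEY, msg, real, ("alice", "bob")))
```

Inside the group the tag behaves like a signature (Bob can tell a real tag from chaff and can detect any change to the message); outside it, the tag proves nothing about who wrote the message, because Bob could have produced it himself. A public-key signature has the opposite property: only the private-key holder can produce it, which is what makes it non-repudiable and is the reason deniable messaging protocols such as OTR authenticate with MACs rather than signatures.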
