Ian, I don't share your huge sceptism regarding signatures but OTOH and I am not relegious about them either. :-| They do though look like a better alternative to authentication in many web applications.
I will try as best as I can to answer your questions but I think that this is in vain as I get the feeling you don't really think this request has much validity. >> http://web.telia.com/~u18116613/onlinesigstdprop.ppt >I'm unable to read PPT, perhaps you could >cut&paste these things here: MSFT-hater? > * What is the meaning of the signature? That the user accepts the content of the displayed document > * What is the document or contract that the > signature is over? Technically it can be anyhthing viewable in a web-browser * What is the likely dispute resolution process? Unspecified (as in S/MIME) * Who are the parties? The parties should in order to make sense be a user and a webprovider that the user trusts (or is supposed to trust). That is, this is not a payment system. Such systems are IMHO an entirely different thing *unless* we are talking 3D Secure. >There is a bit of sort of myth that a cryptographic >digital signature is like a human signature. It's not >really much like that at all, Agreed. >and using it without thought does not work. Disagree. Current system have been designed without much thought and so far they appear "to work". :-) >As evidence of that, we're still waiting after 3 decades... The #1 reason for PKI slowness is that we still do not have anything *reasonable* to keep keys in. In the mean-time we use unreasonable solutions like soft keys. Because without demand, no action. It is indeed hard to accept, but this is how it is. >If one wants to do human signing in all its generality >then there are a number of barriers that have to be >crossed, more than can be described in a quick email. Agreed. The PPT gives a little bit more although not the kind of lawyer-style info you request. >OTOH if one has a specific application and >one can reduce the complexities, then something >more useful can be done. The complexities as I see them is to define what is in scope and what is not. I have spent a lot of time on this but it of course only represents *my* view on this. >How refined can you make your application? This is very subjective. *I* believe I have removed all but the essentials but I'm sure other people lack some stuff and other wants less. Some people think that only .TXT is valid. Unfortunately you can't combine .TXT with advanced functionality so I disregarded that. >> In Sweden 400 000 citizens used web-sign to file tax declarations >> using a non-public "bank-standard". >At the core of this would be that the banks have >distributed to each of their clients a private key >of some form? Am I guessing right here? To some extent yes. Banks are acticing as TTP CAs. Citizens get/genrate their cert/keys trough an on-line operation. >Also, just as described, this would be considered to >be a fiscal mark within an application set up for >fiscal marks by organisations that do fiscal stuff, >so it sort of works. >But it won't generalise. It works in an e-government sphere were a verified citizen identity has a known meaning. >Consider that the banks >above are standing behind each signature, and >then generalise it to say I buy a house using a >Verisign cert from a person using a Comodo cert >and both of us are in separate countries and the >house happens to be in another. No chance of >that working. Neither would a hand-written signature (unless the relying party is stupid) so there is nothing particularly odd going on here. That is, your signature is useless unless you are known in some way by the relying party. In some cases like when buying houses you must not only be identified/known but also found to be creditable. To solve things in courts is much too expensive, and therefore most of the non- repudiation stuff is really meaningsless. <snip> >It would be an equal mistake to assume that adding a signing capability >would give us signatures. Are you unaware of the 3 million US federal PKI cards that are in use? Including used with web-sign although using proprietary SW. Now they are going to issue 30 million based on HSPD-12. They have the money. <snip> >> At the same time just about every e-government is indeed targeting >> the web as the primary input output channel. >Whatever. It's unimportant who's targetting what. >Governments, especially, have passed laws >saying that digsigs are the way of the future, >and look where that got them. They indeed have problems. But I maintain that without a credible PKI container we a problem forever. The container is BTW soon born. It is the mobile phone, not the smart card. http://web.telia.com/~u18116613/TheUniversalAccessControlCard.pdf >What's important is who's succeeded in getting >lots of working signatures. Using current breed of NDA-requiring SW I wonder how this relates to my Moz-request. >And how they did it by narrowing the scope of their signatures to >highly specific things. Essentially to the same things you would sign physically today plus a number of things that require that you show up in person that you now can do remote such a doctor appointment. Given that there is a citzen PKI of course. Within an organization using a local PKI this can be used for any internal signature needed. Anders _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
