acm - an acm publication

Articles

Reader comments: PGP Signatures for Electronic Documents?

Ubiquity, Volume 2000 Issue June, June 1 - June 30, 2000 | BY John Gehl 

|

Full citation in the ACM Digital Library


Re: Electronic Signature Legislation (Ubiquity, May, 2000)
      Paul Lane expresses concern about a signed electronic document being altered without anyone knowing. Even a paper document -- formally notarized -- can be altered; only after a careful examination would the fraud be detected. Paper documents are indeed fraudulently signed and notarized, sometimes throwing the ownership of a home or other real estate into doubt. For electronic documents, the answer might lie in PGP signatures. Not only can PGP meet Ephraim Michael's requirements for authentication and nonrepudiation (if the web of trust described in Phil Zimmermann's writings is used) as well as Michael's requirement for assent. It can also meet Lane's requirement for integrity since the signature will fail verification if the signed file is altered.

      For some time now, PGP signatures have been used in the software industry so that recipients can verify that downloaded critical software is indeed both authentic (the downloaded version was indeed created by the asserted source) and unaltered. Web masters sometimes use PGP to sign key Web pages to facilitate detection of alterations by hackers.

      Two years ago, the California Secretary of State established a regulation on the use of digital signatures on electronic documents submitted by local governments to the state. (See http://www.ss.ca.gov/digsig/regulations.htm.) While not explicitly naming PGP, the regulation clearly describes the public key/private key system that is implemented in PGP. In lieu of the web of trust, the regulation also allows the alternative of local governments having their public keys certified by a certificate authority, two of which have already been approved by the Secretary of State.

      Of course, proposed legislation (both in the U.S. and the U.K.) that would require individuals to give the police their private keys and pass-phrases would undermine the use of PGP -- or any other dual-key system -- for acceptable electronic signatures. This is even recognized by the California Secretary of State, whose regulation requires "the private key used to create the signature on the document is known only to the signer".

-- David E. Ross



There's More Than One Way to Mow the Lawn

Re: The Humane Interface, (Ubiquity May, 2000)

      The excerpt from the new book on interface design by Jef Raskin does not take into account a peculiar human behavior that I have observed. Let me use the example of mowing the lawn or shaving. I will follow the same path many times in a row and suddenly adopt a new path that I will likewise follow many times in a row. I for one cherish the ability to accomplish the same task five different ways in my word processor or my OS. I want five different paths to take. I will, at one time or another, explore and try to master each path. I will then use combinations (to my liking) of each. He states, "When you have to choose among methods, your locus of attention is drawn from the task and temporarily becomes the decision itself." Is that supposed to be a bad thing? I plan to learn new ways of living until the day I die.

-- Gregory A. Moore

COMMENTS

POST A COMMENT
Leave this field empty