using keys with multiple users

Leigh S. Jones kr6x@kr6x.com
Sat May 11 03:14:02 2002


There's a difference between a situation where a single
individual can be held responsible for his actions and a
situation where a corporation can be held responsible
for its actions.  Where an individual represents a
corporation by signing his own signature, the signature
is traceable to a single individual, who could, in theory,
attest to the signature or deny it as a forgery when
questioned under oath.

It's a big world, and there are many legal systems.  In
one legal system it is fair to assume that the decisions
made in courts will be different from the decisions
made in other systems.  The system of justice in the
USA is moving toward acceptance of the legality of
digital signature in certain circumstances, but in other
circumstances and other countries the digital
signature has more limited acceptance.

For instance, the value of a digital signature is only as
good as the trust that we place in the public key and
in the security of the private key.  If the veracity of a
digital signature can be attacked successfully in court,
then the digital signature would have little value.  For
instance, if I leave a copy of a signed will with a
lawyer but appear to recant the provisions of that will
and leave a new will on my computer drive before
expiring, but no trust can be placed in the digital
signature because it appears that I created a new
signing key immediately before executing the signature
on my deathbed, then it's clear that it will be difficult
to use the electronic evidence to challenge the first
will.  Too easy to forge that.

Read FDA document 21CFR Part 11 for an
example of one US government agency that will
not accept signatures that have been executed
by a corporate "role" in lieu of an individual.

----- Original Message -----
From: "Anthony E. Greene" <agreene@pobox.com>
To: <gnupg-users@gnupg.org>
Sent: Friday, May 10, 2002 4:58 PM
Subject: Re: using keys with multiple users


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10-May-2002/15:58 -0700, "Leigh S. Jones, KR6X" <kr6x@kr6x.com> wrote:
> >
> >2 - issue copies of a single key to each employee, in
> >which case the key name would be something like:
> >"MyCompany Corporate Support Key <support@MyCompany.com>"
> >in which case there would be little confusion on the
> >part of your correspondents but questionable legal
> >value of a signature
>
> There are companies with multiple contracting officers, or multiple of other
> kinds of people that have to represent the company. This is no different.
> The company is responsible for the actions of those it chooses to
> represent it. Any problems this may cause are the company's
> responsibility, not the customer's.
>
> Tony
> - --
> Anthony E. Greene <mailto:agreene@pobox.com>
> OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D
> AOL/Yahoo Chat: TonyG05         HomePage: <http://www.pobox.com/~agreene/>
> Linux. The choice of a GNU generation <http://www.linux.org/>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: Anthony E. Greene <mailto:agreene@pobox.com> 0x6C94239D
>
> iD8DBQE83F6PpCpg3WyUI50RAs1ZAKDgewvjXy3mCNn85ATpkwiqwF80uwCeLqkB
> ki2anLu6hHNIl6PVv+wjHYY=
> =hS8k
> -----END PGP SIGNATURE-----