digitally signing contracts

Eric Abrahamsen eric at ericabrahamsen.net
Sun Oct 30 05:21:56 CET 2011


I own a small business that works with contractors all over the world,
and I'm currently scratching my head over the issue of signing
contracts. I know that gpg can/has been used to this purpose, but I
wanted to ask the list's advice. There isn't a whole lot of information
on the webs on the issue, this is the most thorough description I found:

http://wiki.bitcoin-otc.com/wiki/GPG_Contract

Is there a general sense that this is viable (at least as viable as
scanning and emailing contracts that have been signed with a pen)? Does
the process outlined in that webpage have any gotchas? To wit (apologies
for hackneyed "Bob and Alice"):

1. Bob writes a contract; the names and fingerprints of both Bob's and
   Alice's PGP keys are included in the original body of the contract.
2. Bob clearsigns the contract, sends to Alice.
3. Alice verifies Bob's signature, then adds text *outside* of the part
   of the contract signed by Bob, to the effect that she agrees to this
   contract. She clearsigns the entire contract (including Bob's
   signature) and sends it back to Bob.
4. Bob verifies his own original signature, to prevent tampering.
5. Bob verifies Alice's signature.

Are there any technical pitfalls here? The main one that I can think of
is that this potentially reverses the incentive for verifying key
ownership -- usually you're working to prove that you *do* own a key,
whereas now you might have a reason to temporarily fake ownership of a
key you don't own (allowing you to later legally repudiate a contract).
I can't think of how that would actually play out, but it seems like
the system as a whole was not designed in this direction…

As for the legal validity of such a process, I can do my own research,
but if anyone had anything to note, that would be appreciated!

Thanks,
Eric




More information about the Gnupg-users mailing list