digitally signing contracts

Mark H. Wood mwood at IUPUI.Edu
Mon Oct 31 16:23:22 CET 2011


I have no experience in this matter, but it's an interesting problem,
so here are my thoughts, whatever they are worth:

When contracting on paper, the signature is a personal characteristic
of the signer, so samples can be compared by an expert witness.
Unless there's some sort of biometric component to the creation of the
certificates, personal characteristics don't enter into crypto
signatures, so you need some other way to make it personal, such as a
face-to-face meeting at which certificates or at least key
fingerprints are exchanged by parties who can sense each other
directly, match photo IDs to faces, and the like.  You could consider
it a keysigning party for two and use published recommendations to
guide you in setting up the process.  Once personal control is
established, I suppose that no more meetings are required.  So this
would seem to work well for people who are able to meet once, and even
better for parties who then make contracts again and again from time
to time.

If trusted third parties are willing to attest to signatures then the
other parties only need to meet with the third parties, separately.  I
recall seeing notices by some notaries public that they also certify
PGP keys.

Another form of assurance might be the publication of key fingerprints
on the key owner's website.  (How much would you bet that your website
wasn't cached by Google or sampled by the Wayback Machine before you
changed the fingerprint?  A number of companies have found, to their
embarrassment, that trying to "disappear" inconvenient pages is not
reliable.)

Still another form of assurance would be the publication of keys in
the keyserver network, since it's impossible to remove keys unless you
control all of the servers.  And again, someone may have a copy of
that certificate which is simply not remotely accessible but which
could conceivably turn up in court.

As with signatures on paper, you need to evaluate your risk and decide
whether it's acceptable.  Your insurance agent may be able to help.

If you read some of the laws governing admissibility of digital
signatures, you may find that your requirements are already laid out
for you, to some level of abstraction.  It's a possible starting
point, at any rate.  And your lawyer might be a good source of
pointers to procedural and technical recommendations, since that would
make his job easier.

I'll note that there are a number of companies in the business of
issuing durable digital identity tokens: X.509 certificates.  You
might want to insist on EV certificates, since EV has a documented
meaning and some CAs are not very energetic in identifying non-EV
customers.  In any case you probably ought to read the CA's
Certification Practice Statement and decide whether their procedures
are acceptable to you.  There may be sound ways to use X.509 material
to initialize OpenPGP exchanges if that's important to you, or you
could use PEM instead of PGP.

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
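The fingerprint-exchange idea above has a concrete counterpart on the verifying side: once the other party's full key fingerprint has been written down at the face-to-face meeting, every later contract signature can be checked against exactly that fingerprint instead of against whatever key happens to be in the local keyring. The following is an added example, not part of Mark's post and not GnuPG project code. It shows the real gpg invocations in comments, but feeds constructed `--status-fd` output into a small POSIX sh checker so it runs offline; the fingerprints, dates and user ID are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): accept a detached signature on
# a contract only when GnuPG reports VALIDSIG for the fingerprint that was
# exchanged in person. Everything below is constructed demo data.

# Full fingerprint of the other party's PRIMARY key, as written down at the
# meeting (constructed value, not a real key). Spaces and lowercase hex, as
# printed by `gpg --fingerprint`, are normalised away before comparison.
PINNED_FPR="0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# On a live system the status lines would come from:
#   gpg --armor --detach-sign contract.pdf            (signer's side)
#   gpg --status-fd 1 --verify contract.pdf.asc contract.pdf   (our side)
# The machine-readable "[GNUPG:] ..." lines are what the checker consumes.

# check_pinned_signer PINNED_FPR  < status_lines
# Returns 0 when some VALIDSIG line names the pinned fingerprint, either as
# the signing key itself (field 3) or as the primary key of the signing
# subkey (last field), and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line is seen.
# GOODSIG alone is not enough: it carries only a short key ID, which an
# attacker can collide, and it says nothing about *which* key we expected.
check_pinned_signer() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s' "$line" | awk '{print $3}')
                primary=$(printf '%s' "$line" | awk '{print $NF}')
                if [ "$fpr" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                # Any bad, expired or revoked signature on the file is fatal,
                # regardless of other good signatures present.
                return 1
                ;;
        esac
    done
    return $ok
}

# Constructed status output: a valid signature made by a signing subkey
# (field 3) whose primary key (last field) is the one we pinned.
STATUS_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2011-10-31 1320078202 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a perfectly valid signature, but from a key nobody met.
STATUS_WRONG_KEY='[GNUPG:] GOODSIG FEDCBA9876543210 Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-10-31 1320078202 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the pinned key signed, but the contract was altered afterwards.
STATUS_BADSIG='[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.invalid>'

demo_good()      { printf '%s\n' "$STATUS_GOOD"      | check_pinned_signer "$PINNED_FPR"; }
demo_wrong_key() { printf '%s\n' "$STATUS_WRONG_KEY" | check_pinned_signer "$PINNED_FPR"; }
demo_badsig()    { printf '%s\n' "$STATUS_BADSIG"    | check_pinned_signer "$PINNED_FPR"; }

if demo_good; then
    echo "contract signature accepted: signer matches pinned fingerprint"
fi
```

The point of matching on the last VALIDSIG field as well as the third is that `gpg --fingerprint` shows the primary key, which is what people copy down at a meeting, while signatures are normally made by a signing subkey; a checker that compares only the signing-key fingerprint against the primary fingerprint would reject every legitimate contract.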