digitally signing contracts
melvincarvalho at gmail.com
Mon Oct 31 16:40:33 CET 2011
On 30 October 2011 05:21, Eric Abrahamsen <eric at ericabrahamsen.net> wrote:
> I own a small business that works with contractors all over the world,
> and I'm currently scratching my head over the issue of signing
> contracts. I know that gpg can/has been used to this purpose, but I
> wanted to ask the list's advice. There isn't a whole lot of information
> on the webs on the issue, this is the most thorough description I found:
> Is there a general sense that this is viable (at least as viable as
> scanning and emailing contracts that have been signed with a pen)? Does
> the process outlined in that webpage have any gotchas? To wit (apologies
> for hackneyed "Bob and Alice"):
> 1. Bob writes a contract; the names and fingerprints of both Bob's and
> Alice's PGP keys are included in the original body of the contract.
> 2. Bob clearsigns the contract, sends to Alice.
> 3. Alice verifies Bob's signature, then adds text *outside* of the part
> of the contract signed by Bob, to the effect that she agrees to this
> contract. She clearsigns the entire contract (including Bob's
> signature) and sends it back to Bob.
> 4. Bob verifies his own original signature, to prevent tampering.
> 5. Bob verifies Alice's signature.
> Are there any technical pitfalls here? The main one that I can think of
> is that this potentially reverses the incentive for verifying key
> ownership -- usually you're working to prove that you *do* own a key,
> whereas now you might have a reason to temporarily fake ownership of a
> key you don't own (allowing you to later legally repudiate a contract).
> I can't think of how that would actually play out, but it seems like
> the system as a whole was not designed in this direction…
> As for the legal validity of such a process, I can do my own research,
> but if anyone had anything to note, that would be appreciated!
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users