digitally signing contracts

Hauke Laging mailinglisten at hauke-laging.de
Mon Oct 31 18:11:30 CET 2011


On Sunday, 30 October 2011, 05:21:56, Eric Abrahamsen wrote:

> Is there a general sense that this is viable (at least as viable as
> scanning and emailing contracts that have been signed with a pen)?

I think there are two points:

1) What exactly does a digital signature mean?

2) Can you prove that the signing key belongs to the person you have to sue in 
case of doubt?

to 1):
It is not obvious that a signature for a document means that the signer feels 
bound by that document. The signature can mean "I sign all documents so that 
the recipient can be sure it is from me (and unmodified)." This would not be 
the same as a signature by hand below a treaty (just like a signature on the 
back of a treaty paper probably would not be accepted by courts).

German signature law requires "to add the name to a document and sign it then 
by a (legally) valid key". I am not sure what that means. I think of a 
signature over two "files", the document and a file containing the name. But 
that has its risks, too. I guess that a signature over two files is just a 
signature over the combined files. So you would have to check that the 
document you sign (as usual) does not "happen" to contain your name at the 
end. Probably certain document formats (or rather applications) do not care 
about some data behind the recognized part and do not show that data.

This just inspires me: The meaning should be obvious by the signature itself. 
That is a good example for standardized signature notations. As long as the 
law does not, you have to make clear what signature is required for formally 
accepting a treaty (represented by a document). You could require a signature:
i_accept_this_treaty@mydomain.tld=yes. Or you require a signature by a certain 
key which is used for accepting treaties only (and thus cannot accidentally 
create signatures).

To be safe you need a treaty which makes clear the usage of digital 
signatures. I just catch myself: I have made such treaties before but not 
covered the problem I just described. :-)


to 2):
It is a difference whether
a) you can be sure that a key belongs to a person (which is easily done by 
checking the fingerprint)
b) you can prove in court that the key belongs to the person.

You either need a third party which is trusted by the courts (not your court 
but the one where you have to sue the other one...) or a treaty with a hand 
signature. This is easy:

"I admit to be bound by signatures by the key identified by this fingerprint 
until further notice (key revocation): ..."


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
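
An added example, not part of the original message: a sketch of how a recipient could enforce both points above by reading the machine-readable status lines that `gpg --status-fd 1 --verify` emits. It accepts a signature as "binding" only if it is valid, made by the key agreed on beforehand, and carries the acceptance notation. The fingerprint and the sample status lines are constructed placeholders, and the code assumes the status text covers a single signature.

```python
from urllib.parse import unquote

# Assumptions: the notation the parties agreed to require, and the fingerprint
# named in their hand-signed agreement (constructed placeholder, not a real key).
REQUIRED_NOTATION = ("i_accept_this_treaty@mydomain.tld", "yes")
AGREED_FPR = "A" * 40

def parse_status(status_text):
    """Return (primary key fingerprint or None, [(notation name, value), ...])."""
    fpr, notations = None, []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "VALIDSIG":
            # Field 10 is the primary key fingerprint; field 1 is the (sub)key
            # that made the signature. VALIDSIG only appears for valid signatures.
            fpr = args[9] if len(args) >= 10 else args[0]
        elif keyword == "NOTATION_NAME":
            notations.append([args[0], ""])
        elif keyword == "NOTATION_DATA" and notations:
            # Values are percent-escaped and may be split over several lines.
            notations[-1][1] += unquote(args[0])
    return fpr, [tuple(n) for n in notations]

def is_binding_acceptance(status_text):
    """True only for a valid signature by the agreed key with the notation set."""
    fpr, notations = parse_status(status_text)
    return fpr == AGREED_FPR and REQUIRED_NOTATION in notations

def sample_status(fpr, notation=None):
    """Build constructed status output for one valid signature."""
    lines = []
    if notation:
        lines.append(f"[GNUPG:] NOTATION_NAME {notation[0]}")
        lines.append(f"[GNUPG:] NOTATION_DATA {notation[1]}")
    lines.append(f"[GNUPG:] VALIDSIG {fpr} 2011-10-31 1320081090 0 4 0 1 8 00 {fpr}")
    return "\n".join(lines)

if __name__ == "__main__":
    cases = {
        "agreed key, acceptance notation": sample_status(AGREED_FPR, REQUIRED_NOTATION),
        "agreed key, routine signature": sample_status(AGREED_FPR),
        "other key, acceptance notation": sample_status("B" * 40, REQUIRED_NOTATION),
    }
    for label, status in cases.items():
        print(f"{label}: binding={is_binding_acceptance(status)}")
```
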


More information about the Gnupg-users mailing list