[vox] Are GPG signatures legally binding signatures in California?
Robert G. Scofield
rscofield at afes.com
Mon Jan 17 17:28:39 PST 2005
On Monday 17 January 2005 16:23, Jan W wrote:
> From the little that I know, I think so.
I would urge caution. My problem in all of this is that I don't understand
digital signatures. And I don't understand the significance of the
difference between a signature and a certificate. The issue of
certificates needs to be addressed for these reasons.
Government Code section 16.5 states that digital signatures have to conform to
regulations issued by the Secretary of State. Those regulations are set out
in Title 2 sections 22000 to 22005 of the California Code of Regulations. I
have not studied those regulations. Maybe your in-house counsel can.
Here's my concern. Title 2 section 22003 states in part: "although not all
digitally signed communications will require the signer to obtain a
certificate, the signer is capable of being issued a certificate to certify
that he or she controls the key pair used to create the signature"
Under Title 2 section 22003(a)(6):
"(A) The California Secretary of State shall maintain an 'Approved List of
Certificate Authorities' authorized to issue certificates for digitally
signed communication with public entities in California.
(B) Public entities shall only accept certificates from Certification
Authorities that appear on the "Approved List of Certification Authorities"
authorized to issue certificates by the California Secretary of State."
Here is the approved list: http://www.ss.ca.gov/digsig/digsig.htm
So I guess Ken's question might be supplemented with this one: "Is a person
using a PGP signature capable of being issued a certificate by one of the
agencies on the approved list?"
I repeat: (1) I don't understand digital signatures; and (2) I have not
studied all of the regulations. I'm just raising a question.
Bob