[vox] Are GPG signatures legally binding signatures in California?

Jan W jcwynholds at yahoo.com
Wed Jan 19 10:58:45 PST 2005


--- "Robert G. Scofield" <rscofield at afes.com> wrote:

> On Monday 17 January 2005 16:23, Jan W wrote:
> > From the little that I know, I think so.
> 
> I would urge caution.  My problem in all of this is that I don't
> understand digital signatures.  And I don't understand the significance
> of the difference between a signature and a certificate.  The issue of
> certificates needs to be addressed for these reasons.
> 

A certificate can be used multiple times to sign something, e.g. an
S/MIME certificate can be used to send several emails that have
different signatures, because all the emails have different content.  A
digital signature is used to verify the contents just as much as it's
used to verify the sender.

Here's the snippet of regs regarding digital sigs:

   (1) It is unique to the person using it.
   (2) It is capable of verification.
   (3) It is under the sole control of the person using it.
   (4) It is linked to data in such a manner that if the data are
changed, the digital signature is invalidated.
   (5) It conforms to regulations adopted by the Secretary of State.

But this all has to do with using digital signatures that would be
accepted by "Public Entities".  So if Bob and Alice want to each
digitally sign their contract between each other (both private
entities), then it's perfectly legal; they can even use whatever
signatures they want.  If they want to stamp their hands in mud and
smear the papyrus as a signature, then it would still hold up as a
legal contract.

But if Alice wants to submit a proposal to the California Dept. of
Motor Vehicles (the public entity), and wants to use a digital
signature, then she has to get a certificate to sign her proposal from
one of the approved CAs.  Whether you used S/MIME or PGP or whatever,
it would be under the control of whatever public entity you were
submitting your material to.

> Government Code section 16.5 states that digital signatures have to
> conform to regulations issued by the Secretary of State.  Those
> regulations are set out in Title 2 sections 22000 to 22005 of the
> California Code of Regulations.  I have not studied those regulations.
> Maybe your in house counsel can.
> 
> Here's my concern.  Title 2 section 22003 states in part:  "although
> not all digitally signed communications will require the signer to
> obtain a certificate, the signer is capable of being issued a
> certificate to certify that he or she controls the key pair used to
> create the signature"
> 
> Under Title 2 section 22003(a)(6): 
> 
> "(A)The California Secretary of State shall maintain an 'Approved
> List of 
> Certificate Authorities' authorized to issue certificates for
> digitally 
> signed communication with public entities in California. 
> 
> (B) Public entities shall only accept certificates from Certification
> 
> Authorities that appear on the "Approved List of Certification
> Authorities" 
> authorized to issue certificates by the California Secretary of
> State. "
> 
> Here is the approved list:  http://www.ss.ca.gov/digsig/digsig.htm
> 
> So I guess Ken's question might be supplemented with this one:  "Is a
> person using a PGP signature capable of being issued a certificate by
> one of the agencies on the approved list?"
> 

Yes, no reason why not.  Here is a short thing on using S/MIME and PGP
together:

http://www.falcon.darkwave.org.uk/x509.html

But whoever is accepting your digital signature would have final say on
the type of signature (X.509/PGP).

So my question now is:  "what party would accept this digital
signature?"  

If it's a private party, then you could use just about anything as a
signature (thumb print, XYZ-generated digital sig, etc.), and if it's a
'public entity' then you need some sort of reputable (like VeriSign)
cert to sign your stuff.  Does that clarify the issue?  I hope so, and
I hope that I got all this stuff right (it's been a while since I was
playing with this stuff)...

--thanks

jan

> I repeat: (1) I don't understand digital signatures; and (2) I have
> not studied all of the regulations.  I'm just raising a question.
> 
> Bob
> 


=====
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
I believe that unarmed truth and unconditional love will have the final word in reality. That is why right, temporarily defeated, is stronger than evil triumphant.
    Martin Luther King Jr., Accepting Nobel Peace Prize, Dec. 10, 1964
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
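As an added illustration of the two technical points made above (one certificate, or rather its key pair, producing a different signature for every message, and a signature that stops verifying the moment the signed data changes, i.e. requirement (4)), here is a small OpenSSL script. It is not from the original post, from the vox list, or from the linked x509 page. "Alice", the message texts and the self-signed certificate are constructed for the demo; the gpg commands noted in the comments are the PGP counterparts of each step.

```shell
#!/bin/sh
# Added example (not from the original post): one X.509 certificate / key
# pair, two messages, two different signatures; tampering invalidates one.
# "Alice", the message texts and the self-signed certificate are constructed
# for this demo; a public entity would require a cert from an approved CA.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_keypair_and_cert() {
    # The private key is what actually signs; it stays under the signer's
    # sole control (requirement 3).  gpg equivalent: gpg --gen-key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/alice.key" 2>/dev/null
    # The certificate binds the public key to an identity (requirement 1).
    # Self-signed here; an approved CA would issue it for a public entity.
    openssl req -new -x509 -key "$WORK/alice.key" -subj "/CN=Alice Example" \
        -days 1 -out "$WORK/alice.crt" 2>/dev/null
    # Verifiers only need the public key carried inside the certificate.
    openssl x509 -in "$WORK/alice.crt" -pubkey -noout > "$WORK/alice.pub"
}

# Detached signature over a file.  gpg equivalent: gpg --detach-sign FILE
sign_file() {
    openssl dgst -sha256 -sign "$WORK/alice.key" -out "$2" "$1"
}

# Verify a detached signature; exit status 0 only for a good signature
# (requirement 2).  gpg equivalent: gpg --verify FILE.sig FILE
verify_file() {
    openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Runs the whole scenario; returns 0 only if every expectation holds.
run_demo() {
    make_keypair_and_cert || return 1

    # Two constructed messages, both signed with the same certificate/key.
    printf 'Pay Bob 100 dollars.\n' > "$WORK/msg1.txt"
    printf 'Pay Bob 200 dollars.\n' > "$WORK/msg2.txt"
    sign_file "$WORK/msg1.txt" "$WORK/msg1.sig" || return 1
    sign_file "$WORK/msg2.txt" "$WORK/msg2.sig" || return 1

    # Same key, different content: the two signatures differ.
    if cmp -s "$WORK/msg1.sig" "$WORK/msg2.sig"; then
        echo "unexpected: identical signatures for different content"; return 1
    fi

    # Each signature verifies against the message it was made over.
    verify_file "$WORK/msg1.txt" "$WORK/msg1.sig" || return 1
    verify_file "$WORK/msg2.txt" "$WORK/msg2.sig" || return 1

    # A signature is linked to its data: swapping messages must fail ...
    if verify_file "$WORK/msg1.txt" "$WORK/msg2.sig"; then
        echo "unexpected: signature accepted over the wrong message"; return 1
    fi
    # ... and so must changing the signed data by one digit (requirement 4).
    printf 'Pay Bob 900 dollars.\n' > "$WORK/msg1-tampered.txt"
    if verify_file "$WORK/msg1-tampered.txt" "$WORK/msg1.sig"; then
        echo "unexpected: signature accepted over tampered data"; return 1
    fi

    echo "ok: one certificate, two valid signatures, tampering detected"
}

run_demo
```

Note that nothing in the script involves a CA: the certificate is self-signed, which is exactly what section 22003(a)(6) would not accept from a public entity. The verifier above trusts alice.pub directly; in the S/MIME case the recipient would instead check that alice.crt chains to a CA on the approved list, and in the PGP case that the key is one they trust.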
