Interesting People mailing list archives
IP: RE: PFIR Statement on Electronic Signatures and Documents
From: Dave Farber <farber () cis upenn edu>
Date: Sun, 18 Jun 2000 17:15:00 -0400
X-Server-Uuid: 47feacc6-2336-11d3-82c6-0008c7db26d1
From: "Baker, Stewart" <SBaker () steptoe com>
To: farber () cis upenn edu
cc: "Albertazzie, Sally" <SAlbertazzie () steptoe com>
Subject: RE: PFIR Statement on Electronic Signatures and Documents
Date: Sun, 18 Jun 2000 16:35:16 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)
X-WSS-ID: 1553ECB425042-01-01

Dave,

Lauren Weinstein's rant about passage of the electronic signature bill deserves a longer rebuttal than I can provide on a beautiful Sunday afternoon, but there are a number of errors that can be pointed out quickly. They are serious enough to cast doubt on the whole thrust of PFIR's statement.

First, the notion that the bill allows "anything" to be an electronic signature and that it should have enacted security standards seems to be based on a romantic notion that handwritten signatures are secure in a way that protects us from fraud. This is just false. In fact, for most business transactions, typed or faxed or telegraphed names have been treated as meeting signature requirements for nearly 150 years. In an age of xerography and facsimile, requiring something that looks like a signature at the bottom of a document is not exactly a bulwark against fraud. So how is fraud prevented in such a world? By allowing the purported signer to say that he didn't actually put that symbol on the page or send that telegram or fax that document. The e-signature bill allows precisely the same protections.

The idea that Congress should enact technology security standards is, well, unlikely. How long would such standards reflect current technology and practices? About a month would be my guess. How long would they be a source of politicking and standards lobbying by otherwise uncompetitive companies? More or less forever would be my guess. Instead, Congress eliminated any legal bar on accepting electronic signatures while leaving it to companies to work out the particular technologies they will use.

In my experience, which includes building legal frameworks for more than a dozen PKI and electronic signature systems, the kind of technologies being used grow progressively more secure depending on the size of the transactions, which is pretty much what we'd expect and want. In fact, if anything, the signature technology is stronger than the rest of the computer system's security, which is pretty much in line with the more general observation that most computer security professionals measure themselves against the resources of 20-year-old hackers while the cryptographers are measuring themselves against the resources of NSA.

Finally, the suggestion that Verisign has achieved a monopoly by buying Thawte is wrong, but perhaps understandably so. In fact, the only market where that is even arguable is for SSL certs, where Thawte was the low-cost alternative to Verisign. But since the merger, Entrust and Equifax, especially Equifax, have roared into the market. I think Equifax is now offering SSL certs for half the price that Thawte used to charge, and its market share is rising fast. Some monopoly!

In short, there's a reason this bill passed almost unanimously in an age of bitter partisanship. At bottom, it's a good idea that both parties and practically all consumer groups agreed with.

Stewart Baker
Steptoe & Johnson LLP
phone -- 202.429.6413
email fax -- 202.261.9825
main fax -- 202.429.3902
sbaker () steptoe com