From: Michael G Schwern Date: 23:20 on 19 Feb 2008 Subject: Signatures I hate that it's 2008 and we're still signing documents with a pen. Let me explain. I'm working out the final details of a contract which involves signing a very simple NDA. The code is all public so the NDA is a mere formality. They took a PDF and printed it. Then they signed it. Then they scanned it. Then they emailed it to us to sign. We printed it. Then we crossed out a few objectionable clauses. We signed it and scanned it back in. The scan went to an office server. It was then emailed back to us and we will then email it off to the client who will hopefully accept it. If they don't we start this ridiculous process of transferring paper to bits to paper to bits all over again. It's not like we haven't had have secure, cheap digital signature technology for decades now. It's not like everyone with a PC, scanner and printer doesn't have the technology to forge a handwritten signature.
From: numien Date: 10:28 on 20 Feb 2008 Subject: Re: Signatures Michael G Schwern wrote: > It's not like we haven't had have secure, cheap digital signature > technology for decades now. It's not like everyone with a PC, scanner > and printer doesn't have the technology to forge a handwritten signature. Especially a DIGITAL handwritten signature. Scanner + photoshop/gimp = signed by anyone you want, and it'd probably look better than the actual print/sign/scan one.
From: Andy Armstrong Date: 11:13 on 20 Feb 2008 Subject: Re: Signatures On 20 Feb 2008, at 10:28, numien@xxxxxxxxx.xxx wrote: > Michael G Schwern wrote: >> It's not like we haven't had have secure, cheap digital signature >> technology for decades now. It's not like everyone with a PC, >> scanner and printer doesn't have the technology to forge a >> handwritten signature. > > Especially a DIGITAL handwritten signature. Scanner + photoshop/gimp > = signed by anyone you want, and it'd probably look better than the > actual print/sign/scan one. I have a scan of my signature as a PNG that I use for 'signing' digital documents. Nobody ever notices that I haven't printed it out, signed it and scanned it :)
From: Tony Finch Date: 17:40 on 20 Feb 2008 Subject: Re: Signatures On Tue, 19 Feb 2008, Michael G Schwern wrote: > It's not like we haven't had have secure, cheap digital signature technology > for decades now. It's not like everyone with a PC, scanner and printer > doesn't have the technology to forge a handwritten signature. Handwritten signatures are a record of the assent of the signer. They are not a security technology. Tony.
From: Philip Newton Date: 17:49 on 20 Feb 2008 Subject: Re: Signatures On Wed, Feb 20, 2008 at 6:40 PM, Tony Finch <dot@xxxxx.xx> wrote: > On Tue, 19 Feb 2008, Michael G Schwern wrote: > > > It's not like we haven't had have secure, cheap digital signature technology > > for decades now. It's not like everyone with a PC, scanner and printer > > doesn't have the technology to forge a handwritten signature. > > Handwritten signatures are a record of the assent of the signer. Ah, but how can you tell from a bunch of pixels on the screen/a bunch of bits in a PDF file whether they're the result of scanning in a handwritten signature that shows from a signer giving his assent, or whether they're the result of someone having fun with their graphics tablet and Photoshop? The problem is that a forged signature does *not* record the assent of the purported signer, and that you can't tell them apart if all you have is a digital document that was supposedly scanned in from a piece of paper. And if you can't tell whether a bunch of bits is a scanned-in handwritten signature or not, you might as well not include that bunch of bits in the file since it's not adding any semantics. Cheers,
From: Jarkko Hietaniemi Date: 18:10 on 20 Feb 2008 Subject: Re: Signatures > Ah, but how can you tell from a bunch of pixels on the screen/a bunch > of bits in a PDF file whether they're the result of scanning in a > handwritten signature that shows from a signer giving his assent, or > whether they're the result of someone having fun with their graphics > tablet and Photoshop? > > The problem is that a forged signature does *not* record the assent of > the purported signer, and that you can't tell them apart if all you > have is a digital document that was supposedly scanned in from a piece > of paper. > > And if you can't tell whether a bunch of bits is a scanned-in > handwritten signature or not, you might as well not include that bunch > of bits in the file since it's not adding any semantics. This is why I have always wondered how faxing a signed document was supposed to be a binding thing. > Cheers, > -- > Philip Newton <philip.newton@xxxxx.xxx> > >
From: Michael Leuchtenburg Date: 20:14 on 20 Feb 2008 Subject: Re: Signatures Jarkko Hietaniemi wrote: >> And if you can't tell whether a bunch of bits is a scanned-in >> handwritten signature or not, you might as well not include that bunch >> of bits in the file since it's not adding any semantics. > > This is why I have always wondered how faxing a signed document was > supposed to be a binding thing. This is why bicycle couriers are still employed: faxing of a signed document has yet to be tested up to the Supreme Court, so it may or may not be found to be binding should it go to court. - Michael
From: Tony Finch Date: 18:46 on 20 Feb 2008 Subject: Re: Signatures On Wed, 20 Feb 2008, Philip Newton wrote: > > The problem is that a forged signature does *not* record the assent of > the purported signer, and that you can't tell them apart if all you > have is a digital document that was supposedly scanned in from a piece > of paper. Right. If you dispute the legitimacy of a forged contract, and you can't resolve the problem with the other parties, then it becomes a matter for the civil or possibly criminal courts. This is not a problem of computer technology or telecommunications technology: you can also forge paper-and-pen documents. This is why signatures on important documents have witnesses, so that there are disinterested third parties who can stand up in court to say what actually happened. The question then becomes one of what is the digital equivalent of a human witness, but since software sucks you aren't going to get very far with finding an answer. Tony.
From: Michael G Schwern Date: 07:41 on 21 Feb 2008 Subject: Re: Signatures Tony Finch wrote: > On Wed, 20 Feb 2008, Philip Newton wrote: >> The problem is that a forged signature does *not* record the assent of >> the purported signer, and that you can't tell them apart if all you >> have is a digital document that was supposedly scanned in from a piece >> of paper. > > Right. If you dispute the legitimacy of a forged contract, and you can't > resolve the problem with the other parties, then it becomes a matter for > the civil or possibly criminal courts. This is not a problem of computer > technology or telecommunications technology: you can also forge > paper-and-pen documents. This is why signatures on important documents > have witnesses, so that there are disinterested third parties who can > stand up in court to say what actually happened. I know, let's prop up an insecure, inefficient system which invites fraud and forgeries with lots of laws and courts and laywers and notaries. Rather than fix the security hole, we'll just make exploiting it illegal. Because if you make it illegal then it goes away. THAT ALWAYS WORKS! Let's also ignore the consequences of international business deals where it's nigh impossible to verify a reliable witness and also muddy up the legal situation with multiple jurisdictions. While we're at it, let's set up businesses so they have no idea how to use the cryptographically secure system. [1] Throw in some FUD about the ambiguous legal status of digital signatures for good measure. [1] In this case, a domain registrar. So it's not like they don't know these computery things.
From: Phil Pennock Date: 08:08 on 21 Feb 2008 Subject: Re: Signatures On 2008-02-20 at 23:41 -0800, Michael G Schwern wrote: > [1] In this case, a domain registrar. So it's not like they don't know > these computery things. My domain registrar sends out robot mails PGP signed. But I'm not sure that any of the sigs on the key (0x1144E223) are anything but clueless sigs by people who don't understand the testimony implied by a PGP key signature. Certainly no sigs from keys which are clearly staff keys for the registrar. Unfortunately, I can't use PGP-signed email to communicate with them because I'm not a reseller. :^( And it looks like they still expect inline signatures instead of MIME-based PGP sigs. *shrug* On the bright side again, they were able to set up IPv6-only NS glue for one of my NS records, so I have an IPv6-only delegation path for my domains. On the dark side, the online tools couldn't quite handle it, but on the bright side they were willing to set it up manually, despite my being a lowly registrant and not a reseller. So there is some hope in the domain registration world.
Generated at 10:26 on 16 Apr 2008 by mariachi