Friday, 25 May 2012

PGP/GPG Digital Signature credibility

I recently had a discussion on a mailing list regarding digital signatures on emails or files. The discussion was with a lawyer.

As usually happens when techies and lawyers discuss something, they approach the issue from very different directions.

From a techie point of view, a signed email is a signed email, and there are levels of security afforded depending on the key size and algorithm, and so on.

From a legal point of view, signing a document has specific meaning, and somehow you have to confirm that the signer had intent to sign the document, and understood that what they were doing was signing it in the same way as signing a paper document. Signatures using a rubber stamp on paper are, in many cases, valid, but if a document was just routinely signed by a clerk or even automatically signed, then that does not have the same meaning.

So, I was thinking about PGP / GPG signatures. A bit of quick googling did not suggest that what I would like exists, so I am thinking an RFC would be a good idea. Of course, what would be better is if someone can say "yes, it already does that, see RFC xxx"...

Basically, when signing with PGP or GPG you are typically asked to enter a passphrase. This is a clear user interaction and equivalent (in my mind) to signing with a pen. You know you are attaching a personal signature to the document.

So what I would like to see is a tag on the signature to flag the level of user interaction that was deployed to access the secret key and create the signature.

E.g. bit fields for :-

1. Some user interaction (pass phrase) was required to access the secret key
2. User interaction required OTP / two factor authentication
3. Secret key is on a physically secure device that cannot be duplicated
4. A recent cache of the key was used (i.e. no user interaction this time)
5. Biometric validation was used to access the key
6. User chose to positively confirm that they wished to legally sign this (checkbox)
7. A duress procedure was used and duress not indicated

This would allow automated signatures to be distinguished from clearly deliberate signatures, and even give additional credibility to the signature.

The signing code would generally know the answers to these questions and be able to indicate these automatically.

I assume it is possible for new fields to be added to the format for signatures and that these can be the "comprehension not required" type.

Does this sound like a good RFC?

5 comments:

  1. While it sounds like a good idea, for legal purposes I imagine it would still be looked upon the same way as most EULAs are - that is, the user doesn't read them, so they're only semi-not-entirely-legal binding agreements.

    ReplyDelete
    Replies
    1. Well, it is not about making it legally binding, it is about recording that this did require an active user interaction, and what level of such interaction. That then goes a long way to confirming the signer knew they were in fact signing it.

      Delete
  2. Signing something indicating duress will immediately give away the fact you're flagging duress, because everyone will need to validate your signature.

    Is that a good idea to give the state of the duress flag away?

    ReplyDelete
    Replies
    1. Good question - and I have no idea what is best in such cases. Interesting point.

      Delete
  3. Can we can’t transfer signature to email or any other document. Digital Signature Templates

    ReplyDelete