I recently had a discussion on a mailing list regarding digital signatures on emails or files. The discussion was with a lawyer.
As usually happens when techies and lawyers discuss something, they approach the issue from very different directions.
From a techie point of view, a signed email is a signed email, and there are levels of security afforded depending on the key size and algorithm, and so on.
From a legal point of view, signing a document has specific meaning, and somehow you have to confirm that the signer had intent to sign the document, and understood that what they were doing was signing it in the same way as signing a paper document. Signatures using a rubber stamp on paper are, in many cases, valid, but if a document was just routinely signed by a clerk or even automatically signed, then that does not have the same meaning.
So, I was thinking about PGP / GPG signatures. A bit of quick googling did not suggest that what I would like exists, so I am thinking an RFC would be a good idea. Of course, what would be better is if someone can say "yes, it already does that, see RFC xxx"...
Basically, when signing with PGP or GPG you are typically asked to enter a passphrase. This is a clear user interaction and equivalent (in my mind) to signing with a pen. You know you are attaching a personal signature to the document.
So what I would like to see is a tag on the signature to flag the level of user interaction that was deployed to access the secret key and create the signature.
E.g. bit fields for :-
1. Some user interaction (pass phrase) was required to access the secret key
2. User interaction required OTP / two factor authentication
3. Secret key is on a physically secure device that cannot be duplicated
4. A recent cache of the key was used (i.e. no user interaction this time)
5. Biometric validation was used to access the key
6. User chose to positively confirm that they wished to legally sign this (checkbox)
7. A duress procedure was used and duress not indicated
This would allow automated signatures to be distinguished from clearly deliberate signatures, and even give additional credibility to the signature.
The signing code would generally know the answers to these questions and be able to indicate these automatically.
I assume it is possible for new fields to be added to the format for signatures and that these can be the "comprehension not required" type.
Does this sound like a good RFC?