(sorry for the late response.) On Wed, Dec 17, 2008 at 4:20 AM, Ian G <i...@iang.org> wrote: > On 17/12/08 12:42, Kyle Hamilton wrote: >> But... ....... and would also violate the archival principle >> (that signatures of archived documents can be verified via the >> presence of a timestamp from a reputable timestamping authority and a >> trust anchor which still needs to be available). > > Yes, to recall an unpopular claim of mine: digital signing where it > attempts to mimic human signing should be deprecated in poorly architectured > applications like S/MIME. For reasons just like these. > > (BTW, where is this "archival principle" documented?)
Aside from audits, it's also basically required by US Federal Court Rules of Civil Procedure 26 and 34, as effective 12/2006. Any court may require that any evidence submitted be authenticated. Without the root available to authenticate... Remember that it's not 'mimicing human signing'. It's preventing modification of what was originally sent. (It's rather like the process of committing logs -- if the logs need to be verifiable that nothing has been retroactively added or removed or changed, they need to have some means of chaining the IV from the prior log entry.) > It is perhaps fun to laugh about the silly Germans ... but consider: their > digital signature project is very serious, it is strongly supported by the > tax authorities and they fully intend for tax submissions to be signed. > They have already passed or attempted to pass the legislation to make this > so. > > Also, Germany is heartland for Mozilla. There are more supporters there > than other places, in general. That's because in the US, Firefox is coming to be viewed as an evil lesser than but akin to IE. -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
