Re: trademarks [was Re: Minutes of the Board meeting 2006/Feb/15]

On Tue, 2006-02-28 at 09:41 -0500, Dominic Lachowicz wrote:
> On 2/28/06, Owen Taylor <otaylor redhat com> wrote:
> > I'm not sure that going over https would make it any more legally
> > binding...
> If I said "https", then I'd agree with you, but I didn't. I said
> "secure", but perhaps that was the wrong word. The semantic I'm
> looking for is "there is some way to verify that the submitter is who
> she says she is, in a legally binding sense". You know, more than just
> an accept button and some text fields that anyone can fill in with any
> values they like.

Signatures are pretty funny things ... for a very large number of 
real-world important things, I can fax a signed document; presumably
given an example of someone's signature it's not hard to create a
very convincing looking fax with that signature. 

So, most of the time, a signature is, as far as I can tell, really
an expression of intent on the part of the signer rather than a
security mechanism.

The "sign by retyping your name in slashes" thing on that web page,
as corny as it may seem, is actually the recommendation of our
lawyers. And while, as a computer person, I had trouble implementing
that form with a straight face, I'm not sure that, say, a PGP  signature
of the submitter would have any more security validity... not even to
discuss what courts would consider legally binding.

PGP signatures have a bad problem with repudiation ... at any point
I can claim that I accidentally revealed my private key two
years ago, and that the signature could have been forged. 

To really get something secure, you need something equivalent to
notarization or a signature guarantee where a trusted third party
confirms your identity and countersigns the document. (And to
fix the repudiation problem, that identity confirmation can't be
automated by way of a PGP key.)

If you think about from a different angle, what's the damage someone
could do by submitting a forged form? If the user groups claims that
they never signed the document, and thus aren't bound by the terms of
the agreement, then they don't have the accompanying rights to use the

So, in other words, while I intentionally said "https" instead of
echoing your "secure web app, my general feeling is that this isn't
something that is really a matter of technology.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]