Re: [TLS] Please discuss: draft-housley-evidence-extns-00

"Steven M. Bellovin" <smb@cs.columbia.edu> Thu, 11 January 2007 20:10 UTC

Date: Thu, 11 Jan 2007 15:10:31 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: home_pw@msn.com
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
Organization: Columbia University
Cc: tls@ietf.org

On Thu, 11 Jan 2007 11:33:01 -0800
<home_pw@msn.com> wrote:

> I've lost track of the URL, but somewhere on an MSN/Microsoft site it
> once had a click-signature mechanism. "Click the Agree button" to be
> legally bound to something, over the SSL channel. That is not
> particularly remarkable, of course. However, there was specific and
> remarkable legal blurb justifying this as an "electronic signature".
> I recall reading it, wide-eyed.
> 
> One can gauge the trustworthiness of that "https signature" based on
> classical evaluation analysis (a) was the https
> implementation/ciphersuite/CA good enough (b) was the HTML rendered
> in Microsoft's IE product (c) is the browser and OS assured to ensure
> nothing else on the PC could interfere with the rendering of the
> server's-page ...and its dynamic button and event
> generation/communication. Absent an NCSC evaluation report thereto,
> the only party that can argue one way or the other is of course the
> vendor - which just happened to be Microsoft of course.
> 
> So, I think this was an edge case, that only an MSN site can make
> this claim for a click signature, because it has complete control
> over the trusted technology being applied (being an arm of Microsoft,
> the product maker of IE, https, MSN Servers, etc). However, to be an
> electronic signature, there has to be a recordation act. Presumably,
> the MSN audit logs have the details of the ciphersuite used, the
> browser headers, and perhaps even the SSL session pdus for replay.
> 

You've swallowed the "digital" signature Kool-Aid.

What you saw was quite in conformance with the (U.S.) Electronic
Signatures Act of 2000.  See, for example:

	http://www.ftc.gov/os/2001/06/esign7.htm
	http://www.techlawjournal.com/internet/20000703.htm

Briefly, the legal notion of a signature has little relationship to
what computer people call a digital signature.  The (U.S.) courts have
held that computer-printed signatures on pieces of paper are legally
binding.

Sure, such paper -- or such mouse clicks -- can be forged, and there
isn't the technical attribute of non-repudiation.  If it comes to a
court fight, you can make that argument.  You can also make the
argument that a digital signature was forged because your key was
stolen or your machine was hacked.

In any event, your analysis and conclusions are wrong.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
