See
 * DigitalSigning for main information
 * DigitalSigningProtocol for what was in this page (Requirements)

= Digital Signing Policy ? =

Once the things mentioned in DigitalSigning are established, then we might be able to write a policy.

Random notes follow...

== The Meaning of Signing ==

== Digital Signing with text ==

 * https://financialcryptography.com/mt/archives/000641.html

== Digital Signing with Public Key Signatures ==

=== Recording the Signature ===

 * the signature applied must be recorded
 * the certificate making the signature must be recorded
 * the root chain needed should be cached
   * including all intermediate subroots and the roots
   * this is so to compare all of the certs against a "created cert"
   * one not issued properly by CAcert is not valid
   * c.f. [[http://www.win.tue.nl/hashclash/rogue-ca/|CCC 2008]] false intermediate attack

== The Agreement ==
=== Recording the Document ===

 * entire document needs to be established or at least testable in some fashion
 * document should be simple
   * the principle of one document says that there should only be one interpretation of the document, which rules against complicated formatting features that might include hidden or deceptive information

=== Recording the Event ===
 * independent verification of event needs to be established

=== Additional Important Parts ===
 * date of agreement needs to be established
   * this is the date of effect of the agreement
   * this is not necessarily the date of the digsig or the signing
   * but in absence of an agreed date of effect, other dates might indicate something to the Arbitrator
 * parties need to be established

== Specific Goals ==

The policy should consider the following:

 *       A specific environment exists.  Examples:
   * invoices that must be digitally signed by regulation, or,
   * exchange of contracts for purchase/supply agreements.
 *       The meaning of the signature is well understood by all parties.
 *       Sender and recipients agree on the meanings and uses.
 *       The "advanced signing" certificate is used only within that environment and for that limited purpose.
 *       The reliance is not solely secured by the digital signature.
 *       The risks, liabilities and obligations are understood and accepted by all parties.
 *       The certificate is encrypted and stored on hardware controlled by the Subscriber, and is never delegated.

== Relationship of Terms ==

Does the policy have any relationship to EU's digital signing directive?  E.g., Advanced Signatures.  Does the policy assist, avoid or reject the directive?

----
 . CategoryPolicy