Digital Signing Policy ?
Once the things mentioned in DigitalSigning are established, then we might be able to write a policy.
Random notes follow...
The Meaning of Signing
Digital Signing with text
Digital Signing with Public Key Signatures
Recording the Signature
- the signature applied must be recorded
- the certificate making the signature must be recorded
- the root chain needed should be cached
- including all intermediate subroots and the roots
- this is so to compare all of the certs against a "created cert"
- one not issued properly by CAcert is not valid
c.f. CCC 2008 false intermediate attack
Recording the Document
- entire document needs to be established or at least testable in some fashion
- document should be simple
- the principle of one document says that there should only be one interpretation of the document, which rules against complicated formatting features that might include hidden or deceptive information
Recording the Event
- independent verification of event needs to be established
Additional Important Parts
- date of agreement needs to be established
- this is the date of effect of the agreement
- this is not necessarily the date of the digsig or the signing
- but in absence of an agreed date of effect, other dates might indicate something to the Arbitrator
- parties need to be established
The policy should consider the following:
- A specific environment exists. Examples:
- invoices that must be digitally signed by regulation, or,
- exchange of contracts for purchase/supply agreements.
- The meaning of the signature is well understood by all parties.
- Sender and recipients agree on the meanings and uses.
- The "advanced signing" certificate is used only within that environment and for that limited purpose.
- The reliance is not solely secured by the digital signature.
- The risks, liabilities and obligations are understood and accepted by all parties.
- The certificate is encrypted and stored on hardware controlled by the Subscriber, and is never delegated.
Relationship of Terms
Does the policy have any relationship to EU's digital signing directive? E.g., Advanced Signatures. Does the policy assist, avoid or reject the directive?