Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Security

House Nixes Digital Signature Bill 32

Seth Scali writes "The Electronic Signature in Global and National Commerce Act was nixed by the House of Representatives on Monday. According to the article over at ZD Net, the vote was 234 to 122-- or about 1/2 of what would be needed to pass." It needed a 2/3 majority. Most Congressmen seem to agree that we need some sort of legally binding digital signature capability, but say they don't think the current proposal offered enough security or consumer protection. Oh, well. Maybe next time.
This discussion has been archived. No new comments can be posted.

House Nixes Digital Signature Bill

Comments Filter:
  • You don't need a lot of skill to forge a signature in reality. It's far easier to set up your business in an ignored inner city area and rip off the poor since few people give a damn about it. This happens frequently, either by outright deeds such as those who are ripped off by heating contractors every year for heating systems that are never installed, misrepresentation such as concealing the true nature of the legally binding contract you just signed or by falsifying signatures which has happened with numerous shady financial services. Most times the person being victimized doesn't realize it, they're just suddenly faced with an unexpected bill. Even if they do its an uphill battle getting anything done about it. If they're lucky the local news will take an interest.
  • by Anonymous Coward
    I didn't like the fact that the credit companies (and others) could force providing account information electronically, just by burying it in the account agreement. Don't know about the rest of you, but I get enough e-mail as it is, and I don't need CapOne burying a huge interest rate increase in their (probably HTML) message about a shiny new card design.
  • This is a very good thing, it is bad enough that somebody could steal my credit card or other personal information. Think of what damage could be done when somebody could have that much more credit to masquerade as you...

    Just like Microsoft, the government can't be wrong *all* the time.
  • by Yeshua ( 93307 ) on Wednesday November 03, 1999 @03:31AM (#1567406)
    I would hope that such a bill would be rejected. While there does need to be at some point some form of legally binding electronic signature, I don't think we're at the point where we have the technology to really support this. A normal signature and its individuality is based on the indiosyncrasies and mannerism of each human being and their fine motor systems, and requires a lot of practise if you ever hope to copy it, an electronic signature however, is merely a piece of data, which at this point is far too easily replicated and misused. The current technology just has too many security holes to allow it to be a viable alternative as an individual authentication device.
  • Sorry if I didn't make myself clear. At the current time I do not think that a digital signature is a good thing. It would be too easy for a clever 'theif' to hijack this information and pretend to be somebody else. If the internet is going to be the foundation of our new economy we need something more substantial to validate transactions through a digital medium.
  • -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Easy to duplicate? I think not. -----BEGIN PGP SIGNATURE----- Version: GnuPG v0.9.8 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVyQ+ DNiYollQCfZ8vP pqUx8DUPME1AjzB1bqdDD08= =rvgZ -----END PGP SIGNATURE-----
    --
    Interested in XFMail? New XFMail home page [slappy.org]
  • Bingo. This is exactly what I was talking about when I asked Bruce earlier this week what he thought of digital signatures. Physical copies of your signature are there to be evaluated. They've been a legally viable method of verification for a /long/ time.. and the cost of forging a signature generally exceeds the benefits of the forgery. Is it perfect? No. But binding us to weak-crypto to please some wrinkled prunes in congress would only result in fradulent activity on an unimaginable scale if such a scheme was cracked. And the government, being what it is, would not admit to it until many many lives had been destroyed or a few large businesses sunk over fradulent signatures.



    --

  • -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Easy to duplicate? I think not.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v0.9.8 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVy Q+DNiYollQCfZ8vP
    pqUx8DUPME1AjzB1bqdDD08=
    =rvgZ
    -----END PGP SIGNATURE-----
    --
    Interested in XFMail? New XFMail home page [slappy.org]
  • minor picky point:

    the blurb said the bill only got half the votes needed to pass, but by my math, it was only 4 votes away from passing. That's pretty close.
  • No, a digital signature is *not* just "piece of data". You seem to be confusing the idea of regular signatures with digital signatures.

    A regular signature is static-- you put it on one document the same way you put it on another (well, with minor variations, but the overall whole of the thing stays the same). It is difficult for somebody else to imitate it, due to those idiosynchrasies.

    However, a digital signature is *not* static. If you digitally sign a document, I cannot create another document and simply "cut and paste" the signature of the other document onto mine-- it would be immediately recognizable as bogus. The reason is that a digital signature *changes* with the contents of the document being signed and with the person signing it. If you and I sign the same document, the signatures are different and unique to each of us. If you sign two different documents, the signatures are different-- and unique to *you*.

    If you want to learn more, I'd recommend the original RSA paper, at http://theory.lcs.mit.edu/~rivest/rsapaper.ps , as well as a copy of the DSS (Digital Signature Standard), available from NIST at http://csrc.nist.gov/fips/fips1861.pdf , as well as Bruce Schneier's "Applied Cryptography".
  • What I find amusing is that the House shot down the Bill because it was deemed "not secure enough". Fancy that, I didn't know the House reps. were cryptanalysis experts!

    So it makes me wonder if what they did was protect our privacy and security, or if they just reacted aversely to a new technology they don't understand.

    I mean, gosh, there are still people out there who are afraid of using the ATM to make withdrawals! There's surely plenty enough technophobia amongst politicians to fear digital signature, what they probably consider to be, 'your name at the bottom of an email' or something.

    So, it's not a good thing. If they had shot down the Bill for reasonable security concerns over expert advice on cryptanalysis, it would be great. But now, it just smacks of technophobia, and so the breakthrough of a nation-wide digital signature standard won't make its way into the US just yet.

    Maybe we should ask Al to do something about it...

    "Knowledge = Power = Energy = Mass"

  • Why is this a good thing? I don't understand your argument.
    As far as I was concerned, this bill was a good thing. Arguments will follow if no-one else leaps in...
  • Contract law is the protection against this. The person amending the contract (which is essentially creating a new contract) has to make a reasonable effort to ensure that the target of the contract knows of it. Thats why rate increases normally come on seperate slips of paper in your mailings whether its credit cards, your insurance or your utilities. If they buried it on a four colour glossy piece of propoganda consumers could realistically expect to be able to have the contract nullified in court.
  • Regarding signatures, personally, I couldn't tell you if a signature was made by me or not, because my signature never really looks the same twice. I suspect I'm not alone on this one.

    At least digital signatures give you some assurance that the person that signed something really was the person you think it was. Tell me how I'm supposed to know that the little ink scribble at the bottom of a document was made by the proper person?

  • I thought that the vote was 234 AGAINST the bill, with 122 FOR it. Since it needs a two-thirds majority to pass, 122 *would* be about 1/2 the proper amount (the real number of votes would be 118 or 119). As it is, 234 + 122 = 356, and two thirds of that is 237.3, which we'll round up to get 238. So, actually, it needed four more votes to pass, as a number of people have pointed out-- thanks!

    So, based on my (mis) understanding of the article, I came to a mathematically correct conclusion based upon a faulty assumption-- I don't need more math, I need more common sense!
  • by El Peligroso ( 13137 ) on Wednesday November 03, 1999 @04:03AM (#1567418)

    The House passed the bill in question (It only takes 218 votes for a majority in the House, and this bill got 234). It won't become law because the President will veto it, thus the need for a 2/3rds majority to override. It's misleading to say that the House killed the bill.

    BTW, I really hate it when articles quote blatant spin as if it were actually newsworthy.

  • Well, unless there is a -close- to 100% foolproof way of authenticating a digital signature, we're just going to run into the same old hastles we're having now, where signatures are forged or copied, or transactions deliberately tampered with or fabricated.

    A GPG digital signature is currently nearly 100% authenticatable.

    A digital signature used to sign a document is both specific to that document and specific to that sender. If it was sent by the wrong person, the signature will be invalid. If the data changes between the time of signing and the time of verifying, the signature becomes invalid.

    Try playing with GPG [http://www.gnupg.org [gnupg.org]] for yourself. It's an extremely neat app.

  • Hard?? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Easy to duplicate? I think not. -----BEGIN PGP SIGNATURE----- Version: GnuPG v0.9.8 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVyQ+ DNiYollQCfZ8vP pqUx8DUPME1AjzB1bqdDD08= =rvgZ -----END PGP SIGNATURE-----
  • The issues you're raising are important, but I don't think that you can simply say that "all the different arguments about the technological merits of one solution vs another can just sit by the wayside until these larger issues are worked out and understood." Those larger issues have to influence the technical solutions, and vice versa. For example, there are several protocols available for performing contract signing online. It's an old problem (well, older than I am). I don't think any of them explicitly address the issue you raise -- what if one or both parties lose the contract afterwards? How do you archive the contract (and do you want to) ? So that's a case where your "larger issues" need to direct technical research. At the same time, you can't just plug in one of these contract signing protocols and then expect it to work just like your usual notion of signing a contract. They require things like trusted third parties, or random beacons, or that you be willing to tolerate a probability of error here and there. If you don't watch it, you can be burned...for example, if Alice and Bob are negotiating a contract, should Bob be able to show the progress of that negotiation to Carol? What if Bob is negotiating for a new job with Alice and Carol? Whose interests does it serve if Bob can do that? if he can't? A recent protocol by Markus Jakobsson aims to prevent this(see it at http://www-cse.ucsd.edu/users/markus/); other protocols don't. Which you use depends on what you want. and though I hate to say it, sometimes what you want has to deal with what's possible.
  • >The managers of the bill brought it to the floor
    >under suspension of the (House) rules, meaning
    >it didn't go through the rules committee, which
    >is a normal course of action. Bills that are
    >brought up under suspension of the rules require
    >2/3rds majority to pass.

    I bow to your superior knowledge. The Washington Post article on the subject confirms this.

    Online Contracts Fail in House [washingtonpost.com]

    The Post also has an article from a few days ago on concerns that the new law would weaken consumer protection: Acti vists Call 'Digital Signature' Bills Flawed [washingtonpost.com]

    A digital signature bill is still alive in the Senate, and hopefully this will all be worked out soon.

  • by substrate ( 2628 ) on Wednesday November 03, 1999 @03:44AM (#1567423)
    I think there is a need for legally binding digital signatures, but its something I wouldn't want to see rushed through the legislature to make some withered old republicans look digitally saavy. This could have disastorous effects.

    Any legislation has to be written realizing that protocol or key length requirements need to change with time. A given protocol and keylength may be fine for early November 1999 but may be cryptographically weak in early November 2009. This brings up another point. The protocol and key length requirements need to be strict enough that the chances of them being compromised before the signature on the document no longer protects anything is vanishingly small. In other words the strength behind the signature is directly proportional to the lifetime of the document.

    Consider an earnings report for a company for a given quarter. It only requires a years worth of strength in its digital signature. If a third party were to release an October 1998 earnings report in an attempt to manipulate the stock price it would be quickly caught and discredited.

    Consider an individual taking out a 30 year mortgage on their home. If the digital signature can be forged in under 30 years this puts the consumer who took out the mortgage at risk. A malignant mortgage company could change interest rates or terms of the agreement to profit at the expense of the consumer. Things like this happen now with pen and paper signatures.

    The security requirements for taking out a second thirty year mortgage after the first could be different than those for the first. Technology has increased, computers are faster and maybe new hiccups like quantum computation are a reality.

    Digital signatures have the capability of being many orders of magnitude safer than pen and ink signatures if and only if people aren't legistated into weak signatures.
  • In England, there are good reasons to be wary of ATM machines. There have been numerous cases of "phantom withdrawls", where money has gone missing and the bank has denied any responsibility, on account of the fact that the person "could" have used an ATM machine to take the money themselves.

    Technophobia isn't rampant there, but skeptisism towards large companies who try to worm their way out of accountability is.

    How does this affect digital signatures? Well, unless there is a -close- to 100% foolproof way of authenticating a digital signature, we're just going to run into the same old hastles we're having now, where signatures are forged or copied, or transactions deliberately tampered with or fabricated.

    IMHO, digital signatures =must= be coupled with user input which is simply too complex to forge. Using a random sampling of the retina as a one-time pad would work for this. Then use the pad to encrypt the signature, and any other data.

    But that only gives you a measure of security against outsiders. What about dodgy bank employees? There, encryption is useless, as the bank has to have the decryption key to be able to make use of the data. At -some- point, in the bank, the information has to be in the clear, and all someone has to do is inject false data there.

    Actually, there's a way to solve that, too. If the bank's software is "incomplete", and your signature includes self-decrypting executable code, which is necessary to complete the transaction, it would be necessary to obtain that code before false transactions could be made in your name. However, if this code requires a "ping" or "traceroute" to your card, before it will work, it would be beyond most employees to fake a response. It doesn't make it impossible, but that's not the point. At present, any bank clerk with an IQ of -5, who can tell the difference between a keyboard and a ham sandwich has 99% of the tools they need to do a phantom withdrawl. Make it hard enough, and the people left who still could would probably be earning so much that they wouldn't bother with such petty cash.


  • House Republicans intend on bringing this bill back up for a vote before the end of the current congressional session. When you consider it was rushed to the floor and missed being approved by only 4 votes (where did that "about 1/2 of what would be needed to pass" come from?) you can understand their optimism in trying again. This time, instead of bringing it up on the suspension calendar (with the required a 2/3rds vote) they will try to run it through the rules committee and get a "closed rule" on the bill, meaning no amendments to it on the floor. That way they only need a simple majority to pass it.


    If the House is going to go down this route, look for it to happen by Friday. But with Lott saying the target adjournment date is Nov. 10, you can be fairly certain this bill will expire with the session (unless they manage to get it appended to a year-ending omnibus appropriation bill, then anything goes . . . ).

  • Having worked with the company that handles most of the ATM and credit card transactions on the East coast I can say they have every right not to trust the things. CNS is in deep shit and I know for a fact after looking at a lot of their code that I am not going to use those things next year. Or maybe I should, maybe I could cash in with everybody else.

    Okay, so maybe the Bill wasn't shot down for reasonable security concerns, but I still would like to say that I can't imagine it would be very hard to 'steal' somebodies identity. Assuming they use a private/public key algorythm it wouldn't probably be too hard to get the private key. With America's current computer ignorance, anybody with a little balls and good social engineering skills could steal somebody's identity.

    Without informing the public a million times over I just see this leading to disasterous problems.
  • Does anybody know if the original RSA paper is worth much as a collector's item yet? I still have mine, from 1977.

  • um, not quite cowboy. The managers of the bill brought it to the floor under suspension of the (House) rules, meaning it didn't go through the rules committee, which is a normal course of action. Bills that are brought up under suspension of the rules require 2/3rds majority to pass. Because of this, it will never make it to Clinton for him to veto. The fact that Clinton said he would veto it is irrelevant and shouldn't be taken as a given (he said he'd veto the welfare reform act a few years ago and then signed it). Clinton's lackeys in the Commerce department were close to saying okay to this bill, and most likely could have gotten what they wanted in a conference committee, leading to a presidential signature.
  • substrate (substrate@engineer.com):
    I think there is a need for legally binding digital signatures, but its something I wouldn't want to see rushed through the legislature to make some withered old republicans look digitally saavy. This could have disastorous effects.

    Not to be confused by some worthless, bought-and-paid-for Democrats, eh?

    But seriously, folks, legally binding digital signatures may need to be more than encrypting, with the user's private key, the hash of the document. In no particular order:

    1. third party escrow, that verifies the signature soon after the document is signed. That way, even if the crypto method is cracked later on, or the private key is compromised, there still exists a known good copy of the document.
    2. signing key expiration (already exists in pgp)
    3. some watermarking technology, similar to some corporate checks today (which show "void" when a check is copied)

    These methods aren't foolproof, of course ...
  • In the news I read, the reasons given for nixing Digital Signatures had to do with creating a second class of enforceable, legally binding contracts. I wholeheartedly agree with this. There is no sense in rushing into a new use of technology and forcing it down the throats of consumers who will not understand the message they are receiving. Contract law is one area that is clear enough for a great many people to understand. It is well thought out and well documented in the Uniform Commercial Code and a great many state laws.

    This applies to a whole huge list of transaction types and contract law situations.

    • A company may distribute a recall notice to connected consumers. The consumer thinks it is junk mail and deletes it. Who is responsible for a future situation where the product defect caused an accident? The consumer could be asked to digitally sign the copy they were sent acknowledging reciept of the recall, but was something this basic included in the bill?
    • Data Integrity Issues: What happens when a consumer's data is lost and it contained contracts in electronic form? Can he get a copy from the other party?
    • What happens when the corporation loses their copy? If it's a contract that I have the only copy left, may I say I don't have a copy either and stop taking actions for which the agreement applies if the terms are later found to be unfavorable?
    • We would be forcing the courts to decide the question: Did the consumer sign and when did the consumer sign? Typically, a corporate attorney would make better use of terminology and understand the issues better than the consumers attorney. Would you trust that the outcome in determining such basic facts to be favorable?


      As much as I love technology and all the cool benefits of it in terms of information flow, I think that for something as important as this, it's imperative that the plan be well thought out and understood by even those who do not understand the underlying technology. It was prudent to wait.

      So, who cares about key length? Really. If the consumer will not even understand they are entering a legally binding agreement or receiving information which legally binds them, then we are not ready as a society to take the step. It's really as simple as that, and all the different arguments about the technological merits of one solution vs another can just sit by the wayside until these larger issues are worked out and understood.

      If that doesn't take place first, then passing a digital signature act will be something the goverment does to us, not for us.

  • What is needed is for digital signtures to get more prevalence in companies and have a legal challenge so that a body of case-law can be built to support digital signatures. More software that's well marketed and publicized will get us to that point.

    - Michael T. Babcock <homepage [linuxsupportline.com]>
  • Excuse me? Digital Signatures, barring a fault in implementation are very difficult to forge. From your stance I will assume you do not understand what a digitial signature is. A digital signature is a hash of the signed document that is encrypted with the signer's private key. This means that since changing the document produces a very different hash and the person changing the document should not have the origional signer's private key, they would be unable to recreate the signature.

    The key weakness in this scheme is protecting the signer's private key. This key is protected well barring physical access to the machine it resides on. Chances are you'll realize your machine has been comprimised and be able to revoke the keypair (certificate) before anything can happen.
    This risk can also be reduced with a certificate stored on a smart card.

    While not impossible, forging a digital signature is not a trivial exercise. Forging a pen and paper signature is by far easier. There were some issues with this legislation that show that it may have been rushed to the floor, but there does need to be legislation providing a minimum of legal strength to digital signatures on a national level. Many states already recognize them as legally binding, but without all the states having this is keeping the technology from being used on a national basis. The Clinton administration is not opposed to digital signatures as far as I know, the Department of Health and Human Services and the Department of Commerce are moving forward with their proposed electronic signature standard (142.310 I think) that would bring legal weight to digital signatures.

    IMHO this is all a good thing. The legistlation however needs to be watched as this is a potential window for something of a "national id" to be instituted in the form of digital certificates.
  • Well, it's useless until someone funds a national or global PKI. Until that point, it seems incredibly easy to corrupt it. Say i make 20 false signatures, then make 20 more and sign them all with the first 20, then make one genuine one, get it signed by someone widely regarded as "trusted" and then use my signed key to sign the first 20... I now have 20 signatures that are "signed" by a trusted party and are at the same time two steps away from me... Add a few more people to the scheme to get more signatures from other "trusted" people and you've got slews of false signing keys out there...

    Both the good and the bad thing about realworld signatures is that you can't revoke them. It also takes a HUGE amount of skill to replicate them infront of someone else. It's one thing to sit at home and try over and over until you get a reasonable facsimile, it's entirely another to be able to do it on the fly.

    I can't really see how we could as a country or world create a sufficiently secure system of key management. It's got to be a lot better than the current notary system, but that would tend to leave the handling of it in the hands of the government, which would probably be the NSA, FBI, or Secret Service...
  • A company may distribute a recall notice to connected consumers. The consumer thinks it is junk mail and deletes it. Who is responsible for a future situation where the product defect caused an accident? The consumer could be asked to digitally sign the copy they were sent acknowledging reciept of the recall, but was something this basic included in the bill?

    And what if I think that it's just more junk mail from Honda or Dell and I throw it away today? They only have to make a reasonable effort. I don't have to (they ask for it, but I never do it) sign and return anything today. They don't know that I got it.

    Data Integrity Issues: What happens when a consumer's data is lost and it contained contracts in electronic form? Can he get a copy from the other party?

    It would be helpful to the other party to just do so, since a subpoenae is all that is required. Same thing applies if the office burns to the ground today. You should keep your copy, but the agreement is just that... the paper is only a physical means for remembering it later.

    What happens when the corporation loses their copy? If it's a contract that I have the only copy left, may I say I don't have a copy either and stop taking actions for which the agreement applies if the terms are later found to be unfavorable?

    But what about the fact that they've been doing the same things for several years? That's the legal precedent anyway (at least partially, in terms of establishing how the contract was actually implemented). And yes, you could say you lost it. But if they subpoenae your copy and you lie... well, you've committed a number of felonies. Again, same issues as the non-digital world.

    We would be forcing the courts to decide the question... Would you trust that the outcome in determining such basic facts to be favorable?

    Yes. Our current Supreme Court is very pro-individual.

    For the past few years, I and several other people I know, have been using Microsoft Word documents with a scan of my signature in the appropriate place. I've never had a problem with this, and though it's never been taken to court, I've issued invoices to state agencies via e-mail and been paid. It doesn't seem dramatically different than using a fax machine to finish the contract.

    Have a little more faith. Our society, believe it or not, still operates on the premise of individuals not really screwing other individuals. The exceptions are always a bit interesting and sleazy. (Like forged signatures or ambigous contract language.)

    -Derek

"If value corrupts then absolute value corrupts absolutely."

Working...