
The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Are GPG signatures legally binding signatures in California?

--- "Robert G. Scofield" <rscofield@afes.com> wrote:

> On Monday 17 January 2005 16:23, Jan W wrote:
> > From the little that I know, I think so.
>
> I would urge caution.  My problem in all of this is that I don't
> understand digital signatures.  And I don't understand the significance
> of the difference between a signature and a certificate.  The issue of
> certificates needs to be addressed for these reasons.

A certificate can be used multiple times to sign something.  E.G. -- an
S/MIME certificate can be used to send several emails that have
different signatures, because all the emails have different content.  A
digital signature is used to verify the contents just as much as it's
used to verify the sender.

Here's the snippet of regs regarding digital sigs:

   (1) It is unique to the person using it.
   (2) It is capable of verification.
   (3) It is under the sole control of the person using it.
   (4) It is linked to data in such a manner that if the data are
changed, the digital signature is invalidated.
   (5) It conforms to regulations adopted by the Secretary of State.

But this all has to do with using digital signatures that would be
accepted by "Public Entities".  So if Bob and Alice want to each
digitally sign their contract between each other (both private
entities), then it's perfectly legal; they can even use whatever
signatures they want, if they want to stamp their hands in mud and
smear the papyrus as a signature, then it would still hold up as a
legal contract.  

But if Alice wants to submit a proposal to the California Dept. of
Motor Vehicles (the public entity), and wants to use a digital
signature, then she has to get a certificate to sign her proposal from
one of the approved CAs.  Whether you used S/MIME or PGP or whatever,
it would be under the control of whatever public entity you were
submitting your material to.

> Government Code section 16.5 states that digital signatures have to
> conform to regulations issued by the Secretary of State.  Those
> regulations are set out in Title 2 sections 22000 to 22005 of the
> California Code of Regulations.  I have not studied those regulations.
> Maybe your in house counsel can.
>
> Here's my concern.  Title 2 section 22003 states in part:  "although
> not all digitally signed communications will require the signer to
> obtain a certificate, the signer is capable of being issued a
> certificate to certify that he or she controls the key pair used to
> create the signature"
>
> Under Title 2 section 22003(a)(6):
> "(A) The California Secretary of State shall maintain an 'Approved
> List of Certificate Authorities' authorized to issue certificates for
> digitally signed communication with public entities in California.
> (B) Public entities shall only accept certificates from Certification
> Authorities that appear on the "Approved List of Certification
> Authorities" authorized to issue certificates by the California
> Secretary of State."
>
> Here is the approved list:  http://www.ss.ca.gov/digsig/digsig.htm
>
> So I guess Ken's question might be supplemented with this one:  "Is a
> person using a PGP signature capable of being issued a certificate by
> one of the agencies on the approved list?"

Yes, no reason why not.  Here is a short thing on using s/mime and pgp


But whoever is accepting your digital signature would have final say on
the type of signature (x509/pgp).

So my question now is:  "what party would accept this digital

If it's a private party, then you could use just about anything as a
signature (thumb print, XYZ-generated digital sig, etc), and if it's a
'public entity' then you need some sort of reputable (like verisign)
cert to sign your stuff.  Does that clarify the issue?  I hope so, and
I hope that I got all this stuff right (it's been a while since I was
playing with this stuff)...



> I repeat: (1) I don't understand digital signatures; and (2) I have
> not studied all of the regulations.  I'm just raising a question.
> Bob

I believe that unarmed truth and unconditional love will have the final word in reality. That is why right, temporarily defeated, is stronger than evil triumphant.
    Martin Luther King Jr., Accepting Nobel Peace Prize, Dec. 10, 1964
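
An added example, not part of the original post: a toy model of the distinction discussed above between a certificate (issued once and reused) and a signature (computed per message, so it differs with the content and fails if the content changes), plus the approved-issuer check a public entity would apply. It uses unpadded textbook RSA over small constructed keys purely for illustration; `Example CA`, `APPROVED_CAS` and all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (n, d) for textbook RSA built from two primes."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    n, d = key
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys from Mersenne primes: unpadded and far too small for real use.
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
ALICE_KEY = make_key(2**61 - 1, 2**89 - 1)
APPROVED_CAS = {"Example CA": CA_KEY[0]}  # hypothetical approved list: name -> CA modulus

def issue_certificate(subject, subject_n, ca_name, ca_key):
    """A certificate is the CA's signature over (subject, public key)."""
    body = f"{subject}|{subject_n}".encode()
    return {"subject": subject, "n": subject_n, "issuer": ca_name,
            "ca_sig": sign(body, ca_key)}

def accept(message, sig, cert):
    """Public-entity style check: approved issuer, valid certificate, valid signature."""
    ca_n = APPROVED_CAS.get(cert["issuer"])
    if ca_n is None:
        return False
    body = f"{cert['subject']}|{cert['n']}".encode()
    return verify(body, cert["ca_sig"], ca_n) and verify(message, sig, cert["n"])

ALICE_CERT = issue_certificate("Alice", ALICE_KEY[0], "Example CA", CA_KEY)
MSG1 = b"Proposal, first email"    # constructed sample messages
MSG2 = b"Proposal, second email"
SIG1, SIG2 = sign(MSG1, ALICE_KEY), sign(MSG2, ALICE_KEY)

if __name__ == "__main__":
    print("same certificate, different signatures:", SIG1 != SIG2)
    print("both accepted:", accept(MSG1, SIG1, ALICE_CERT), accept(MSG2, SIG2, ALICE_CERT))
    print("altered content accepted:", accept(MSG1 + b"!", SIG1, ALICE_CERT))
    self_signed = issue_certificate("Alice", ALICE_KEY[0], "Alice", ALICE_KEY)
    print("unlisted issuer accepted:", accept(MSG1, SIG1, self_signed))
```
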
