TechWhirl (TECHWR-L) is a resource for technical writing and technical communications professionals of all experience levels and in all industries to share their experiences and acquire information.
For two decades, technical communicators have turned to TechWhirl to ask and answer questions about the always-changing world of technical communications, such as tools, skills, career paths, methodologies, and emerging industries. The TechWhirl Archives and magazine, created for, by and about technical writers, offer a wealth of knowledge to everyone with an interest in any aspect of technical communications.
Damien Braniff wrote:
>
> Some time ago I was asked by our legal bod about ways to tie down a
> contract so that it couldn't be tampered with (at least easily!).
Basically, what you need is digital signatures, likely along with some
other mechanisms like timestamps.
Passwords do not provide anything that is remarkably useful legally.
Say you are suing me. You produce a document, I deny its validity.
It was password-protected on your server. You had the password. How
do you convince a court you haven't tampered with it, after I produce
a different version and claim yours is altered?
You might win this, but your lawyers have some work to do. I hope
your corporate security policies are well documented, meticulous
logs of server activity are kept, and so on. Without that, you may
lose even if you're right.
If you have a document I've digitally signed, the problem is quite
different. Unless the cryptography involved has been broken, the
existence of that document proves that whoever signed it knew my
personal secret key and that not one bit of the doc has changed
since it was signed.
I can claim you knew my signing key, but that could happen only if
I was hopelessly irresponsible in my security practices (oops, my
shareholders are suing me..), or you'd completely subverted my
computer (the judge would need some evidence on that point, and my
shareholders might sue again ...).
I can claim the crypto's been broken, but I might have quite a time
substantiating that. There are several digital signature techniques
that all the experts agree are (barring remarkable breakthroughs in
the attack techniques) secure, and one the US gov't has certified
for commercial use. http://csrc.nist.gov/fips/fips186-2.pdf
Canada changed the laws a couple of years back, giving digital signatures
the same legal status as written signatures. I heard a gov't lawyer who'd
been involved explain this. As I recall, the key legal point was that they
create a "rebuttable presumption". If I produce in court some document with
your signature, the court will accept it as evidence that you agreed to the
contents. You can rebut with a claim of forgery or "I signed under duress"
or whatever.
There's been talk on the crypto mailing lists of similar moves in both
the US and Europe, but I cannot recall details. If you need those and
cannot find them, mail me off list.
This also gives you email encryption. The commercial PGP product from
NAI (www.pgp.com) also provides file encryption and secure remote access
(VPN) features.
Other methods are currently enjoying something of a vogue in business
circles. The buzzword is "PKI", Public Key Infrastructure. This involves
a hierarchy of public keys where, for example, I can trust that your
signature is valid because you give me a certificate signed by your
company's corporate key and my software automatically checks if the
company has revoked the certificate and ...
I'm inclined to think the whole PKI notion is somewhat over-marketed
and some of the products more complex and expensive than they need
to be. PKI-building requires extra-carefully secured servers, quite
a bit of work on policies and procedures, ... Great for folks selling
the servers and consulting services, not as clearly always great for
the client.
That said, PKI is certainly a powerful idea, and there are some very
good reasons why it has become trendy. It offers to solve important
business problems in a unique way. I'd suggest nearly any company at
least get a basic familiarity with the technology, enough to evaluate
whether and how it applies to them.
Carlisle Adams and Steve LLoyd (both from Entrust) have written a
fine book, "Understanding Public-Key Infrastructure", MacMillan,
1999, ISBN 1 57870 166 x.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Develop HTML-based Help with Macromedia Dreamweaver! (STC Discount.)
**NEW DATE/LOCATION!** January 16-17, 2001, New York, NY. http://www.weisner.com/training/dreamweaver_help.htm or 800-646-9989.
Sponsored by SOLUTIONS, Conferences and Seminars for Communicators
Publications Management Clinic, TECH*COMM 2001 Conference, and more http://www.SolutionsEvents.com or 800-448-4230
---
You are currently subscribed to techwr-l as: archive -at- raycomm -dot- com
To unsubscribe send a blank email to leave-techwr-l-obscured -at- lists -dot- raycomm -dot- com
Send administrative questions to ejray -at- raycomm -dot- com -dot- Visit http://www.raycomm.com/techwhirl/ for more resources and info.