What is a signature?
3 comments · 400 words · read ~473 times.
This is one of my favourite anecdotes from wordsmith Neil Gaiman:
I'm not quite famous enough to have my autograph plastered all over the Internet - but I do have a JPG copy of my signature stored in a convenient location.
Hand-signed documents - so called "wet signatures" - are a totem. People think that they represent an infallible and unbreakable pact. They don't, of course. So I just paste-in my JPG at the bottom of important documents.
This has only caused me a problem once. I electronically completed a document only to be told that they would only accept hand-signed version. Bollocks to that! I opened the document in a photo editor, rotated it 7 degrees clockwise, and added a paper texture background image. The company accepted it with thanks.
Similarly, I recently had a company tell me they needed a copy of a utility bill to "verify my identity". Like most of the modern world, I only receive bills online. They were happy to accept a screenshot. Now, I'm no artist, but it would be easy for me to digitally manipulate a screenshot or a PDF. So what does it prove?
I suppose I could cryptographically sign my messages. Although I doubt most organisations have the ability to accurately access their authenticity. Heck, I doubt most geeks do, either!
There are some things people do to sort of validate I am who I say I am.
- Check I have access to an online account by asking me to post a specific message from it.
- Check I have access to a physical address by sending me a token in the post.
- Check I have access to knowledge about my first school, favourite sports team, and other security questions probably known by close family and friend.
They are all quite weak indicators. So we fall back on an inky squiggle that's easy to copy and easy to replicate.
We've reached a weird inflection point with identity. There's very little I can do to prove who I am. There's almost zero things you can do to validate what little proof I can offer.
Things For Which Cryptographic Signing Would Be Useful
Andrew McGlashan says:
In Victoria, AU if you don't have a copy of your full birth certificate by the age of 21, it can be very difficult to get one -- if you are under 21, then a parent can help, but not if you reach 21. The births, deaths and marriages department will take "copies" of documents, but the driving license authority (Vic Roads) will not accept any document unless it is a bonafide original; it can't even be a certified copy!
Ordinarily a certified copy of a document can be done by a member of the local police force or a justice of the peace and it is generally well accepted in place of originals.
So, if you haven't got a learner's or driver's license for a motor vehicle and you have limited access to proper original documents, then it might be impossible to fix.
As to electronic signatures, I've always thought it was a joke to accept an image from a computer file as a signature or a rubber stamp of your signature. I think the only valid way with paper documents is to use a pen and sign it in person with a valid witness, anything less is always going to be questionable from a contract perspective.
Proper electronic signing can be an issue too as anybody can create a GPG key pair for any "email address" they like and if it doesn't pass the web of trust then it will still likely be accepted... and the WOT is flawed in itself as people will sign any old key just like they click okay, okay, okay during an installation and install malware that they were even told about by simply clicking through.
In the electronic age, you still get asked for a letter head for a business, which most people never have these days. Just about anything can be dodgied up if you need it, especially in the world of PDfs that are over trusted to be bonafide, but they are just a plain old electronic computer file with a source that is easily adjusted in most cases. Photoshopping is also a very real thing. Heck, these days you can't even trust a video with a voice of someone you "know" ... http://www.bbc.com/news/technology-43639704
NigelM says:
I'm sure the government will be keen to step in and provide this "service".
I'd have thought WoT would be the solution, but as pointed out, it's only as strong as the "trust" assertion. IIRC PGP recommended "you only sign in someone's physical presence".
I wonder if a solution might be similar to that, but with "accrual of evidence". I.E: we don't trust just your gas bill, these people were asking for a number of items to cross an internal threshold. It might be "these people say you are edent. And your id is signed with your website EV certificate. And the energy company asserts they have had transactions with you. And the bank says. And government gateway says. Etc".
@Edent Patio11 pointed out to me once on Twitter that signatures fulfil two functions—authentication (can I verify the person who signed this is the person they say they are) and solemnisation (did the person who signed this perform an action indicating they accept the terms laid out in the document.) Signatures are bad at the former and dragging a jpeg of a signature onto a pdf is bad at the latter.