I concur. The problem is that the most prevalent e-mail program (Outlook) requires no user intervention as a default when signing and/or encrypting a message with S/MIME. One can override the default to "High Security" (requiring password) only while the X.509 certificate is being installed.
I also agree that alternative authorization mechanisms (or combination thereof) are entirely appropriate: smartcards, flashcards, biometric readers, magnetic strips, bar codes, etc. Different schemes will work provided the hardware is available and adequate authentication can be assured.

Curt

--- David Howe <[EMAIL PROTECTED]> wrote:
> Partially agreed - a user doesn't have to know *how* it
> works, but must have to take a positive step (eg, type in a
> password, answer "yes" to a "are you really sure you want to
> do this" message, that sort of thing) for it to be binding
> under most e-sig legislation. However, the law of contract
> assumes every dotted i and crossed t is read and fully
> understood to the full measure of the law. Enough people get
> caught out this way each year (they find the contract they
> signed isn't what they negotiated but (eg) binds them to a
> full term of service (say, two years) when they wanted a
> three month trial...
> There is a balance to be had here. It should be impossible
> for a random user to walk up to their powered off pc, power
> it on, then sign a document. It should be extremely difficult
> for a random user to walk up to a pc that has been left
> logged on (but which hasn't been used to sign documents for
> five minutes or so) and sign a document; it should be easy
> for the user to sign a large number of documents in rapid
> succession, without having to type in a complex password
> every single time. If this involves remembering the password
> for a specified "idle" time, or using a smartcard to auth
> (rather than a manual password or in addition) that the user
> can remove when he takes a coffee break then fine - but
> whatever you do must almost certainly use no other hardware
> than is already fitted to the machine, so a usb dongle could
> be ok for a home user but a credit-card style smartcard
> almost certainly won't be (although if anyone knows a decent
> floppy-adaptor for smartcards, I would love to know about it)

=====
Curt
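
The balance described in the quoted message (nothing signable after power-on, a fresh passphrase after about five minutes idle, no prompt per document during rapid signing), as an added example that is not part of the original thread. `SigningSession`, `SigningLocked` and the HMAC-SHA256 stand-in for a real S/MIME signature are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class SigningLocked(Exception):
    """Raised when a signature is requested without a recent positive step."""


class SigningSession:
    # Hypothetical gate in front of a signing key; HMAC-SHA256 stands in
    # for the real signature so the example stays standard-library only.
    def __init__(self, passphrase, idle_limit=300.0, clock=time.monotonic):
        self._salt = os.urandom(16)
        verifier, _ = self._derive(passphrase)
        self._verifier = verifier      # stored at rest; the key itself is not
        self._idle_limit = idle_limit  # "five minutes or so"
        self._clock = clock
        self._key = None               # held in memory only while unlocked
        self._last_used = 0.0

    def _derive(self, passphrase):
        dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt,
                                 100_000, dklen=64)
        return dk[:32], dk[32:]        # (verifier, signing key)

    def unlock(self, passphrase):
        """The positive step: typing the passphrase."""
        verifier, key = self._derive(passphrase)
        if not hmac.compare_digest(verifier, self._verifier):
            return False
        self._key, self._last_used = key, self._clock()
        return True

    def lock(self):
        """Explicit lock, e.g. the user leaves for a coffee break."""
        self._key = None

    def sign(self, document):
        now = self._clock()
        if self._key is None or now - self._last_used > self._idle_limit:
            self.lock()                # idle too long: drop the key
            raise SigningLocked("passphrase required")
        self._last_used = now          # rapid signing keeps the window open
        return hmac.new(self._key, document, hashlib.sha256).digest()
```

The idle timer restarts on every signature, so it measures time since the last signing operation rather than time since login.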