[geeks] Three heads

David Cantrell geeks at sunhelp.org
Wed Aug 8 10:03:13 CDT 2001


On Wed, Aug 08, 2001 at 09:12:17AM -0400, joshua d boyd wrote:
> On Wed, Aug 08, 2001 at 10:43:28AM +0100, David Cantrell wrote:
> > I haven't read up on the details, but I can tell you that two companies I
> > have dealt with have been happy to accept PGP-signed documents from me
> > instead of bits of paper.  In one case it was an employment contract (not
> > my current job) and in the other, an NDA.
> 
> Interesting.  There has been some speculation here about exactly how legal
> NDAs are.  I think they are probably on firmer ground though than digisigs
> are.

Obviously some people will try to sneak unenforceable clauses into NDAs,
just as they will sneak them into employment contracts.  However, that
doesn't (at least in .uk) invalidate the entire thing.

Thinking about it, I too can see no way that an NDA could be seen to be
enforceable (there's no payment, so no benefit to the person signing it)
but tie it in with an employment contract or something similar and it has
weight - confidentiality becomes one of the deliverables.  This particular
NDA I digitally signed is for some freelance work I'll be doing.  Haven't
agreed the rest of the contract yet cos we're arguing about money, but
obviously, if I break the NDA before then they'll walk away and even if
the NDA is unenforceable, I can't afford to pay a lawyer to find out, so
it is de facto enforceable.

IANAL, and I thank all the gods for that.

> > Clearly anyone who transmits the passphrase for their private key
> > in-the-clear deserves pain.  Consider having to prove the invalidity of
> > a signature to be their punishment for the crime of gross stupidity :-)
> 
> Yes, but here the invalidity of the signature would affect the receiver
> more.  And in the case of ebay, it affects whoever doesn't want out of the
> deal the most, but ebay is the entity that accepted a clear text password
> (they don't accept phrases, I think).
> 
> And even WRT encryption, how many bits does your web browser support?

128, but for anything important I'll use email and pgp, or if I need
privacy without necessarily needing proof of identity, I'll tunnel
through ssh.

I agree with you, that the sort of identification you go through on the
vast majority of websites is insufficient to count as a signature.

> If you are using IE (which I'm sure a lot of your countrymen are) it
> shouldn't have more than 64bits (well, it should be, but mickeysoft
> supposedly isn't allowed to give it to you due to our brain dead
> munitions laws.)

I think you're somewhat out of date there - it used to be 40 bits
(routinely broken by using open http proxies to appear to be from the
Land Of The Oppressors and download the US domestic release :-) but
has been 128 bits for some time now.

> In general I prefer the US to what I know of the EU politically speaking,
> but when it comes to software and technology, the US can be so pathetic.

If only we could pick and choose.  I like some aspects of EU politics and
some of US politics, likewise technologically.  I have to confess to
being incredibly biassed towards Europe culturally though, although this
is quite probably due to not being exposed to any US culture worthy of
the word - I'm sure it exists.

-- 
David Cantrell | david at cantrell.org.uk | http://www.cantrell.org.uk/david

Do not be afraid of cooking, as your ingredients will know and misbehave
   -- Fergus Henderson


