[Cryptography] EFF amicus brief in support of Apple

ianG iang at iang.org
Mon Mar 7 23:35:01 EST 2016


On 5/03/2016 19:07 pm, Ron Garret wrote:
>
> On Mar 5, 2016, at 8:50 AM, Allen <allenpmd at gmail.com> wrote:
>
>>> There’s no difference between a digital signature and a regular signature.


The only thing in common between digital signatures and human manuscript 
signatures is the word 'signature'. Calling reverse RSA encryptions 
signatures was probably one of the worst mistakes cryptography has ever 
made.


>>> Both have the same semantics: endorsement of the content being signed.
>>
>> Well, that's a huge stretch right there.  Who says a digital signature implies endorsement of the content?
>
> Apple does.  Apple has put in significant (one might even call it extraordinary) engineering effort to create technological infrastructure in which their digital signature can be relied upon to mean: we, Apple, certify that this content is safe for you to run on your device.


I doubt it.  If you look at the legal thrust of the usage, it's likely 
nowhere presented that Apple has signed over a document for you to read 
and verify and then rely upon.

E.g., if Apple were to open up the walled garden to other suppliers, 
would there likely be a change?  Very unlikely, it would just be 
announced one day in the tech media and users would not notice the 
difference.

Another example - if Apple's alleged "intent" to meet their contract 
goes sour, would you be able to sue for damages?  Extremely unlikely. 
They've had their lawyers working those agreements for a long time, and 
the liability will be set to zero.  It's not even clear that there is a 
real contract there for all those free programs.

Another - if they were really signing, wouldn't they sign their T&C?

In contrast, what Apple has done is to use an authentication and 
authorisation technology to deliver an approved piece of code to the 
phone, which relies on that tech to know the code came from the mothership.


>> as a legal construct--which is what matters here--it consists of whatever the courts say it does.
>
> No, that’s not true.  There is quite a bit of existing law — both common and statutory — around signatures, both digital and analog.


Which isn't that much used.  A failed experiment in society.  Which is 
why the world is now seeing finger or pen signing electronic devices. 
It's not because the users are stupid and won't adopt the smartcard 
science fiction stuff, it's because the plastic-pen-on-screen devices do 
actually capture intent.  Something no smartcard thing could really manage.


> The courts are not free to just make shit up.  IANAL but based on what I know about the existing law of signatures it is quite clear that Apple’s digital signature meets all of the criteria for being a legal signature under both statutory and common law.  (The principal criterion for being a legal signature is that it is the intent of the signer that it be a legal signature.  This is why someone who can’t write can legally sign a document with an “X”.)


Right - it may well have the legal standard of a signature.  But it 
doesn't make any sense for Apple to use the technology for signing. 
It's quite fine being used as an authentication and authorisation device 
from Apple central to the phone.  No user needs to see it.  And if no 
user sees it, is it really a signature?

iang


