The question is, can you forge your own signature? If both parties agree that the document is legally binding it seems a bit unlikely that the document would fall under the forged label.
Though I am not a lawyer.
It's also worth noting that digital signatures throughout the European Union have legal status.
Digital signatures also have legal status in the US.
Until society catches up and uses cryptographic primitives provided by a national ID smart card (such as Estonia has) for authorizing intents, this is a satisfactory method to make document execution less painful.
This project is already doing the easy part (“place pretty signature picture here”). Depending on your jurisdiction and their tolerance, you could also render a true crypto signature in ASCII-armored format to assist in proving legitimacy (perhaps generated as a small print signature line under the signature).
Sidenote: Some transactions require a "wet" signature (as in, actual ink on actual paper from an actual pen). This doesn't get around those transactions unfortunately.
All the more baffling why some countries are moving away from national identification and other digital signing initiatives to prove identity. E.g. the UK that introduced and then subsequently dismantled a national ID card and database (apparently it was a "privacy" issue for the government to have a record of citizens?). Imagine this, a first world country, living in the dark ages essentially when it comes to identity.
>These ID cards are, however, preparing the way. The more people get used to some new government regulation, restriction, or provision, the more they tolerate it and eventually just learn to live with it. What may at first seem unthinkable and raise howls of protest, later becomes accepted by a few, then many, then most. And that’s how the Antichrist and his agents will capitalize on these compulsory ID cards to prepare the world for what’s next.
Dominionism is not a clearly defined practice/group/sect/etc. The most inclusive definition is basically just "people with strong beliefs want to run the democracy they live in according to those beliefs", which doesn't seem like a surprising way for anyone to behave.
Yet, take even the most expansive and uncharitable definition, and still "dominionism" =/= "the end times are at hand and there are signs everywhere of the coming anti-christ, such as national ID cards".
If you support national ID systems, please do your part to advocate for such systems whenever possible (as well as the necessary privacy and oversight controls). Progress is a function of effort. I'm working on the US side.
> (apparently it was a "privacy" issue for the government to have a record of citizens?)
That's because there's a 95% chance they'll sell it to the likes of Equifax and Experian - what minister could resist the temptation to 'make the system pay for itself' while 'reducing fraud' and 'working with the private sector' - and a 100% chance one of them will then lose it in a breach.
Just for what it's worth, a big part of the backlash against the national ID is that firstly we have a couple of decent proxies, for example driving licence and passport, and secondly we were being asked to pay for the privilege.
National ID systems are an incredibly bad idea. You can already get the entire authentication benefit from using decentralized ID systems (your bank authenticates you with your bank card, your employer authenticates you with your employee ID), so all a national ID adds is the ability for corporations to correlate all your different identities without your knowledge or consent, which is nothing but a privacy-invasive misfeature. Note that without a centralized ID they could still do it with your knowledge and consent by having you authenticate using multiple decentralized IDs.
Centralized identity is also a huge single point of failure and compromise. It would attract far higher resources from attackers than non-monoculture ID systems do, have far reaching consequences when vulnerabilities are discovered, and take far longer to respond when changes are necessary because of the scope of use.
I think you're forgetting the part where those existing so-called "decentralized" ID systems are by-and-large using a centralized system (your SSN) which is magnitudes worse than a cryptographic card.
Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both. The status quo is that any service which requires identity validation is requiring you to provide your SSN, which in internet terms is like authenticating with only a username (no password) on all websites, AND you have to use the SAME username for every different site.
Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.
> I think you're forgetting the part where those existing so-called "decentralized" ID systems are by-and-large using a centralized system (your SSN) which is magnitudes worse than a cryptographic card.
It's orders of magnitude worse at authentication because that's not what it's for and everyone should immediately stop trying to use it for that. For that matter it would be better if they would stop using it for anything other than its original purpose as a tax ID.
> Now compare that to public-key encryption. Not only is it better assuming you only have access to a single private key (because you are still authenticating with the output of the key, not the key itself as with SSN), but also because a cryptographic card could store MULTIPLE private keys, allowing you to authenticate with a different "identity" to different providers, making it impossible for them to cross-reference you in that way.
But that's exactly the point. That isn't a national ID, it's ordinary public key cryptography which anyone can use right now already. You don't need a national ID for this, just create a new public-private key pair whenever you first interact with a new entity and use it to authenticate yourself to that entity going forward.
> Your bank knows that you are the same John Smith as your employer has on record, because you needed to use the same SSN for both.
But there is no good reason they need to know this, because having a bank account has really nothing to do with having an employer. All your employer should need is your bank account number so they can deposit your paycheck -- or not even that, just to give you a signature authorizing their bank to transfer money to you, where "you" means the person who can prove they hold the private key corresponding to a public key you gave your employer.
Banks shouldn't even need to know your name if things were being done securely, much less your SSN. Having them is nothing but a liability because someone who doesn't know what they're doing could mistake them for an authentication method.
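The per-provider key pairs and "authenticate with the output of the key" idea from the comments above, as an added example that is not part of the original thread. The `Card` type, the HMAC-based key derivation, the `auth-v1` message prefix and the provider names are assumptions made for illustration; the master secret is a constructed demo value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card models a hypothetical smart card whose master secret never leaves it.
type Card struct{ master []byte }

// keyFor derives a separate Ed25519 key per provider (assumed scheme: seed = HMAC-SHA256(master, provider)).
func (c Card) keyFor(provider string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte(provider))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Enroll returns the public key a provider stores; it is the only identifier that provider sees.
func (c Card) Enroll(provider string) ed25519.PublicKey {
	return c.keyFor(provider).Public().(ed25519.PublicKey)
}

// bind ties a challenge to one provider so a response cannot be relayed to another.
func bind(provider string, challenge []byte) []byte {
	return append([]byte("auth-v1|"+provider+"|"), challenge...)
}

// Respond signs the provider's fresh challenge; only the signature is disclosed, never the key.
func (c Card) Respond(provider string, challenge []byte) []byte {
	return ed25519.Sign(c.keyFor(provider), bind(provider, challenge))
}

// Verify is the provider-side check against the public key stored at enrollment.
func Verify(pub ed25519.PublicKey, provider string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, bind(provider, challenge), sig)
}

func main() {
	card := Card{master: []byte("constructed demo secret, not a real key")}
	bank, employer := card.Enroll("bank.example"), card.Enroll("employer.example")
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig := card.Respond("bank.example", challenge)
	fmt.Println(Verify(bank, "bank.example", challenge, sig), Verify(employer, "employer.example", challenge, sig), bank.Equal(employer))
}
```

Because each provider holds a different public key, comparing their records gives no shared value to join on, and a captured response is useless against a new challenge or a different provider.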
You do need the SSN to match up with the name and other personal information like age, gender, address, etc. In that way, it's a bit like authenticating with a common username and a password that is publicly available with the username obfuscated (except in the case of data leaks).
Instead of a unique ID like a SSN, we should be using an identity provider to support such use cases. Imagine instead that you would authenticate with https://login.gov (ideally with your credentials and a hardware 2FA device), which would then attest to whatever service you were logging in to that you are you.
You can't rotate a social security number with reasonable effort, and we can no longer treat it as a secret, because it isn't one. It's time to move past it as an identifier.
Now imagine that for whatever reason you suddenly become persona non grata, and https://login.gov/ refuses to attest that you are you to any of the services you have come to depend on.
Or just imagine https://login.gov/ passively collecting information about all the services you're logging into.
I wouldn't be opposed to a common login protocol—preferably a distributed or federated one—where the government and other parties can add their own signatures to attest that a particular identity belongs to a certain real-world person, and you can choose which of those signatures you present to any given service. However, having the login itself go through a government server would be an incredibly bad idea.
We're already at that point (driver's licenses, passports) and it hasn't happened yet. Yes, you can get blacklisted by the TSA for air transport, but they have an exception process for that (redress control number).
Proper functioning of democracy and government requires eternal vigilance (apologies to Jefferson).
You don't need your driver's license or passport to log in to your e-mail or Facebook account and communicate with your friends, or to buy groceries. Revoking your driver's license and passport affects your ability to travel long distances and not much else, at least in the short term. It's bad enough that you need a current government ID for domestic flights; we don't need to make it mandatory for everything.
> Proper functioning of democracy and government requires eternal vigilance
Indeed, and part of that vigilance is pushing back against government involvement in areas they have no business in, such as authentication for non-government services.
Nobody is proposing a system where you need to authenticate with some national ID in order to do any of the things you mentioned.
We are talking about having better authentication (both more privacy-aware and more flexible) for situations where it's needed. You don't need to validate your identity for email, facebook, or groceries, so obviously this wouldn't apply there. This would apply to things where some ID auth is already taking place (e.g. anything that asks for your SSN, KYC processes in general, etc).
It's interesting to see a mention of the ability "to correlate all your different identities" as a feature, which probably illustrates fundamental conceptual differences in different legal/social systems.
In European continental civil law (as opposed to common law e.g. USA and UK, as far as I understand UK law) there's no such legal concept as "different identities" or legal aliases - you have one identity, and that's it. You must have an official identity (it's a crime for adults to not have that official ID registered/issued) and you can't have more than one. There's no right to assume or use a different identity, doing so for any benefit is fraud or forgery. If you change your name, then that must be published so that it's trivial for anyone to link these "identities", or, more accurately, know that the same identity used a different name until a particular day.
That has some disadvantages (e.g. lack of pseudonymity - either you're not identified at all, or you're fully identified) and some advantages e.g. in commerce it's generally useful to have a strong identification of your counterpart rather than a weak one; and it eliminates a whole class of "identity confusion" for people with matching names and other features - there's a single "source of truth" for identity, and it can reliably distinguish all the different John Smiths.
If we're looking at the risk of compromise, it's worth noting that the whole concept of 'identity theft' is widespread in countries with weak ID systems like USA and not widespread in places with strong centralized IDs like continental Europe. A chain is as strong as its weakest point; if it's plausible that you might be using some weak form of ID (or even just 'something you know' like social security number/mother's maiden name/etc), then someone else can pretend to be you using that weak form of ID.
You have to realize that the entire concept of "identity theft" comes from having centralized identity to begin with, otherwise there is nothing to "steal".
Suppose you want to take out a mortgage on a house. If you take it out in someone else's name, this is a problem. But suppose that didn't even enter into it. Instead you prove title to the house, i.e. you authenticate to the city title office as owner of that property using the authentication method you established when you bought it, and that proves to the bank that you own the property. You, having authenticated to the city, approve the bank to take a lien out on the house. They accept the lien as collateral for the mortgage loan, and you get a mortgage loan. Your name doesn't enter into it at all, so nobody could use your name to take out a loan. If you don't pay the loan, they don't care one bit what your name is, they just foreclose on your house.
That's one identity, but the owner of the house would have other identities. The fact that you know that the owner of the house approved the lien would not automatically tell you that, for example, the person living in the house approved the lien. Or that a certain employee of a certain company approved it. These would all be separate identities, even if they all refer to the same person.
Even in countries with unique, centralized identities, you don't go around handing your government ID to everyone you meet. You use it for official legal business only. In other contexts you still have less formal identities which remain separate from your official identity.
You seem to be conflating the two different, incompatible meanings of "digital signatures" here.
This article is about digital signatures as in digital pictures of a signature. There's some support of them in, for example, some PDF tools. These do not have a legal status in EU.
And there are "digital signatures" as in cryptographic digital verification of documents using private/public key cryptography. This is the type of digital signatures for which EU has a legal status, and in many countries a support for verifying identity - for example, I can cryptographically sign documents using the chip on my gov't ID card, and if I receive such a document, then I can securely verify the identity of the signer without needing any preexisting relationship with them. But this has nothing to do with the pictures of signatures that this article is talking about, that seems to be more like a USA thing.