January 4, 2005, 2:25 pm
Re: Digital Signature Software
:users to sign a EULA online and would be an enforceable digital
:signature? Any ideas?

In some countries, *no* EULA are enforceable except as part of
a written contract that the user signs -before- they pay.

You did not indicate the country of jurisdiction for your needs.
Your posting headers indicate a posting host within the USA;
in the USA, "click-wrap" licenses -are- enforceable if I recall

A problem with any click-wrap license is in proving who it was that
"signed" the agreement. IP addresses are more or less useless
for the purposes of proving that a particular -person- agreed
to anything. Even if the IP address happens to be a static one,
and even if the ISP involved has kept sufficient secure records
to be able to prove months/years later that the IP was assigned
to a particular customer, you would have to be able to show that
it was that particular -person- who was "sitting at the computer"
at the time and not their spouse or child or whomever... and not
someone who had trojan'd their computer and was using it to
remotely access your site.

You could go further by requiring that the person "write" their
signature with the mouse. That's an unfamiliar operation for most
people and usually comes out looking fairly poorly as ink signatures
are at a much higher resolution than the typical computer screen and
people aren't going to be used to drawing their signature in large.
And you run into the problem of demonstrating that it wasn't someone
else tracing a copy of the signature. (This is why contracts
often must be 'witnessed'!)

So... if you want your EULA to be enforceable in any meaningful way,
then you probably want to insist that the users sign up with a
Public Key Infrastructure (PKI) vendor that you trust. The PKI vendor
requires that the person prove their identity to the satisfaction
of the PKI vendor (e.g., by bringing their driver's license in person
to the office of the PKI vendor), and the PKI vendor issues them
a digital certificate that can thereafter be used as an electronic

I should point out that most people will go elsewhere rather than
go through the trouble of signing up with a PKI vendor (e.g., I
never use any service that requires a driver's license because I've
never learned how to drive, and I'm not about to learn how to drive
just to get a license just to authenticate myself to an online service.)
Unless you are planning mostly B2B (Business to Business) operations or
you have a product that individuals *really* want, then you risk
alienating nearly all of your potential audience if you insist on
an authentication method that would hold up in court.

It's easier to deal with credit cards than to deal with enforceable EULAs:
credit cards are not considered to be absolute proof of identity,
but there are well defined procedures for dealing with disputes over
credit purchases. Indeed, sometimes what people do as an authenticator
is to require a credit card and place a nominal purchase (e.g., $1
or $10) against the card; if the purchase is not refused by the
card company and is not disputed by the card-holder, then courts
would often consider that to be strong -evidence- that the cardholder
authenticated the purchase.

Will you ask your master if he wants to join my court at Camelot?!