[2643] in cryptography@c2.net mail archive
digital signatures at Salomon Smith Barney?
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Thu May 7 14:32:32 1998
Date: Thu, 7 May 1998 08:17:18 -0400
To: cryptography@c2.net
From: Robert Hettinga <rah@shipwright.com>
--- begin forwarded text
MIME-Version: 1.0
Date: Thu, 7 May 1998 00:17:00 -0400
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Ben Wright <Ben_Wright@COMPUSERVE.COM>
Subject: digital signatures at Salomon Smith Barney?
To: DIGSIG@LISTSERV.TEMPLE.EDU
Does anyone know how Wall Street traders who use digital certificates are
actually doing it? The May 4 issue of Network World, page 57, describes a
system in which Salomon Smith Barney has distributed X.509 certificates to
250 employees and 25 large trading partners. The certificate technology
comes from Entrust.
A person executing a trade must invoke two certificates (and presumably the
private keys associated therewith). First, the trader invokes a
certificate in his web browser to give him access to SSB's secure web site.
Second, to transact the trade itself, the trader must invoke a certificate
using a SecurID card from Security Dynamics. Then, according to the
article, the trader fills out a form, evidently to state the terms of the
trade.
The article does not say what happens after the form is filled out. It
does not state how the trader knows that the form is correct, or cancelled
or what.
I wonder whether in this system the trader is consciously applying a
"digital signature" (in the sense contemplated by the ABA Digital Signature
Guidelines) to identified terms. I wonder whether there is a point where
the system informs the trader anything like "your digital signature is now
being applied to these terms and you are becoming legally bound, do you
approve?"
The system might in fact NOT be applying a digital signature to a clearly
demarcated group of terms. It might just be confirming that all the
communication from the client to the server is authenticated as having come
from a client operating in tandem with an authorized SecurID card. I don't
know, but maybe someone here can enlighten us on how this or similar
systems actually work.
--Ben Wright
--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
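The distinction Ben raises, a signature applied to a demarcated set of terms as opposed to an authenticated session, as an added illustration that is not part of either message above: the trade terms are rendered in a fixed canonical form under an approval statement, the trader's key signs exactly those bytes, and verification fails if any term is changed. Ed25519, the field names and the canonical layout are assumptions made for this example; nothing here describes how SSB's actual system is built.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// TradeTerms is the demarcated set of terms the trader is asked to approve.
type TradeTerms map[string]string

// CanonicalTerms renders the terms deterministically (sorted keys, one
// quoted key=value per line) under a fixed approval statement, so the bytes
// signed are exactly the terms shown to the trader and nothing else.
func CanonicalTerms(t TradeTerms) []byte {
	keys := make([]string, 0, len(t))
	for k := range t {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("TRADE-APPROVAL-V1\n") // assumed label, marks what is being approved
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%q\n", k, t[k]) // %q so values cannot be confused with layout
	}
	return []byte(b.String())
}

// SignTerms is the point at which the trader, having been shown the canonical
// terms, applies a signature to those terms and nothing else.
func SignTerms(priv ed25519.PrivateKey, t TradeTerms) []byte {
	return ed25519.Sign(priv, CanonicalTerms(t))
}

// VerifyTerms lets the counterparty check that the signature covers these
// specific terms; any altered or added term makes it fail.
func VerifyTerms(pub ed25519.PublicKey, t TradeTerms, sig []byte) bool {
	return ed25519.Verify(pub, CanonicalTerms(t), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed trader key pair
	terms := TradeTerms{"side": "BUY", "symbol": "XYZ", "qty": "1000", "price": "42.10"}
	sig := SignTerms(priv, terms)
	fmt.Println("original terms verify:", VerifyTerms(pub, terms, sig))
	altered := TradeTerms{"side": "BUY", "symbol": "XYZ", "qty": "10000", "price": "42.10"}
	fmt.Println("altered terms verify: ", VerifyTerms(pub, altered, sig))
}
```

A session that is merely authenticated (client certificate plus SecurID) gives the server no such artifact tied to a particular set of terms, which is exactly the gap the question points at.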