Re: Drop the Copyright Assignment requirement for Emacs

[Philippe Vaucher]

> > OK, that is very convenient for the signer, but how can the recipient
> > of such a signed document verify this signature? If it is taken at
> > face value, I can’t see anything that prevents an adversary from
> > typing your name and signing away some of your possessions.

Just to enhance a little bit on that, from what I read on digital
signatures what counts more is "the intent to sign" rather that the
form. I am pretty sure that if Adobe Sign decide it's a valid way of
signing they it probably is.

> With hand-written signatures, the assumption is that your signature is
> sufficiently complex that another person cannot duplicate it in a way
> that a graphologist wouldn’t detect.

I think that was the original intent but it's not really valid
anymore. For example if there is a camera showing me signing a
document but signing "John Smith" instead of my real name, I guess the
signature would still be valid despite not being "verifiable" using
the graphologist method. What counts more is being able to capture the
"intent to sign". When doing this online, there are several ways to
capture that intent (2-step identifications, confirmations, etc).

> With GPG, the assumption is that
> you control your private key and that it cannot be brute-forced in a
> realistic time frame.

Just to be clear I'm not against adding a little GPG dance, especially
since it can help identify commits authors later on. Maybe that can
even replace the "complicated" PDF display and make the
print-scan-email cycle more simple, that'd already be an improvement.

Philippe