A dot-com era story about digital signatures
Here's a dot-com era story that I was telling one of our engineers this morning. They suggested that I put it here, so here it is.
Back in the dot-com era, I worked for the information security group at a large accounting firm. It was called a "Big 5" accounting firm back then, before the troubles at Arthur Andersen reduced it to the Big 4. At this accounting firm we used Lotus Notes for email and other forms of collaboration, and Notes happened to give you the ability to sign or encrypt emails. This capability wasn't actually that useful because it really only worked inside the company, but that's a limitation shared by pretty much any email encryption product that uses digital certificates to manage public keys.
In any event, the partner who ran the security group was very concerned that by digitally signing emails we were creating legally binding contracts. Everyone in his group tried to explain to him that this wasn't true, but he either didn't understand what we were saying or decided not to follow our advice.
The result was a policy forbidding us to use digital signatures.
And because it can be hard to get policies changed at large organizations, I wouldn't be at all surprised if this particular organization is still forbidden from using digital signatures.
Maybe that's not quite true.
The people in this particular organization seemed to quickly figure out that their management didn't quite understand information security, and there was soon a mass exodus of very talented people. I seem to recall that the group went from roughly 30 people to fewer than 10 over a period of a month or two as people quickly quit and moved on to other jobs. The partner in charge of the group was quickly reassigned to a position that focused on just accounting, so it's entirely possible that his policy on digital signature use disappeared with him. But you never quite know with these sorts of policies.