I’ll take a shot at this:
A) Does it work? - yes.
B) Is it worth anything? - yes, although quantifying the value is much more difficult.
C) Is it “proof”? - no, but it can be evidence, legally.
Well, let me elaborate on that last one. I am not a lawyer, and have very little understanding of UK law. However, I have some experience in dealing with these issues as a layperson.
There are a number of legal concepts that become intertwined. You have common law, but common law doesn’t deal with email and electronic “signatures”. It does deal with contracts, evidence, and proof however. You have statutory law, and in the UK, I am unaware of the status of statutory law regarding electronic signatures (and/or related topics). And then you have case law. Folks with legal minds I respect remind me that statutory law shouldn’t really be relied on until case law supports it. And I sincerely doubt there is much case law developed on any statutory law that might exist.
From here on, I’ll talk with the perspective of US law, which I assume to be very similar to UK law. Let’s first review the “real world” analogs. If you were to send a document (a notice, for instance) via the postal service with a return receipt, you first need to understand what that receipt really says. Does it simply imply that the package was delivered? Or that the intended recipient received it? And if they received it, did they open it? Read it? Understand it? Acknowledge its message?
What if it is a contract, and they sign it, and send it back. Does their signature “prove” that they accepted the contract? No…
They can still dispute it, in court. But all of those factors, including lots of other context, are used as evidence. And preponderance of evidence is used to make the case. Someone else (judge or jury) will decide if it is proof enough.
The electronic counterparts are the same. They do not “prove” anything. But they can significantly contribute to the value of the evidence.
The concept I think you are after is non-repudiation, which would prevent someone from denying being party to a specific transaction. A very good (and reasonably brief) discussion of these issues can be found here.
I am not familiar with the specific implementations you linked to. Just looking at the homepage of ReadNotify, I can confirm that they make at least one untrue claim. But that doesn’t mean that they can’t add value. I am familiar with PGP and Timestamping services, but I have no insight into that specific implementation. Think about it - it is easy to see how technology could prove email was delivered to the appropriate server, that the server delivered it to a specific client (although not a specific user), even that it was opened, and stayed opened for some time. But how could technology “prove” that it was read? Did it give a comprehension quiz? Beginning to see the problem?
I’ll avoid a dissertation on public key cryptography, but that technology is the only one I am aware of that even tries to offer non-repudiation (at least in a generally accepted manner). The technology issues are extremely complicated, and I won’t go into them here, but suffice it to say, the real underlying problems aren’t with the technology. They are how people interact with the technology.
So here is where I differ (perhaps slightly) with Micco’s statement about inclusion in the protocol layers and client/server enforcement. The challenging problems to overcome aren’t really down in the technology, they are at layer seven of the OSI model - where users (people) interface with the technology.
For public key cryptography to be helpful in this context, one must be very sure that the initial binding of the secret key to a specific individual is done with high assurance. This is a critical step, and usually cannot be effectively performed in any way besides “in person”. This is usually the killer for the sorts of things you are discussing. But even if that step is completed with high assurance, other issues are equally important. Can you prove that only that individual retained access to the secret key?
The bottom line: Business decisions always come down to managing risk. Technology solutions may provide a way to minimize the risk, but you will still have to decide whether you can accept the remaining risk. And because of the “newness” of these electronic solutions (and lack of statutory and supporting case law), quantifying the risk is also very difficult.