[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificates/Anonymity/Policy/True Names

To: Michael Froomkin <[email protected]>
Subject: Re: Certificates/Anonymity/Policy/True Names
From: Andrew Loewenstern <[email protected]>
Date: Wed, 23 Aug 95 11:30:27 -0500
Cc: [email protected]
Sender: [email protected]

Michael Froomkin writes:
[...hypothetical screwups by CA leading to lawsuits snipped...]
>  Since (in the absence of any rules given the newness of the
>  technology) it is very likely that a rich CA would get nuisance
>  suits every time a deal in which it particiapted went sour, the
>  absence of rules will either raise costs CAs have to charge (e.g.
>  to buy insurance) or will keep rich folk out of the industry (which
>  isn't good either, since you want CAs to buy security and to last).
>  Thus the need for clear liability rules.

What about when the CA signing key is stolen, factored, or otherwise falls  
into the wrong hands, thereby possibly making every signature made by the CA  
worthless, or at least questionable?

I assume liability will be based on the CA's efforts to ensure the integrity  
of the signatures it makes (and therefore the confidentiality of the secret  
key components), but what constitutes due diligence?  As we all know,  
security measures cover a very wide range and can reach ridiculous  
proportions on both ends of the spectrum...  How much security will be  
'enough' from a legal standpoint...?

andrew

Prev by Date: Personal: Any relation to Dan Farkas?
Next by Date: The End of the Ecash Trial?
Prev by thread: Re: Certificates/Anonymity/Policy/True Names
Next by thread: Re: Certificates/Anonymity/Policy/True Names
Index(es):
- Date
- Thread