Re: Digital Signature Legislation (fwd)
At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <[email protected]> wrote:
>---------- Forwarded message ----------
>
>DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
>
>[Copyright 1996 by Brad Biddle; permission granted for non-commercial
>electronic redistribution]
>
>...
>LIABILITY
>
>The Utah Act makes two policy choices concerning liability allocation
>Under the Utah Act, consumers are held to a negligence standard in
>guarding their private encryption key. Thus, if a criminal obtains a
>consumer's private key and commits fraud, the consumer is financially
>responsible for that fraud unless the consumer can prove that the consumer
>used reasonable care in guarding the private key. ...
One important point here is what is "reasonable care"? In a very real
sense, all consumer computer operating systems are not secure. I have
posted a theoretical virus-borne attack on PGP's secret key to the
cypherpunks mailing list (archives at http://www.hks.net/cpunks/).
Nathaniel Borenstein of First Virtual has posted to the same list a
description of a partially implemented attack on credit card numbers which
has received heavy response. If there is enough reward, these attacks will
occur.
The question I have is, does "reasonable care" include keeping your machine
"virus free"?
>There is a second troubling policy choice relating to liability. The Utah
>Act limits the potential liability of one actor in the infrastructure --
>the certification authority -- to a fixed amount (termed a "suitable
>guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants.
For both these problems, a relatively low liability limit would force
people to use other techniques (e.g. old style signed contracts) for large
transactions. While we are working the bugs out of a new technology, with
new standards of "reasonable care", everyone might win if the risks are
limited.
>PRIVACY
I believe the area of privacy is where the real problems lie. I will let
other, more qualified, people suggest alternatives to the Utah law
proposal.
>
>Brad Biddle, Legal Intern <[email protected]>
>Privacy Rights Clearinghouse, Ctr for Public Interest Law
>http://pwa.acusd.edu/~prc
>
>[The views expressed in this article are not necessarily those of the
>Privacy Rights Clearinghouse or the Center for Public Interest Law.]
Regards - Bill
------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
[email protected] | dead teenagers | Los Gatos, CA 95032, USA