[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Laws recognizing digital signatures
At 09:24 AM 10/23/1997 -0400, Vincent Cate wrote:
>I have talked to people in government and the offshore private sector here
>and think Anguilla has a very good chance of passing a law making digital
>signatures legally recognized, at least for corporations. I think we
>would be the first taxhaven to do so. Currently companies use corporate
>seals. [....]
>I mentioned that there were a few other jurisdictions that had passed some
>laws like this and they would like me to try to pin down which and, if
>possible, get copies of the laws.
Cem Kaner <[email protected]> gave a good presentation on the legal climate
surrounding digital signatures at is month's Cypherpunks meeting.
There's a lot of bad legislation being proposed in various UN and US
working groups, where "bad" includes "inflexible" and
"favoring specific models of what a signature means" and
"favoring the certificate authority rather than the merchant or customer
in a transaction using certified signatures" and
"limiting who can be a CA, possibly including licensing".
He's got information available at www.kaner.com and www.badsoftware.com.
You might also want to talk to Carl Ellison about his views on signatures.
The basic problem is
- Person Alice may have a key
- Merchant Bob has an online store
- Customer X presents Bob with a key K, certified by CA Charlie,
claiming that she's Alice, K is Alice's key,
and downloads the merchandise from Bob.
- Alice says it wasn't her and refuses to pay Bob the bill.
So who gets stuck with the bill? Alice? Bob? Charlie?
In most commercial transactions, there's a legal tradition that defines
the liability when a signature is misused or a transaction fails badly.
With forged checks or counterfeit Federal Reserve notes, the merchant loses.
With checks written against insufficient funds, Alice is liable,
though if she doesn't have any money to collect, the merchant still loses.
With credit cards in the US, the credit card company is liable to the merchant,
whether the credit card was stolen or Alice doesn't pay; in case of theft
Alice is liable to the credit card company for $50, but it's not Bob's problem.
This is a benefit to the merchant, since he can almost always accept a payment
and make a sale, and it's a benefit to the consumer, because the merchant
will accept her payment so she can get her stuff, and it's a big pain to the
credit card companies, who lose a lot of money to fraud every year, though
of course their fee to the merchant includes that cost, as does the merchant's
price to the consumer which is higher to cover the credit card fees.
In most of the new digital signature legislation, it's being pushed by the
Certificate Authority companies, who want to make sure they're not liable,
and who generally want to stick the consumer Alice with the bill,
since it's her fault if she let her public key get misused.
Not only is consumer getting the short end of the stick on these laws,
which is Cem's interest in this topic, but so is the merchant,
because if Alice is liable, he's got to collect from her if he can;
Cem is surprised that the Sears Roebuck and similar large merchant types
haven't been actively participating in these meetings.
>From a Cypherpunks and PGP perspective, there are a bunch of problems here.
One is "what does a signature mean, and how do we represent it",
which sidetracked much of the discussion during Cem's talk.
Another is that there's a preference toward a hierarchical model of CAs,
rather than the everybody's-a-CA web-of-trust model used by PGP;
in particular, regulations on digital signatures often require CAs
to meet some set of licensing requirements, which would mean you couldn't
sign anybody's key without a license, or at least without acquiring some
liability for how they used it. (Then of course, once CAs are licensed and
findable, they're a regulatory target - even if you can't force them to
escrow their users' keys, you can at least use them for traffic analysis,
especially if you're using certificate revocation lists.)
An entertaining problem Cem also brought up is that if he doesn't
get his keys signed by anyone, they're just keys, and mean whatever
he agrees contractually with his clients that they mean.
On the other hand, if he gets his keys signed by someone,
there's some definition of liability that may obtain from that action,
not only based on the contracts he makes with the CA, but potentially
on any regulations on CAs and digital signatures that get adopted.
Thanks! Bill
Bill Stewart, [email protected]
Regular Key PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
[I'm currently having hardware problems with my main email;
send Cc: [email protected] if you need to reach me in a hurry.]