[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: "Lie in X.509, Go to Jail", part 3

>AlphaTrust.com First in the Nation to Offer Legally Valid Digital


Just a few questions...

1) What on earth does 'legally valid' mean?

	Does it mean 'enforceable in a court of law'? If so to what

	A PGP signature clearly has some degree of 'legal validity',
even though PGP is designed primarily as a privacy framework rather
than an identification framework.

2) How does the AlphaTrust product claim to be 'first'?

	The product description does not differentiate the product
in any way from those that have existed for 5 years or more.

3) How does an AlphaTrust Membership agreement differ from a
	VeriSign Relying Party agreement? How does it differ from
	a Bolero Rule book approach?

	The problem that AlphaTrust appears to be pointing to is
the 'relying party problem'. This is an interesting legal problem in
a PKI. Consider the case in which Alice gets a certificate from Carol
and uses the cert to sign a message to Bob.

	The relying party problem is that Bob does not necessarily
have a prior contractual agreement with Carol, thus the contractual
obligations of Carol to Bob and Bob to Carol may not be clearly
defined. This is problematic in an E-Commerce situation.

	Note that this problem is not about the 'validity' of the
signature. Nothing Alice or Carol does can possibly force Bob to
accept the digital signature if he does not want to.

	Essentially there are two solutions to the relying party
problem. Either you insist that Bob sign a contract before Alice
can do business with him, or you don't. Insisting on a contract
cleans up the legal issues very neatly but for obvious reasons
restricts the speed that the network can grow. An 'open' PKI
on the other hand can grow very rapidly but must use sophisticated
risk management to control liability, - e.g. through insurance,
this increases the incremental cert cost.

	All in all a complex and interesting problem that should
probably not be used to support such a blunt marketing message.

	As the title of this thread suggests, it may not be the case
that absolutely guaranteed validity with no chance of repudiation
is even desirable. PKI is the interface between technology and
the real world. The real world is analogue and the issue is never
going to be who has the 'first' legal framework but who has the
_best_ - a quality that will depend on the specific application.