
Re: matter of semantics

> this is an excellent point -- but I'm not sure about the terminology.
> The world has been using the term "non-repudiation" for some time.  I
> with the lawyer you cite that public key technology doesn't achieve it, but
> I agree for technical reasons.
> When public key K1 is used to verify a digital signature, then we know for
> a fact that its associated private key created the signature.  Therefore,
> definition, we know that (keyholder(K1)) caused that signature to happen.
> The only question remaining is who that keyholder was at the time of the
> That's something we have no control over.  No certificate definition can
> influence who controls a given private key at some time in the future.  It
> is possible that some law (e.g., Utah) might declare that if a certificate
> is issued by a state approved CA to someone, then that person becomes
> legally responsible for the actions of his/her private key (as a parent is
> responsible for the actions of a minor child).  In such a case, I for one
> would decline to accept a certificate from a qualifying CA.
> - Carl


You are precisely right. No certificate definition can control who _really_
controls a key at some time in the future.  The key could be compromised by
some third party, either by an attack against the computer system, or by
theft of the smart card and an over the shoulder video camera which captures
the key strokes necessary to unlock it.  Or someone might loan their key to
someone else for legitimate purposes, only to have it used against them in
some unexpected way.  Or another class of attacks is possible -- your system
(or the merchant's point of sale terminal, or the ATM) could be attacked so
that what you see and approve for signing is not what is really signed.

All of these possibilities are here, and have to be dealt with in the legal
infrastructure, one way or another.  One approach is to be completely
paranoid, to the point of paralysis, and to declare that the use of digital
signature is much too dangerous to even contemplate, especially if the risk
that is potentially associated with their use is essentially unbounded.

But that would seem to be excessively cautious, for even with these risks,
which I certainly concede, the probability of such a fraud successfully
taking place is much, much less than with the existing pen and paper
systems, and almost infinitely less than giving your credit card number over
the phone to someone.

The on-going debate within the legal community therefore revolves around two
central questions:

1.  Would society in general, and society's use of electronic commerce in
particular, benefit from shifting the burden of proof away from the relying
party in the case of certain classes of digital signature certificates, and
putting it on the subject/subscriber of a digital signature certificate? 
Obviously this places some burden of due care on the subscriber, in order to
provide adequate protection against misappropriation of his signature.

In general, the argument is that the efficiency of the system would be
greatly improved if relying parties were able to almost blindly rely on a
digital signature, at least within some delimited value or class of
transactions. In addition, it is argued that when participating in a
transaction at a distance, the relying party knows almost nothing about the
circumstances behind the signature, and thus is very ill-prepared to accept
the burden of proof in the case of a contended signature. On the other hand,
the subject/subscriber of a certificate is generally in an excellent
position to control the risk and to defend against a misappropriation of his
signature.  Conventional legal principles would therefore argue that the
person who is better able to control the risk should bear the burden of

2.  Independent of who bears what burden of proof of the fact of a digital
signature, who should bear the loss in the event that a compromise does
occur?  Suppose that someone is able to prove that there is no way possible
that he or she could have signed a document, yet the document was signed by
someone, using a private key nominally associated with that individual.
Should that person bear the liability for that signature?  Or should the
relying party, who accepted the signature in good faith, bear the loss?  

One of the governing principles has to be the principle of commercial
reasonableness.  If the transaction in question is for a few hundred
dollars, relying on the digital signature in the absence of better
information about the alleged purchaser is probably commercially reasonable,
whereas relying on the same signature for the purchase of a house, much
less an oil tanker, is probably not reasonable -- at least without reference
to a higher class of certificate than is normally issued.

If the transaction is not commercially reasonable, and the relying party
goes ahead with it, then the RP bears the risk of loss.  But if it is
commercially reasonable, a good argument can be made that the subscriber
should bear the loss.  

As a matter of public policy, and presumably with input from the public,
lawmakers and regulatory policy setters get to decide where to draw the
line.  Should it be set at a $50 limit, like plastic credit cards?  Although
presumably beneficial to consumers, shifting the burden to the banks
essentially means redistributing the risk of loss to all of society, for the
banks are certainly not charitable institutions.  If they suffer losses,
they will have to raise the rates they charge the merchants to cover those
losses, and that in turn will be passed back to the society in general.

An argument against such a principle is that this tends to reward the few
who are the most careless with their credit cards, at the (low incremental)
cost to the rest of society who are more careful.

But if you accept the general proposition that some sharing of the risk is
appropriate, just to protect against disproportionate and unaffordable
losses (a la a major medical plan for digital signatures), then it could be
argued that an insurance model is much better than legislatively spreading
the risk across the society.  If insurance is available (at a reasonable
cost) against errors and omissions by the CA, as well as for apparent theft
or compromise of a key, then the subscribers could decide for themselves how
much risk to take, what their deductible limits ought to be, or whether they
should self-insure.  Presumably the insurance company would have a good team
of fraud investigators to investigate any suspicious circumstances, and,
like car insurance, I would assume that the rates might increase
significantly after a reported loss, and/or the insurance policy might be
canceled entirely.

And finally, of course, you are, and should be, free to opt out of the
system by refusing to accept a certificate from a qualifying CA if you don't
feel that the risks are adequately controlled.  I don't know of any
jurisdictions who are even thinking about making the use of
liability-bearing certificates mandatory. Lots of people refused to accept
credit cards, ATM cards, or even have their checks deposited electronically
when those systems first came out, because of such fears.

Presumably, you can still pay cash.  However, even today I would not advise
that you plan on trying to rent a car without a credit card, no matter how
much cash you have.  And it may be that within a decade or so, trying to
live without conducting business on the Internet will become increasingly
inconvenient, to the point that opting out will be almost unthinkable, but
presumably by then the risks will be better understood, and better


Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604

"If you are trying to get to the moon, climbing a tree,
although a step in the right direction, will not prove 
to be very helpful."

"The most dangerous strategy is to cross the chasm in two leaps."