Re: legal question about certs

On Wed, 25 Jun 1997, Nick Szabo wrote:

> Carl Ellison:
> >However, there is a theory that for each transfer of rights in one direction,
> >there is a transfer of responsibility in the other direction.  

A common lawyer could read the above either of two ways.  One makes sense,
the other doesn't quite.  If all you mean is that if I contract to create
a "right" for another party against me, then I acquire a legal duty to
that party, it is trivially, definitionally, true.  If, on the other hand,
you mean that by contract I create a right for another party, and THEY
therefore have acquired some duty, this is not in any way axiomatic. 

> >....
> >Ron Rivest argues that as cryptographers, all we care about is the rights
> >transfer...that the responsibility transfer is the domain of lawyers.
> (Disclaimer: the following observations are U.S.-centric, and IANAL).

Disclaimer: US, but IAAL  (it may be that it's possible to impose rights
on a counterparty who knows you are dealing with him under some Civil Law
systems since they have much more heroic ideas of legally required fair
dealing than we do; I just don't know.)

> In most cases rights and responsibilities are symmetric -- if 
> Alice has the responsibility to do something for Bob, then Bob has the 
> right to have that done.  But there are wrinkles; for example: a 
> contract between Alice and Bob might specify Alice has the responsibility 
> to perform for a third party Charles.  Counterparty Bob still holds the 
> right to have that part of the contract performed; Charles does not.  

Um. Wait.

> (The legalese here is that Bob is "in privity" to the contract whereas 
> Charles is not: Bob can sue Alice for breach of contract but Charles, who 
> is merely a beneficiary, cannot).  To further complicate matters, 
> there are certain exceptions to the doctrine of privity, which vary 
> between jurisdictions.

A privity requirement is increasingly rare.  New York state clings to it; 
most other states have abandoned it in whole or part.  Charles often has
legally enforceable rights from a third-party beneficiary contract, but
not always.  For examples relating to Certificate Authorities see

> One of the major purposes of security, IMHO, is to minimize
> the need for expensive legal intervention, and secondarily to
> make that legal intervention as reliable as possible in the 
> event it is needed.  So we shouldn't just fob off major problems to 
> the domain of lawyers, but rather strive to give the investigators 
> and lawyers clear evidence to work with before we pass our bits
> off to them.
> > 	For example, an attack is envisioned.  Bad company, Acme, finds your 

[..fun stuff..]

> Counter-signatures seem quite desirable, but I don't see a 
> legal principle requiring them.  Furthermore, we can foresee applications 

I agree.

> where counter-signatures would be too large a performance hit (e.g., if 
> the subject is offline when the certificate must be generated), and
> applications where issuer, verifier, and subject all agree
> that the subject should have plausible deniability.
> I conclude that SPKI should make counter-signatures easy to do, 
> and perhaps strongly recommend them as normal practice, but not require 
> them.

Sounds good to me.  Of course, if counter-signatures become really
routine, the absence of them may count against you in some cases, as a
lack of due care....

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | "Cyberspace" is not a place.
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's @%#$%$# hot here.