Re: legal question about certs
On Wed, 25 Jun 1997, Nick Szabo wrote:
> Carl Ellison:
> >However, there is a theory that for each transfer of rights in one direction,
> >there is a transfer of responsibility in the other direction.
A common lawyer could read the above either of two ways. One makes sense,
the other doesn't quite. If all you mean is that if I contract to create
a "right" for another party against me, then I acquire a legal duty to
that party, it is trivially, definitionally, true. If, on the other hand,
you mean that by contract I create a right for another party, and THEY
therefore have acquired some duty, this is not in any way axiomatic.
> >Ron Rivest argues that as cryptographers, all we care about is the rights
> >transfer...that the responsibility transfer is the domain of lawyers.
> (Disclaimer: the following observations are U.S.-centric, and IANAL).
Disclaimer: US, but IAAL (it may be that it's possible to impose rights
on a counterparty who knows you are dealing with him under some Civil Law
systems since they have much more heroic ideas of legally required fair
dealing than we do; I just don't know.)
> In most cases rights and responsibilities are symmetric -- if
> Alice has the responsibility to do something for Bob, then Bob has the
> right to have that done. But there are wrinkles; for example: a
> contract between Alice and Bob might specify Alice has the responsibility
> to perform for a third party Charles. Counterparty Bob still holds the
> right to have that part of the contract performed; Charles does not.
> (The legalese here is that Bob is "in privity" to the contract whereas
> Charles is not: Bob can sue Alice for breach of contract but Charles, who
> is merely a beneficiary, cannot). To further complicate matters,
> there are certain exceptions to the doctrine of privity, which vary
> between jurisdictions.
A privity requirement is increasingly rare. New York state clings to it;
most other states have abandoned it in whole or part. Charles often has
legally enforceable rights from a third-party beneficiary contract, but
not always. For examples relating to Certificate Authorities see
> One of the major purposes of security, IMHO, is to minimize
> the need for expensive legal intervention, and secondarily to
> make that legal intervention as reliable as possible in the
> event it is needed. So we shouldn't just fob off major problems to
> the domain of lawyers, but rather strive to give the investigators
> and lawyers clear evidence to work with before we pass our bits
> off to them.
> > For example, an attack is envisioned. Bad company, Acme, finds your
> Counter-signatures seem quite desirable, but I don't see a
> legal principle requiring them. Furthermore, we can foresee applications
> where counter-signatures would be too large a performance hit (e.g., if
> the subject is offline when the certificate must be generated), and
> applications where issuer, verifier, and subject all agree
> that the subject should have plausible deniability.
> I conclude that SPKI should make counter-signatures easy to do,
> and perhaps strongly recommend them as normal practice, but not require
Sounds good to me. Of course, if counter-signatures become really
routine, the absence of them may count against you in some cases, as a
lack of due care....
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | "Cyberspace" is not a place.
U. Miami School of Law | firstname.lastname@example.org
P.O. Box 248087 | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's @%#$%$# hot here.