
Re: legal question about certs

Carl Ellison wrote:

> Dave,
>         we have a gentle war brewing on the SPKI list.
>         The question is whether the subject of a certificate should sign it.
> Normally, the issuer signs the cert -- giving some permission or access rights
> to the subject.  The subject doesn't need to sign the cert to receive those
> rights.
>         However, there is a theory that for each transfer of rights in one
> direction, there is a transfer of responsibility in the other direction.
> Therefore, the subject should sign the cert accepting the responsibility that
> goes along with the rights.
>         Ron Rivest argues that as cryptographers, all we care about is the
> rights transfer...that the responsibility transfer is the domain of lawyers.

I argue differently to Ron (perhaps because, like almost all parties at the
IETF and every lawyer I've ever met, I'm not a cryptographer), based on
evidence of prior art, or as perhaps local lawyers would phrase it: there is
existing relevant usage of trade, or, responsibility is a (technical) term of
art. X.435 is a rights AND responsibility transfer protocol, issued by the same
force of combined techno-socio ITU forces which crafted X.400 and X.500.
Bigotry and religion aside, these forces are not so different to those which
drive and fund IETF, and thus I introduce the material here as a friendly
brief!

X.435 definitions of service, and its attempt to formulate a protocol, have as
their goal the agreement that rights are indicated/enforced, and
responsibility passed, in the context of one EDI provider's handover of
message transfer, content transformation, and delivery responsibilities/duties
to another provider, or the end-system. Signatures are involved, much as with
the SPKI debate. The technical protocol attempts to automate some of the legal
protocol messaging which normally presents itself during and in bilateral
settlement agreement formulations, whose a priori nature somewhat deters open
EDI; in attacking prior agreement practices, the designers were seeking
technically to promote open EDI (with on-the-fly passing frameworks.)

As with all advanced work, it was ahead of its time. Perhaps much could be
reused. One can obtain a combined ITU/IETF standards disk in stores which sell
public domain software for a few dollars. The X.400 security model also
defined services and protocol elements for proof of delivery, proof of
submission, and indeed X.435 extended said model to specify elements for
"proof of receipt", the sometime legal need for determining a msg's status as an
which the consequential legal handling which follows.
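As an added illustration of the countersignature the thread debates (this is
not code from the original message, nor the SPKI or X.435 encoding), the
following Go program models a certificate body that the issuer signs to grant
rights and the subject countersigns to accept the duties that come with them.
A verifier then reports the three states at issue: rights granted but duties
not accepted, both signed, or invalid because the body changed after signing.
The Cert structure, its field names and the sample rights and duties are
hypothetical; signatures use Ed25519 from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Cert is the body both parties sign. Hypothetical illustration only;
// it is not the SPKI or X.435 encoding.
type Cert struct {
	Issuer  []byte   `json:"issuer"`  // issuer's Ed25519 public key
	Subject []byte   `json:"subject"` // subject's Ed25519 public key
	Rights  []string `json:"rights"`  // what the issuer grants
	Duties  []string `json:"duties"`  // what the subject takes on in return
}

// SignedCert holds the issuer's grant and, once the subject has agreed,
// the subject's countersignature over the same body.
type SignedCert struct {
	Cert       Cert
	IssuerSig  []byte
	SubjectSig []byte
}

// tbs returns the to-be-signed bytes. encoding/json emits struct fields in
// declaration order, so the encoding is stable enough for signing here.
func (c Cert) tbs() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // Cert holds only byte slices and strings; cannot fail
	}
	return b
}

// verify wraps ed25519.Verify with length checks, since Verify panics on a
// public key of the wrong size.
func verify(pub, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
}

// Issue builds a cert and signs it as issuer: rights are granted, but the
// subject has not yet accepted the duties.
func Issue(issuerPriv ed25519.PrivateKey, subjectPub ed25519.PublicKey, rights, duties []string) *SignedCert {
	sc := &SignedCert{Cert: Cert{
		Issuer:  []byte(issuerPriv.Public().(ed25519.PublicKey)),
		Subject: []byte(subjectPub),
		Rights:  rights,
		Duties:  duties,
	}}
	sc.IssuerSig = ed25519.Sign(issuerPriv, sc.Cert.tbs())
	return sc
}

// Accept is the countersignature under debate: the subject signs the same
// body to record acceptance of the duties. Only the subject's own key may do so.
func (sc *SignedCert) Accept(subjectPriv ed25519.PrivateKey) error {
	if !bytes.Equal(subjectPriv.Public().(ed25519.PublicKey), sc.Cert.Subject) {
		return errors.New("key does not belong to the cert's subject")
	}
	sc.SubjectSig = ed25519.Sign(subjectPriv, sc.Cert.tbs())
	return nil
}

// RightsGranted reports whether the issuer's signature still covers the body.
func (sc *SignedCert) RightsGranted() bool {
	return verify(sc.Cert.Issuer, sc.Cert.tbs(), sc.IssuerSig)
}

// DutiesAccepted reports whether the subject's countersignature covers the body.
func (sc *SignedCert) DutiesAccepted() bool {
	return verify(sc.Cert.Subject, sc.Cert.tbs(), sc.SubjectSig)
}

// Status reduces a cert to the states the thread argues about. A relying
// party that cares only about rights checks RightsGranted; one that also
// wants evidence the subject took on the duties requires both signatures.
func (sc *SignedCert) Status() string {
	switch {
	case !sc.RightsGranted():
		return "invalid"
	case !sc.DutiesAccepted():
		return "granted-not-accepted"
	default:
		return "granted-and-accepted"
	}
}

func main() {
	_, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	subjectPub, subjectPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample: a read right paired with a logging duty.
	sc := Issue(issuerPriv, subjectPub, []string{"read:ledger"}, []string{"log-all-reads"})
	fmt.Println(sc.Status()) // granted-not-accepted

	if err := sc.Accept(subjectPriv); err != nil {
		panic(err)
	}
	fmt.Println(sc.Status()) // granted-and-accepted

	// Changing the body after signing breaks both signatures at once.
	sc.Cert.Rights = append(sc.Cert.Rights, "write:ledger")
	fmt.Println(sc.Status()) // invalid
}
```

The point the example makes concrete is that the two signatures answer two
different questions over one body: the issuer's signature is all a relying
party needs to check the rights, while the subject's countersignature is the
only cryptographic evidence that the duties were taken on, and because both
cover the same bytes, any later change to the rights voids the acceptance too.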