
Re: RE: Final Year Thesis : SPKI



Oh, well, at least we have fun.  No personal insult intended.

But my point was really that you as an individual, given a reasonably 
definitive statement of the law (pick Utah, Illinois, or what have you, but not,
I would advise, one of the "minimalist" states such as California), and at least 
you know what the ground rules are, and what your reasonable expectations 
are.

I believe that sometimes we tend to personalize these systems too much,
thinking too often as to how they would affect us as consumers, rather than
(wearing a different hat) as business-people.

For the ordinary consumer, the consumer protection legislation will protect us
adequately, especially since SET is only using the digital signature in order to 
protect against the consumer repudiating the order and delivery of intangible goods.

I would argue that the Utah and similar laws were really intended to protect and
facilitate business to business interchange, including interactions that were not
directly financial in nature, such as contracts, amendments, invoices, receipts, etc.

So maybe the machine you describe as "yours" as opposed to "my company's" 
shouldn't be used for such purposes. Presumably your company can afford a 
higher level of risk than you can personally, so maybe they can afford to use the same
machine, or maybe they can take stronger precautions.

And my point was that Utah law in particular does NOT force you to accept any 
unintended consequences, and neither does the VeriSign CPS.  If you don't want 
to take that risk and/or share in the reward, buy a lower quality certificate, which will
have the effect of changing the level of commercial reasonableness that the 
relying party has to prove.

Everything can and should stay in balance if everyone understands the rules.

It's like the old adage -- good fences make good neighbors.

Bob



>>> Carl Ellison <cme@acm.org> 06/30 2:06 PM >>>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 10:05 AM 6/30/98 -0600, Bob Jueneman wrote:
>Carl, I have to confess that I lose my patience with this kind of whining.
>If your system isn't secure enough for the intended purpose, don't use it!

Bob,

	I'm sorry you hear this as whining.

	My system is secure enough for me, for the moment, and I work to make it 
more secure.

	Specifically, it's secure enough for *my* intended purpose.  It's just not 
secure enough for the Utah law's or even ABA-ISC's intended purpose.

	I don't intend to achieve non-repudiation.  Under those rules, I'm fine 
with what I have.  So are MasterCard, VISA and AMEX -- so I can get purchases
done.  I have no intention of signing or accepting contracts (like buying a 
house, for example) over the net based on anything loose like the Utah law, 
so that's no problem.  I can envision a full EDI solution, electronic 
checking, etc., all without the non-repudiation assumption, so frankly I 
don't see any reason to expand my intended purpose.

	Meanwhile, thanks for the file and the rest of your message.  I haven't 
read them yet, but wanted to reply to this opening shot in your mail while 
the mood was hot.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQA/AwUBNZlFXJSWoQShp/waEQIGHgCfejNDVWcsQvPlGGsuNV8KKJp9n8sAnjox
PDpkpw6ZUpwP6KQOvu65Ms7q
=Jo9e
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison       cme@acm.org    http://www.clark.net/pub/cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+

Date: Wed, 01 Jul 1998 09:46:52 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Carl Ellison <cme@acm.org>
CC: Bob Jueneman <BJUENEMAN@novell.com>, hallam@ai.mit.edu, spki@c2.net
Subject: Re: Final Year Thesis : SPKI

Carl Ellison wrote:
> I contest the claim that in order to facilitate commerce it is necessary
> even to have a CA, much less to do anything in law to consider the risks and
> rewards a CA might face.
> 
> I agree that there is much to be done before we have commerce in cyberspace
> as fully as we have it in 3D space, but I don't believe CAs and identity
> certificates are *the* necessary step.  There is even a strong case that CAs
> and ID certs are not *a* necessary step.

Exactly. For example, eMoney gives a way to do eCommerce without any
identity certs (well, perhaps a few for central banks). It also has the
potential to offer much better privacy protection.

Of course, banks are unlikely to be keen on good eMoney - where do they
get to charge their percentages if people can just go around doing
transactions without any middlemen?

Perhaps we should get back to barter. After all, money is just a token
for goods, services, etc. Hmmm ... eBarter. Tell you what, for a hundred
eChickens, I'll give you an eDay of programming :-)

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/

Date: Wed, 1 Jul 1998 06:58:42 -0300 (EST)
From: Ed Gerck <egerck@laser.cps.softex.br>
To: Bob Jueneman <BJUENEMAN@novell.com>
cc: cme@acm.org, spki@c2.net
Subject: reasonableness, was Re: RE: Final Year Thesis : SPKI


('twas 'bout time to change the subject...)

On Wed, 1 Jul 1998, Bob Jueneman wrote:

>And my point was that Utah law in particular does NOT force you to accept any 
>unintended consequences, and neither does the VeriSign CPS.  If you don't want 
>to take that risk and/or share in the reward, buy a lower quality certificate, which will
>have the effect of changing the level of commercial reasonableness that the 
>relying party has to prove.


Bob:

Perhaps there was a slip in your text above, since there is
absolutely no relationship between: 

(a) Bob's certificate quality that Bob pays for, as a CA subscriber,
and which binds Bob's key and purported name, with

(b) the commercial reasonableness that the relying party Alice (ie, a
certificate user -- Bob's client) has to prove.


I must also question the reasonableness of the initial argument as a
whole. Can legislation really make digital signatures binding and
incapable of repudiation over the Internet? I doubt so, and on
several counts as given below:

- please see Munden's case in UK and then answer how do you intend to
prove that a given digital signature was really made by the purported
signer *and* with the purported intent?

- and, if the law recognises a digital signature as a signature, then
the law must also release the signer from his obligations in the same
cases as the law now releases the signer -- signature under the
threat of unlawful force being just one example. How do you intend to
prove that the signer was not forced to click "submit", on the other
side of the line? 

- further, as in the UK, certainly for cheques and probably for other
documents, a forgery is not binding on the person whose signature is
forged -- notwithstanding the reasonableness of the forgery. Thus,
how do you intend to make grandma forfeit her house just because her
password was stolen by an ActiveX control and her digital signature
was forged? Don't hackers also get into Pentagon computers? Why
should the law think that grandma's computer ought to be more secure
than the Pentagon's? 

- who warrants what to whom? In spite of CA folklore, a CA warrants
nothing to a relying-party (one end of the deal) and nothing besides
its own faults to the subscriber (the other end of the deal). 

Here, SPKI with a null CPS and null liability is exactly equivalent
to Verisign's CPS if you think about the relying-party and even the
subscriber. Isn't it better then ... to favor truth in advertising
and forget about legislating over unprovable assumptions??

That would be reasonableness ...

Cheers,

Ed Gerck
 

______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---