
http://techpolicy.lse.ac.uk/csrc/sig/lawsoc.html



-----BEGIN PGP SIGNED MESSAGE-----

At 03:42 AM 7/1/98 -0700, Paul Leyland wrote:
>For a British lawyers' professional body's view on what should, should not
>and might be in digital signature legislation, I'd recommend taking a look
>at http://techpolicy.lse.ac.uk/csrc/sig/lawsoc.html

Paul,

	this is a wonderful paper.  How was it received?

	I was especially fond of the paragraph:

	"Electronic commerce will develop most effectively, in our view, between 
parties with existing business and professional relationships.  This has 
already been shown by the use of banking payment systems like CHAPS and bank 
communication systems like SWIFT, and the use of EDI in industry.  These 
systems do not require third party authentication and are more secure 
without it."

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNZpMWRN3Wx8QwqUtAQE28QQAhFV7Wn+IHX5qul7+J8HQBv2upXm1MmmQ
lMBYTpAsKUpM5ROm9quqaJ8cDjxDyv/ToAM0jxYkD0ZkoIclfydesewbrBsH0Hrk
U0mYlnnZ51XCtMwxLQn/InaVsA9qz1kOAKQz+sAfIi8Qd5cMfU/+9ND/aS6zvIso
+TNjyKHG88A=
=Qdk5
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison       cme@acm.org    http://www.clark.net/pub/cme |
|    PGP: 08FF BA05 599B 49D2  23C6 6FFD 36BA D342                 |
+-Officer, officer, arrest that man. He's whistling a dirty song.--+
From ???@??? Wed Jul 01 11:52:37 1998
Received: from mail.acm.org (mail.acm.org [199.222.69.4])
	by ice.clark.net (8.8.8/8.8.8) with ESMTP id LAA23830
	for <cme@clark.net>; Wed, 1 Jul 1998 11:49:40 -0400 (EDT)
Received: from novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.acm.org (8.8.5/8.7.5) with SMTP id LAA154968 for <cme@acm.org>; Wed, 1 Jul 1998 11:41:37 -0400
Received: from INET-PRV-Message_Server by novell.com
	with Novell_GroupWise; Wed, 01 Jul 1998 09:47:53 -0600
Message-Id: <s59a05c9.036@novell.com>
X-Mailer: Novell GroupWise 5.2
Date: Wed, 01 Jul 1998 09:47:25 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: Camillo.Sars@DataFellows.com
Cc: cme@acm.org, spki@c2.net
Subject: Legal aspects of certs (Was: Re: Final Year Thesis : SPKI)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ice.clark.net id LAA23830
Status:   

Camillo,

The more basic problem is probably that people don't understand the applications.

We have a solution for which we are still seeking the problem.

Clearly, the dimes-and-low-dollars applications (retail financial) that are everyone's
first model application are going to be handled by SET, to the extent that they will be 
handled by PKI-related infrastructure at all, and issues of non-repudiation, etc., 
don't come up in that environment, except tangentially, for those people buying 
(and attempting to repudiate) adult entertainment and other intangible goods.

The "real" PKI applications will be in non-financial e-mail, lawyers filing 
court documents, people exchanging proposed contract amendments 
for approval prior to the final ceremonial signing. Important but prosaic
stuff, but not the kind of thing that grandma will be very involved in.
She can continue to rely on Reg. E to protect her credit cards.

We're all being very prudent in trying to make sure that we personally,
and/or our customer, don't get screwed by something that we or they 
don't understand. But it was exactly the same when direct deposit first 
became popular. The people who were the most concerned were the 
accountants and finance people, because they understood the risks better.

The same was true of ATM machines, and even credit cards themselves.
We need to give some credit to the system, and to the people who 
operate it.  Whether it is laws or technology, people aren't going to allow 
innocent people to be victimized too often, or for too long.
>
>>>> "Camillo Särs" <Camillo.Sars@DataFellows.com> 07/01 4:38 AM >>>
>Bob Jueneman wrote:
>> But my point was really that that you as an individual, given a 
>> reasonably definitive statement of the law (pick Utah, Illinois, or 
>> what have you, but not, I would advise, one of the "minimalist" states 
>> such as California), and at least you know what the ground rules are, 
>> and what your reasonable expectations are.
>
>[...]
>
>> Everything can and should stay in balance if everyone understands the 
>> rules.
>
>But I think that's the fundamental problem with most X.509-based systems
>envisioned today.  Not everyone understands the rules.  As a matter of
>fact, the rules themselves are so unclear that they can mean just about
>anything.  As Ed Gerk has occasionally pointed out, the usual basic
>VeriSign CPSs are so obscure that they are virtually meaningless.

He's not the only one. I've made a few jokes about 80 pages of legalese myself.
But frankly, when I start to think about how I would write a CPS to protect
Novell if we were to start issuing certificates, all the same thoughts and concerns 
pop up.

Eventually, most of this stuff will be covered as background boilerplate by regs 
such as the UCC. Can you imagine what a UPS shipping contract would be if such basic
terms as FOB had to be spelled out in detail?

Even so, as accreditation guidelines and so forth get hashed out, the CPS will be 
read only by the professionals, the same way that SEC filings are read. When was 
the last time you actually read the fine print on the back of your car rental contract, 
or even read your car or house insurance policy?

Then, the CPS can be reduced to a few simple and hopefully parameterized terms, 
incorporating the rest by reference.

Right now, in the absence of agreed-upon industry practices and/or authoritative 
accreditation, every subscriber and every relying party has to be his own accreditor.

It's like it must have been before the FAA (or the older CAB) started issuing 
Airworthiness Certificates.  Right now, it's as if we had to review Boeing's 
design documents before taking a trip, in order to be sure the airplane is safe.

Have a little patience, guys. When I first demonstrated a digital signature package
to Marty Ferris at Treasury, telling him how I thought this technology could be used to 
file income tax returns and save all sorts of money, I thought that maybe three years 
would be enough time to roll out a system.  That was about 1988, as I recall. 

We'll get there, but it won't be quite as fast a trip as we might like.

>
>I hold a production-use SET certificate, and for once I actually feel that
>the CPS does carry some significance.  However, I'd be much more
>comfortable if the same policy would be coded in the cert itself in a way
>that is *meaningful* to a computer.

It could be.  Alan Asay, the author of the Utah Act, had in mind that a CPS 
could be written in SGML and parsed automatically.  But the certificate would be huge,
at least until all of the terms of reference can be completely standardized.
>
>> It's like the old adage -- good fences make good neighbors.
>
>Yes, but on the Internet today, I can't even recognize a fence, let alone
>determine who's a good neighbor and who's not.
>
>Cheers,
>Camillo


bob
From ???@??? Wed Jul 01 12:21:12 1998
Received: from mail.acm.org (mail.acm.org [199.222.69.4])
	by ice.clark.net (8.8.8/8.8.8) with ESMTP id LAA27248
	for <cme@clark.net>; Wed, 1 Jul 1998 11:54:10 -0400 (EDT)
Received: from novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by mail.acm.org (8.8.5/8.7.5) with SMTP id LAA170500 for <cme@acm.org>; Wed, 1 Jul 1998 11:46:06 -0400
Received: from INET-PRV-Message_Server by novell.com
	with Novell_GroupWise; Wed, 01 Jul 1998 09:52:22 -0600
Message-Id: <s59a06d6.037@novell.com>
X-Mailer: Novell GroupWise 5.2
Date: Wed, 01 Jul 1998 09:52:09 -0600
From: "Bob Jueneman" <BJUENEMAN@novell.com>
To: cme@acm.org, pleyland@microsoft.com
Cc: spki@c2.net
Subject: Re: RE: RE: Final Year Thesis : SPKI
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ice.clark.net id LAA27248
Status:   

>The Subject: of this thread really has very little to do with its subject,
>but for the sake of continuity...
>
>> But my point was really that that you as an individual, given 
>> a reasonably 
>> definitive statement of the law (pick Utah, Illinois, or what 
>> have you, but not,
>> I would advise, one of the "minimalist" states such as 
>> California), and at least 
>> you know what the ground rules are, and what your reasonable 
>> expectations 
>> are.
>
>For a British lawyers' professional body's view on what should, should not
>and might be in digital signature legislation, I'd recommend taking a look
>at http://techpolicy.lse.ac.uk/csrc/sig/lawsoc.html 
>
>Paul


Interesting, and reflective of some approaches being taken or espoused in the US.
But for an opposing view, look at the German digital signature legislation. 
Laws that are actually passed and implemented count for more than pontificating by 
learned societies and individuals (myself included).

bob
From ???@??? Wed Jul 01 13:05:51 1998
Received: from mail.acm.org (mail.acm.org [199.222.69.4])
	by ice.clark.net (8.8.8/8.8.8) with ESMTP id NAA15495
	for <cme@clark.net>; Wed, 1 Jul 1998 13:00:04 -0400 (EDT)
Received: from jekyll.piermont.com (jekyll.piermont.com [206.1.51.15]) by mail.acm.org (8.8.5/8.7.5) with ESMTP id MAA170310 for <cme@acm.org>; Wed, 1 Jul 1998 12:51:59 -0400
Received: from jekyll.piermont.com (localhost [[UNIX: localhost]]) by jekyll.piermont.com (8.8.8/8.6.12) with ESMTP id MAA07088; Wed, 1 Jul 1998 12:58:28 -0400 (EDT)
Message-Id: <199807011658.MAA07088@jekyll.piermont.com>
To: "Bob Jueneman" <BJUENEMAN@novell.com>
cc: cme@acm.org, pleyland@microsoft.com, spki@c2.net
Subject: Re: Final Year Thesis : SPKI 
In-reply-to: Your message of "Wed, 01 Jul 1998 09:52:09 MDT."
             <s59a06d6.038@novell.com> 
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: Wed, 01 Jul 1998 12:58:27 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Status:   


"Bob Jueneman" writes:
> Interesting, and reflective of some approaches being taken or
> espoused in the US.  But for an opposing view, look at the German
> digital signature legislation.  Laws that are actually passed and
> implemented count for more than pontificating by learned societies
> and individuals (myself included).

What actually counts, Bob, is business practice. Businesses don't use
third party liability guarantors in the way that the various PKI
legislative efforts pretend they would want to.

Commercial law evolves from practice -- it is almost unheard of for a
new way of doing business to spring forth fully formed from the head
of the legislature. The Lex Mercatoria and its descendants have a
history that goes back for many, many centuries, and they do not point
at a business model that looks anything like the one some have been
pushing through various state capitols.

In the end, a PKI cannot tell a merchant he is going to be paid, no
matter how many pages long the law gets. The PKI at very, very best
can tell something about identity, and merchants don't care about that 
-- they care about their money. The bank that pays the merchant cares
about your identity, but you already have a bilateral relationship
with them.

The law I like is the Massachusetts model, where the codes are (more
or less) just amended by "a signature may be electronic". No fuss, no
mess, no impediments to natural growth of the market.

Anyway, I think we've gone over this territory about 800 times
now. We'll have fun debating it at the Usenix commerce conference
later in the summer.

Perry
From ???@??? Wed Jul 01 13:10:37 1998
Received: from mail.acm.org (mail.acm.org [199.222.69.4])
	by ice.clark.net (8.8.8/8.8.8) with ESMTP id NAA24123
	for <cme@clark.net>; Wed, 1 Jul 1998 13:11:04 -0400 (EDT)
Received: from dfw-ix15.ix.netcom.com (dfw-ix15.ix.netcom.com [206.214.98.15]) by mail.acm.org (8.8.5/8.7.5) with ESMTP id NAA11784 for <cme@acm.org>; Wed, 1 Jul 1998 13:02:58 -0400
Received: (from smap@localhost)
          by dfw-ix15.ix.netcom.com (8.8.4/8.8.4)
	  id MAA23164; Wed, 1 Jul 1998 12:09:09 -0500 (CDT)
Received: from sjc-ca5-02.ix.netcom.com(207.94.249.162) by dfw-ix15.ix.netcom.com via smap (V1.3)
	id rma023136; Wed Jul  1 12:08:50 1998
X-Sender: frantz@netcom5.netcom.com
Message-Id: <v0311079eb1c029d512c8@[207.94.249.99]>
In-Reply-To: <3.0.3.32.19980701063827.0337d8c8@pop3.clark.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 1 Jul 1998 10:10:00 -0800
To: Carl Ellison <cme@acm.org>, "Bob Jueneman" <BJUENEMAN@novell.com>
From: Bill Frantz <frantz@netcom.com>
Subject: Re: Digital Signature laws
Cc: spki@c2.net, Sheri Bischoff <sjb8@BYUGATE.byu.edu>
Status:   

At 12:46 AM -0800 7/1/98, Ben Laurie wrote on a different thread:
>Perhaps we should get back to barter. After all, money is just a token
>for goods, services, etc. Hmmm ... eBarter. Tell you what, for a hundred
>eChickens, I'll give you an eDay of programming :-)

Ah, you're breaking into the eChicken market.  :-)


At 2:38 AM -0800 7/1/98, Carl Ellison wrote:
>In the glorious future I see before us, with relationships forming on the
>net rather than in 3D space, there will be some bits-only version of this
>process.  However, that process does not involve a CA and especially not an
>ID certificate.  The use of a name as identifier is limited to small
>communities.  Furthermore, it's not a name businesses care about when
>deciding whether or not to enter into a contract with someone else.  They
>care about past performance, financial stability, quality of products, etc.
>These are facts that can be certified by digital signature, in the bits-only
>world, but the authorities on such facts will not be commercial CAs [unless
>you decide to defend a pre-decided announcement that CAs are necessary and
>so call any of these intermediaries "CAs"].

I currently use the VeriSign certificates to make a binding between my
meatspace trust in well established institutions and their electronic
presences.  Before I send off my credit card number, I check the
certificate on the page to see if it looks like it was issued to the
company I think I am dealing with.

On the other hand, that company has no need for a certificate from me.
They have a different reputation agent, my credit card company.

In the dim and murky future, when I meet companies entirely online, I will
want reputation agents that vouch for them.  I envision some online
Consumer's Reports organizations, conversation in news groups and mailing
lists etc. acting as reputation agents.  Given the high costs of going
after a failed transaction with the legal system, particularly
internationally, meatspace ID will only be useful for high value
transactions.


-------------------------------------------------------------------------
Bill Frantz       | If hate must be my prison  | Periwinkle -- Consulting
(408)356-8506     | lock, then love must be    | 16345 Englewood Ave.
frantz@netcom.com | the key.     - Phil Ochs   | Los Gatos, CA 95032, USA
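Bill Frantz's check above ("does the certificate on the page look like it was issued to the company I think I am dealing with") is the part of a TLS session that a browser does for you. The following is an added example, not code from the original thread or from any of its authors: it implements that name check against the dictionary shape Python's standard-library `ssl.SSLSocket.getpeercert()` returns, and goes a little beyond the message by applying the RFC 6125 rules (subjectAltName takes precedence over the subject commonName, a wildcard only matches one leftmost label) together with a validity-period check. The certificate data is constructed sample data, not a real certificate; the hostnames and organization name are invented.

```python
"""Added example: the 'was this certificate issued to the company I think
I am dealing with?' check, against the dict shape returned by Python's
ssl.SSLSocket.getpeercert(). All certificate values below are constructed."""
import ssl
import time

# Constructed sample certificate in getpeercert() form (values are made up).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank, Inc."),),
                (("commonName", "www.example-bank.test"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.online.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def _name_matches(pattern, hostname):
    """Match one DNS name from the certificate against a hostname.
    A wildcard is honoured only as the entire leftmost label and never
    matches across a dot, so '*.online.x.test' covers 'a.online.x.test'
    but not 'b.a.online.x.test'. Very short wildcards such as '*.test'
    are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    if "*" in rest or len(rest.split(".")) < 2:
        return False
    labels = hostname.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == rest


def cert_names(cert):
    """Names the certificate claims. When a subjectAltName extension is
    present only its DNS entries count; the subject commonName is a
    fallback for legacy certificates that lack one."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def organization(cert):
    """The subject organizationName, the 'meatspace' binding a person reads.
    Domain-validated certificates have none, so this may return None."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None


def check_certificate(cert, expected_host, now=None):
    """Return (ok, reasons). ok is True only if the certificate is inside
    its validity period and names expected_host. Chain validation (the
    CA's signature) is not done here; the TLS library does that."""
    reasons = []
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("certificate expired")
    names = cert_names(cert)
    if not any(_name_matches(n, expected_host) for n in names):
        reasons.append("hostname %r not among certificate names %r" % (expected_host, names))
    return (not reasons, reasons)


if __name__ == "__main__":
    for host in ("www.example-bank.test",
                 "login.online.example-bank.test",
                 "www.example-bank.test.evil.test"):
        ok, why = check_certificate(SAMPLE_CERT, host)
        print(host, "->", "issued to", organization(SAMPLE_CERT), "| ok:", ok, why)
```

In a live session the dictionary would come from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` after the handshake; the library has already validated the chain by then, and what remains is exactly the question in the message, whether the name (and, for an organization-validated certificate, the organization) is the one you meant. Note the third sample hostname: a name that merely contains the expected name is rejected, which is the mistake a hurried human reader of the certificate dialog makes most often.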