
Re: Reasonableness



On Wed, 1 Jul 1998, Bob Jueneman wrote:

>>On Wed, 1 Jul 1998, Bob Jueneman wrote:
>>
>>>And my point was that Utah law in particular does NOT force you to accept any 
>>>unintended consequences, and neither does the VeriSign CPS.  If you don't want 
>>>to take that risk and/or share in the reward, buy a lower quality certificate, which will
>>>have the effect of changing the level of commercial reasonableness that the 
>>>relying party has to prove.
>>
> Ed Gerck wrote:
>>
>>Bob:
>>
>>Perhaps there was a slip in your text above, since there is
>>absolutely no relationship between: 
>>
>>(a) Bob's certificate quality that Bob pays for, as a CA subscriber,
>>and which binds Bob's key and purported name, with
>>
>>(b) the commercial reasonableness that the relying party Alice (ie, a
>>certificate user -- Bob's client) has to prove.
>
>I beg to differ.
>
>[snip]
>So as a relying party, if I see a certificate class that is around 1 or 2 on a scale of 
>0 to 255, I cannot "commercially reasonably" decide that this is good and sufficient 
>evidence for me to sell him a oil tanker or the Chrysler Building, with nothing but 
>a digitally signed promise to pay.  Even if I can repossess the building if the sale goes
>bad.

A $10 dollar certificate or a $500 dollar certificate from Verisign
still have zero content regarding the subscriber's assets -- X.509
certificates bind keys to names (I beg not to cite X.509 on that, but
that is so as we all know) and so much is written in the CPSs, for
example.

So, my point stays: there is absolutely no relationship between (a) 
and (b). The relying-party has no logical reason to infer that behind
a $500 cert sits a richer person...or, an honest one. Or, that the
deal will be paid for. These are all outside the domain of Verisign's
CPS... or, Utah's law... as the law cannot enforce fortune-telling.

You seem to be confusing two completely different issues here: who
versus what.

SPKI can help on that.

>>
>>
>>I must also question the reasonableness of the initial argument as a
>>whole. Can legislation really make digital signatures binding and
>>incapable of repudiation over the Internet? I doubt so, and on
>>several counts as given below:
>
>Yes, they can, by fiat, just as the UCC makes some similar 
>assertions with respect to holographically signed documents.

Not the same subject, by a wide margin -- holographic signatures
have existed for more than 350 years and are an established practice. But
since neither of us are lawyers nor this list is dig-sig, I propose
to skip this whole legalese part in this list. 


>>
>>- who warrants what to whom? In spite of CA folklore, a CA warrants
>>nothing to a relying-party (one end of the deal) and nothing besides
>>its own faults to the subscriber (the other end of the deal). 
>
>I'm not sure that I would go that far.


And yet, so it is. See below.

>  Understandably, the CA is motivated
>to avoid warranting anything to the relying party, to reduce their liability.
>But in doing so, they may also be limiting their business, for obviously 
>the only reason for the subscriber to purchase the certificate is with the 
>expectation that someone will rely on it. If the relying party can't rely on 
>the CA, the certificate is worthless, and hence the subscriber will want
>his money back.
>

Tell this to the press, please. This is *exactly* the case. These
arguments were already bookmarked as "Common Misconception #3" and
"Common Misconception #4", from a series that is up to #16 now.  As
given below for #3 and #4. 

CM#13: "CAs do warrant their certificates, objectively or at least
        intersubjectively". Wrong, CAs only warrant certificates
        subjectively to themselves:

 In legal reliance terms, one may trust the confirmation procedures
 of the CA during certificate reliance, but one cannot rely
 upon them for other than their value as a representation of the CA's
 authentication management act expressed in the CA's own terms and
 rules -- therefore, a X.509 certificate is neither necessarily
 meaningful nor valid in a user's reference frame or for the user's
 purposes. [http://www.mcg.org.br/cert.htm]



CM#4. "CAs do have contract liability to Users". Wrong, CAs have zero
       contract liability to users:

 Since the certificate's users (ie, historically known as the
 relying-parties) are not the ones that paid for the certificate to
 the CA (ie, the certificate was paid for by the subscriber), this
 means that the CA has no responsibility or contractual obligation
 whatsoever to the certificate's users, hence zero liability. [ibid]

>
>>Here, SPKI with a null CPS and null liability is exactly equivalent
>>to Verisign's CPS if you think about the relying-party and even the
>>subscriber. Isn't it better then ... to favor truth in advertising
>>and forget about legislating over unprovable assumptions??
>
>I disagree that the cases are the same, by a long shot, as I do not accept the
>argument that the VeriSign CPS is worthless

I did not say that Verisign CPS is worthless. I said it was made
worthless to the user and only protects the subscriber against the
CA's own faults.

>, or successfully disclaims all liability. 

It disclaims all liability to all users worldwide and that is legal.
It disclaims all liabilities to all its subscribers except in those
cases where the CA itself was provably at fault.

>They can't disclaim liability in the case of negligence, for example.

If you can prove they were negligent, no. I never said otherwise.

A different question is: can you prove they were negligent? can you
audit CAs? To what extent?

>They might try, as software vendors often argue the validity of shrink-wrapped
>licenses.  But let's see what holds up in court.
>

As above, if you can prove they were negligent, then they
were....but, you will never be able to get an objective measure on
that -- at most a good legal dispute over possible viruses, potential
hacker attacks, UCC's denial on warranting results, etc..


>That said, yes, there is a very great deal to be said for truth in advertising, and in fact 
>I hope to have up on our web site in the near future a very extensive treatise
>on exactly what we are doing within Novell to provide that kind of truth in advertising
>label in our certificates. Stay tuned, or beg me individually for a draft copy if 
>you can't stand the suspense.
>

When CAs have to (as figuratively said) "put their money where their
mouth is" I have often said that they soon find out that the whole
issue is indeed simple and that they have only two options: either
license Verisign's CPS or bootleg it...

Further, one does not have to be clairvoyant to perceive that the
early entrants to the CA market are most likely to make a windfall
... but, as the CA market matures at a rate accelerated by Moore's
law, the industry will realize its limitations and move on to a next
generation solution, leaving the late entrants (who?) holding the
bag, and a disproportionate amount of the blame. 

Which will be just reasonable.


Cheers,

Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br
    --- Meta-Certificate Group member, http://www.mcg.org.br ---