--- begin forwarded text
Date: Fri, 20 Aug 1999 02:27:15 -0400
Reply-To: Law & Policy of Computer Communications
<[EMAIL PROTECTED]>
Sender: Law & Policy of Computer Communications
<[EMAIL PROTECTED]>
From: Vin McLellan <[EMAIL PROTECTED]>
Subject: Nonrepudiation and what to do about it (Jueneman - FW)
To: [EMAIL PROTECTED]
Status: U
This is an excerpt -- a "history lesson" -- from a 8/19/99 proposal
by cryptographer, network security architect, and PKI guru Bob Jueneman of
Novell on the IETF's PKIX and S/MIME mailing lists. Please copy Mr.
Jueneman on responses at <[EMAIL PROTECTED]>. The full post can be found
at: <http://www.imc.org/ietf-smime/mail-archive/msg02933.html>. _Vin
ooooooooooooooooooo Begin Forwarded Text ooooooooooooooooooooooooooo
When the ABA Digital Signature Guidelines were being formulated within the
Information Security Committee, with lots of very bright, well-informed
attorneys and technologists contributing, there was a fundamental,
underlying assumption that PKI technology could be used to reduce some of
the uncertainty that was perceived to be a barrier to the efficient use of
electronic commerce.
Instead of having to use proprietary, value added networks and negotiate
N*(N-1) contracts between all of the trading partners, it was expected that
the use of a common PKI technology and appropriate legal frameworks would
eliminate most of that overhead.
It was recognized that a accretion of case law had resulted in a situation
where printed forms, letterhead, FAXs, telegrams and later Telexes, ordinary
e-mail, and who knows what else forms of communications could, under the
proper circumstances, be interpreted as being a legally binding signature.
The trouble was that the technology had moved much faster than the case law,
and the uncertainty was increasing at a compounded rate.
For example, back when printed forms were created on letterhead presses, and
were filled in using either handwriting or a typewriter, it was pretty
obvious what the difference was. And because going to a printer and having a
lot of standard forms printed involved some expense, time and effort, the
conventional use of such a form for purposes of trade might reasonably be
considered tantamount to a signature of the company. Unfortunately, a
technological decision that was rational at the time is no longer rational
in the age of laser printers, when preprinted forms have almost disappeared.
But the case law hasn't changed, so the question of what constitutes
signature becomes more of a risk, both for the relying party who thought it
was valid, and for the originator, who really didn't intend for it to be
anything more than a draft proposal.
In addition to these technical/legal issues, there was also the issue of
liability in the event of something going wrong, such as a key being
compromised.
One approach would be the very loose standard of care embodied in the US
credit card law (Regulation E), where even the most egregious carelessness
on the part of the subscriber could only result in a $50 loss. The problem
with that approach is that it effectively required the establishment of a
mechanism that would be very similar to the credit card industry to
centralize the reporting of every time
a certificate was used to verify a transaction, so that loss limits could be
enforced.
At the other end of the spectrum was "strict liability,' which is the
standard used between major financial institutions. Because of the volume
of the business, and the difficulty of backing out transactions in error
that might otherwise leave an innocent third party holding the bag for a
transaction gone wrong, inter-bank
transactions are generally governed by strict liability -- no matter what
the extenuating circumstances might be the bank was still liable for a
transaction that went out in its name.
In between these two poles were standards of simple negligence or gross
negligence as a possible defense.
The final decision that was incorporated in the Guidelines, Section 5.6
Presumption in dispute resolution, was to create a "rebuttable presumption"
that a digital signature verified by reference to the public key listed in a
valid certificate is the
digital signature of the subscriber listed in that certificate.
The effect of this presumption was to allocate the burden of proof to the
person who is challenge the validity of the signature. In the case of a
claimed forgery, for example, the burden of proof (independent of the risk
of loss) falls on
the subscriber, who would generally be in a much better position to know how
the keys were protected, etc., than the relying party.
The State of Utah, in their pioneering Digital Signature Act, didn't go
quite so far as that. Instead, they applied the rebuttable presumption
argument only to a special class of certificates created by so-called
"Licensed Certification Authorities" that were subject to a higher level of
assurance, involving inspection and audit and
financial viability controls that were intended to make the imposition of a
rebuttable presumption a more reasonable proposition. And these Licensed CA
certificates were strictly a voluntary opt-in provision. No one had to use
them, and if they didn't, the traditional common-law provisions regarding
signatures was explicitly stated to be unaffected. Some other states,
including Washington and Minnesota, and a large number of foreign countries,
also adopted this model.
Nonetheless, some elements of the legal profession were strongly opposed. A
law student by the name of Bradford Biddle published a law review article or
polemic bitterly attacking the Utah statute as an unholy interference in the
market by creating financial subsidies for a particular class of technology
while disadvantaging others (which others were being disadvantaged was never
explained.) A noted lobbyist for a company who was marketing a
biometric-based, digitized signature device managed to get the Secretary of
State of California to effectively gut their digital signature law by
completely redefining a "digital signature" to be something else entirely.
(At the sametime he has made a rather convincing case for a certain element
of "ceremonial" and "due caution" protection in any device or program that
applies a legally binding signature to a document, whether a digital
signature or not. In particular, he has effectively raised the issue of an
automaton or daemon applying a digital signature automatically, without
any human input at all. And of course that is precisely what S/MIME v3 "
Enhanced" Security Services with automatically signed receipts is intended
to do!)
Meanwhile, a young but influential attorney in the Massachusetts state
government, responding the electoral "mandate" of their Libertarian
governor, Gov. Weld, strongly opposed the "regulatory burden" that might be
imposed by State licensing of CAs, leading to the rather ironic situation of
arch-conservative Utah sponsoring a regulatory regime, while ultra-liberal
Massachusetts was trying to privatize CAs and let the lawyers fight it out
in court. In addition, some of the computer industry was also opposed to any
kind of regulatory regime -- they didn't want the government, any
government, telling them what they could do, ever. So the establishment of
some kind of a rebuttable presumption faced serious political difficulties.
And then another segment of the academic legal community raised a consumer
protection issue that quickly became even more of an political hot potato.
If a digital signature was presumed to be valid, then, since "everybody
knows" that operating systems are not secure and that the Internet is a
cesspool of viruses, etc., poor Grandma is going to lose her house someday
because her keys were compromised. (This is q variation on the
"death-penalty" certificate theme.)
>From this perspective, what was desired was not more nonrepudiation, but
LESS! Or to be more precise, a better way to control exactly when and how a
signature might reasonably be viewed as being intended to be legally
binding, and when it might be restricted to being used for more benign
applications.
Restricting such usages to a certificate issued by a Licensed CA might have
been a reasonable option – Grandma should never apply for or accept such a
certificate if she never wanted to be legally bound, especially for a
high-value transaction such as selling her house, and the CA would
presumably be obligated to make sure that she understood the possible risks
and need to adequately protect her keys before accepting such a certificate.
Unfortunately, since statutes enabling the use of a Licensed CA are not yet
common and are being opposed by some, this may not be a viable approach.
Another approach MIGHT be to very carefully spell out the terms and
conditions of use for a certificate in the CAs Certification Practice
Statement. But despite the general belief in the PKIX community of the
efficacy of a CPS to cure all ills, there are very grave doubts about
whether a CPS is really all that helpful in this case.
First of all, there is not necessarily any requirement for a relying party
to even read the CPS. Granted, if the relying party does not conform to the
terms of the CPS, it may have a more difficult time suing the CA for
damages, but even this is arguable.
Second, no matter what the CPS states with respect to what the subscriber is
obligated to do with respect to the CA, and no matter what the CPS might
imply with regard to the relying party, (assuming it can be demonstrated
that an enforceable contract even exists between the CA and the RP), there
is absolutely no privity of contract between the subscriber and the relying
party that is caused by the CA and the CPS. The RP can't sue the CA because
of something the subscriber did or didn't do, and likewise the subscriber
can't sue the CA for something the RP did or didn't do. The RP can sue the
CA if it misrepresented the subscriber to the RP, and the subscriber can
likewise sue the CA if it misrepresented the subscriber to the RP, but that
is about it.
So relying on the CPS to protect the subscriber against a claim that she
signed a legally binding document when she never intended to do so is a
rather shaky legal premise. Of course, like the fabled chicken soup remedy
for a cold, it probably won't hurt, either, and so CPS's tend to include all
sorts of things just in case they might help.
What is really needed, given the lack of legal consensus as to how to
approach these issues, is an unambiguous, standards-based way of indicating
whether even a relatively naive consumer did or did not intend to be legally
bound, ever, by a particular public key and certificate, and in particular
by any kind of a high-value transaction that might allegedly be signed by
that person. (In a certain ironic sense, we really need a positive,
"repudiation" bit in a certificate, rather than the absence of a
nonrepudiation bit.) Insofar as possible, this indication must not depend
on the existence or nonexistence of digital signature laws, especially laws
providing a rebuttable presumption to certain classes of certificates,
because of the uncertainty of passage of such laws and the possibility that
they might be preempted by federal legislation.. The desired effect
therefore must be clearly stated in the semantics of the indicator itself,
and interpreted as such by application programs, so that there can be very
little doubt.
Secondly, in the case where a knowledgeable subscriber is in fact willing to
be legally bound by a digital signature, it seems highly advisable to define
a means of explicitly indicating, on a case by case, document by document
basis, the subscriber's human consent and intent to be so bound, and to
ensure that such an indication could not reasonably be interpreted as
applying to any kind of an automatic or programmed generation of a digital
signature by a human user. (A server or automated process may automatically
generate a digital signature on behalf a subscriber such as an organization,
but it must NOT be applied in such as way as to indicate human consent on a
case by case basis.)
My proposal, therefore, is that the text of the nonrepudiation key usage bit
in the PKIX RFC (and hopefully in X.509) be revised to unambiguously state
that the defined semantics of this bit is to indicate the willingness of the
subscriber to be legally bound by a digital signature which can be verified
by a certificate that can be established to have been valid at the time of
signature.
In addition, I propose that we create an additional indicator of a human
being's conscious and willful intent to be legally bound by a digital
signature that would be applied on a message by message basis. This
additional indicator would require, as an integral part of its semantic
definition, that an explicit computer-to-human interaction be required to
provide some reasonable level of ceremonial and due caution warning be
provided to the user. In addition, the semantics of this indicator should
specify that its use must be ENABLED by the NR bit ( as redefined) in the
certificate which includes the corresponding public key. If the certificate
does not have the bit turned on, the application is not obligated to request
the ceremonial, due caution approval; and relying party software should
ignore a per-message indicator even if present in that case.
The obvious, but not necessarily the only, place to put such a message by
message indicator would be in the Cryptographic Message Syntax used by
S/MIME V3, in particular as a new . Since signedAttributes is a SET of
self-describing attributes, adding an additional one would be very simple.
Comments?
Bob [Robert R. Jueneman <[EMAIL PROTECTED]>]
--- end forwarded text
-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
