A PROPOSED CODE OF PROFESSIONAL RESPONSIBILITY FOR CERTIFICATION AUTHORITIES 1999 The John Marshall Law School The John Marshall Journal of Computer & Information.

Post on 20-Jan-2016


A PROPOSED CODE OF PROFESSIONAL RESPONSIBILITY

FOR CERTIFICATION AUTHORITIES

1999 The John Marshall Law School

The John Marshall Journal of Computer & Information Law

Spring, 1999

17 J. Marshall J. Computer & Info. L. 1003

by Dina Athanasopoulos-Arvanitakis & Marilynn J. Dye

Cyber Notaries

• Certification Authorities are equated to Cyber Notaries in this text.

• Lays out 10 Guiding Principles or Commandments that should be satisfied to become a Certification Authority.

Need to be trusted both Nationally and Internationally

• Compare US to Foreign Notaries

• Nature of the internet makes borders irrelevant so US Certification Authorities need to meet standards that will be accepted internationally.

• Pass international notary test.

The Certification Authority is a Licensed Attorney Who Has the Duty to be Competent

• Attorney will satisfy Trustworthy issue

• “Licensed” Technically - i.e., know computers, encryption, security, ABA Science and Technology Committee

• CPE - to remain up on technology

• Competent - If no longer have requisite attributes (skills) give up practice.

THE CERTIFICATION AUTHORITY SHALL BE COMMISSIONED IN EVERY STATE

• Internet makes borders meaningless, so a Cyber Notary shall be licensed in every state and be accepted worldwide.

THE CERTIFICATION AUTHORITY SHALL BE A FIDUCIARY

• Be a Public Officer

• Fiduciary to clients and relying third parties. If private key escrow take extra actions.

THE CERTIFICATION AUTHORITY OWES A STANDARD OF CARE TO THEIR CLIENTS

• Confirm Facts of transactions - verify identity of people issuing certificates to and other facts that might be necessary. Vary by type and use of Cert.

• Safeguard private key

• Maintain Records of Transactions

• Maintain confidences - any info from process

• Disclose Material Facts

• Avoid conflict of Interests

• Have Sufficient Resources to compensate for breach.

THE CERTIFICATION AUTHORITY HAS A DUTY TO GUARD AGAINST FRAUD AND PROMOTE TRUTHFULNESS IN TRANSACTIONS

• Criminal Background check no Fraud

• ID certificate seekers, digital thumb print

• Verify Info provided related to certificate issuance guess type of business

• Time Stamp Certificates

• Revoke Certificates when key compromised

• Report Fraudulent Activity

THE CERTIFICATION AUTHORITY SHALL REFRAIN FROM CYBERNOTARIZING HIS OR HER OWN TRANSACTIONS AND FROM ACCEPTING IMPROPER GAINS

• Can’t certify their own transactions - appearance

• Should not exploit their office for personal gain. Reasonable fee.

THE CERTIFICATION AUTHORITY SHALL NOT PURPOSEFULLY AND KNOWINGLY ENGAGE IN MISCONDUCT

• No Action against public interest

• Not issue certificate they know to have false, misleading, deceptive information

• Criminally liable

• Civilly Liable

THE CERTIFICATION AUTHORITY SHALL TREAT ALL PEOPLE EQUALLY

• No Discrimination - race, religion, national origin, gender, age, physical disability or sexual orientation.

THE CERTIFICATION AUTHORITY SHALL CHARGE REASONABLE FEES

• Based on their background, the service provided, the amount of work required.

• No other waive based on performing a transaction.

• Fee can’t be excessive or illegal

• Can’t base fees on race, religion, national…

THE CERTIFICATION AUTHORITY HAS A DUTY TO MAINTAIN THE INTEGRITY OF THE PROFESSION

• Conduct business professionally not to discredit profession

• Report Misconduct by self or others

• Ads

• No endorsements

The Essential Role of Trusted Third Parties in Electronic Commerce

Copyright (c) 1996 University of Oregon

Oregon Law Review

Spring, 1996

75 Or. L. Rev. 49

by MICHAEL FROOMKIN

Digital Certificates are Meaningless without Certification Authority - who can provide assurance that the certificate relates to the person it claims to.

Public/Private Key Description

Digital Signatures

Certification Authorities

Chain or Flat

Certificate

• Identifies CA issuing it

• Names, identifies or describes an attribute of the subscriber

• Contains the subscriber’s public key

• Is Digitally signed by the CA

Certificate Types

• The certificate’s email address is unique

• 3rd party verified name, address other data

• Appear in person

• Investigated the Subject

Authorizing Certificate

• Assure more than just identity

• Address, age, profession, membership

Transactional Certificate

• Attest that some fact was witnessed by the issuer.

• ABA- CyberNotary- certify fact and what level of verification performed by CA. This provides more assurance than digital signature.

• Time stamped

• Less liability because it’s a one transaction certification

Digital Time Stamping Service

• Digitally stamp hash of a document and you can know it was created before that date.

• Digital hash and time stamp in CA private key plus the hash of some prior and later documents hashed plus contact data. Could publish list in newspaper weekly.
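An added example, not from the slides or the articles they summarize: a minimal hash-linked timestamp log in Python, showing why chaining each record to the prior one and publishing the latest link makes backdating detectable. The class, function and field names are hypothetical, the sample documents are constructed, and the service's signature over each record is left out to keep the focus on the linking.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder link for the first record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def link_hash(record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return sha256_hex(json.dumps(record, sort_keys=True).encode())

class TimestampLog:
    """Hash-linked timestamp log (hypothetical design; signatures omitted)."""

    def __init__(self):
        self.records = []

    def stamp(self, document: bytes, when: str, contact: str) -> dict:
        prev = link_hash(self.records[-1]) if self.records else GENESIS
        record = {"seq": len(self.records), "time": when, "contact": contact,
                  "doc_hash": sha256_hex(document), "prev": prev}
        self.records.append(record)
        return record

    def head(self) -> str:
        # The value a service could publish, e.g. weekly in a newspaper.
        return link_hash(self.records[-1])

def verify(records: list, document: bytes, seq: int, published_head: str) -> bool:
    """True if the document sits at position seq and the chain ends at the published head."""
    if not 0 <= seq < len(records):
        return False
    if records[seq]["doc_hash"] != sha256_hex(document):
        return False
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        prev = link_hash(rec)
    return prev == published_head

def demo():
    log = TimestampLog()
    # Constructed sample documents, dates and contacts.
    log.stamp(b"contract v1", "1996-03-01T10:00Z", "alice@example.org")
    log.stamp(b"purchase order", "1996-03-02T09:30Z", "bob@example.org")
    log.stamp(b"will", "1996-03-03T16:45Z", "carol@example.org")
    published = log.head()
    genuine = verify(log.records, b"purchase order", 1, published)
    forged = [dict(r) for r in log.records]
    forged[1]["time"] = "1995-01-01T00:00Z"  # backdate after publication
    return genuine, verify(forged, b"purchase order", 1, published)
```

Even if the later `prev` links are recomputed to hide the change, the final link no longer matches the value already published.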

Simple Sales - Merchants Desire

• Authentication - to ensure payment & marketing

• Certification - meet purchase requirements

• Confirmation - to credit card company order real

• Nonrepudiation - unjust claim purchaser didn’t

• Payment

• Anonymity

Simple Sales - Buyer Desires

• Authentication - genuine goods and warranties

• Integrity - no unauthorized payments

• Recourse - if seller fails their parts

• confirmation - Receipt

• Privacy - how much info to third parties

• Anonymity - how much info to merchant

Face to Face

• Can examine goods

• Store can see ID

• Pay Cash little data shared

• Know where store is if problems

• Indicate what court to use if have to

• Generate receipts a copy for each party

Telephone

• Know number you called, not where 1(800)

• Can’t see merchandise

• Caller ID & database - store can know a lot

• Can use credit card rules for disputes

Internet Sales - without some authentication can’t tell who you deal with at least you had phone number phone company

• Tangible Goods - similar to phone sales but less data.

• Information - immediate like face to face but no data. If get the data, all the other concerns (consideration, delivery, breach, remedy, title, security and fraud) still exist.

Payment

• Credit or Debit Cards - no innovation - encryption can provide security and nonrepudiation.

• Micro-payments- Credit cards transaction costs are too high.

Electronic Cash

• Digital - Easy to copy - either need immediate clearing or digital signature so if spent twice there is recourse, but that hurts privacy.

• Credit cards leave a trail to find parties

Other Transaction

• Stock Brokerage Account -

• Broker needs to know it is actually the customer. Privacy

• Customer needs to know they have their broker. Privacy

• Certificate Authority, certificates, verification and CRLs

Certificate Authority Liability

• Unclear

• Utah Digital Signature Law limits it for licensed CA.

Burden of Proof

• Utah’s Digital Signature Law changes the burden of proof regarding digital signature from a CA.

• Liability for compromised private key falls on owner of the key. Liability timeframes once aware, reported and published on certificate revocation list.

CA sell Goods

• Good - warranty, implied or warranty of merchantability, fitness for a particular purpose, statute of limitations generally all UCC Article 2

• Liability to person or members of family

• Any natural person expected or reasonably foreseen affected by reliance

• Any artificial or natural person who can reasonably have been expected to rely

CA Sells a Combination Good/Service

• Decide which rules apply based on preponderance

• Final Product - after transaction what is left over

• CRL and Certificates on a web site might indicate a service

CA Sells a Service

• Contract Law

– Intended third party

– Foreseeability

– Restatement - Known to issuer

– Privity - got certificate from CA or not?

Strict Liability

• No Privity - Liability Follows the goods

• Not safe for a use that can be expected of them and which no warning has been made.

• Least Cost Avoider - Subject of a certificate least, CA is next least and both can be liable to a Relying Party

• CA’s will try to limit their liability with contract language

Is Legislation Needed

• Liability might cause CA to not issue certificates to many and to limit their representation and liability so as to make them useless.

• Utah Model - pass strict criteria have little liability, required to have insurance to cover liability.

• Handle CA going out of business

Case Against Legislation

• No real illustration of what needs to be addressed.

• Market forces might provide

• No guidance on what a CA should do to meet reliability

ABA Guidelines

• Address lack of best practices

• Educate judges and lawyers about field

Conclusion

• CA role is important to E-commerce

• Lack of rules and case law could impede E

• A period with no such rules might allow market forces to shape approach

• Delaware Corporate Rule might result or harmonization of state laws

• Possible benefit of Federal or International rules might arise as E becomes global.

THE UTAH DIGITAL SIGNATURE ACT AS "MODEL" LEGISLATION:

A CRITICAL ANALYSIS

Copyright (c) 1999 The John Marshall Law School

The John Marshall Journal of Computer & Information Law

Spring, 1999

17 J. Marshall J. Computer & Info. L. 873

by R. Jason Richards

Utah Digital Signature Act

• First in nation

• Other States are modeling on it

• Comprehensive Laws

• Brief Guidelines

• Defects In Utah Act Need to Be Addressed!

Record Keeping

• Amendment requires record keeping but only about revocations, suspensions or expired

• Author makes case that records to support that issuance rules were followed should be required by law.

• Evidence - that rules were followed, that certificate has not been tampered with

• Only required for three years

Reasons to Keep Records

• To authenticate signed messages

• Evidence of CA proper practices

• Satisfy Legislative Requirements if enacted

• I think this misses business requirements driving record keeping by CA but that the three year requirement has merit.

Licensing Requirements

• Require knowledge of computers and digital signature technology but no licensing of individual staff

• No age requirements

• No experience requirements

• No required Understanding of Liability

Criminal Convictions

• Bars both “real” criminals and other felons

• Should also bar people with civil or administrative fraud rulings against them.

• Disclose and allow decision based on information.

Recommended Reliance Limits

• Attempt to limit liability

• Protection against their own failed actions

• As public officers can we limit their liability

Suitable Guarantee

• Bond, irrevocable letter of credit but no minimum coverage prescribed.

• Bond is not insurance and does not protect CA. Bond issuer would seek repayment of payouts for errors or omissions.

Residency Requirements

• A place to Serve Process

• Means what? in interstate/international market

• This adds to confusion about where a CA has authority.

Trustworthy System

• Computers

• Reasonably secure from intrusion and misuse

• reasonable level of availability, reliability and correct operation

• suited to the intended operations

• Law Public and Private Key - technology neutral approach won’t stifle

Limited Liability for CA by Law

• Liability limited up to suitable guarantee

• This was to foster industry - should have allowed profit motive to create market despite liability

• By limiting liability it moves risk to subscribers and third parties who rely on certificates

• Public Officers should bear higher risk

• Proximately Caused Injury coverage

Reasonable Care

• Private key holders should be held liable for use.

• Would be more careful.

• Would seek insurance coverage.

Evidentiary Presumptions

• Generally in other laws Signature is presumed invalid

• Utah if signed with Private key listed with a licensed CA presumed legal - Key holder must prove otherwise.

• Based on Notary Public if stamped assume liability but if show wrongdoing shifts to Notary but no witness of key use.

• Author misses point of what a digital signature is intended to provide assurance of id. Further by verifying signature to CA relier takes the first step and key holder is in best position to make case that key stolen or not mine.

Conclusion - address these issues

Digital vs. Electronic Signature

• Electronic Signature - any mark that is intended to be a party's signature. Burden is on relier to prove that it is valid

• Digital - refers to private/public key encryption. Can be relied on

• Certificate Authorities critical to acceptance of Digital Signatures.

Cyber-Notary

• Requires knowledge of computer technology.

• Does not have to be present at signing

• Role is to bind identity to signature or key.
