A PROPOSED CODE OF PROFESSIONAL RESPONSIBILITY FOR CERTIFICATION AUTHORITIES 1999 The John Marshall Law School The John Marhall Journal of Computer & Information.

A PROPOSED CODE OF PROFESSIONAL RESPONSIBILITY

FOR CERTIFICATION AUTHORITIES

1999 The John Marshall Law School The John Marhall Journal of

Computer & Information Law

Spring, 1999

17 J. Marshall J. Computer & Info. L. 1003

by Dina Athanasopoulos-Arvanitakis & Marilynn J. Dye

Cyber Notaries

• Certification Authorities are equated to Cyber Notaries in this text.

• Lays out 10 Guiding Principles or Commandments that should be satisfied to become a Certification Authority.

Need to be trusted both Nationally and Internationally

• Compare US to Foreign Notaries

• Nature of the internet makes boarders irrelevant so US Certification Authorities need to meet standards that will be accepted internationally.

• Pass international notary test.

The Certification Authority is a Licensed

Attorney Who Has the Duty to be Competent • Attorney will satisfy Trustworthy issue• “Licensed” Technically - IE know computers,

encryption, security, ABA Science and Technology Committee

• CPE - to remain up on technology• Competent - If no longer have requisite attributes

(skills) give up practice.

THE CERTIFICATION AUTHORITY SHALL BE COMMISSIONED IN EVERY

STATE

• Internet makes boarders meaningless, so a Cyber Notary shall be licensed in every state and be accepted world wide.

THE CERTIFICATION AUTHORITY

SHALL BE A FIDUCIARY • Be a Public Officer

• Fiduciary to clients and relying third parties. If private key escrow take extra actions.

THE CERTIFICATION AUTHORITY OWES A STANDARD OF CARE TO

THEIR CLIENTS • Confirm Facts of transactions - verify identity of

people issuing certificates too and other facts that might be necessary. Vary by type and use of Cert.

• Safeguard private key• Maintain Records of Transactions• Maintain confidences - any info from process• Disclose Material Facts• Avoid conflict of Interests• Have Sufficient Recourses to compensate for breech.

THE CERTIFICATION AUTHORITY HAS A DUTY TO GUARD AGAINST FRAUD

AND PROMOTE TRUTHFULNESS

INTRANSACTIONS • Criminal Background check no Fraud• ID certificate seekers , digital thumb print• Verify Info provided related to certificate issuance

guess type of business• Time Stamp Certificates• Revoke Certificates when key compromised• Report Fraudulent Activity

THE CERTIFICATION AUTHORITY SHALL REFRAIN FROM CYBERNOTARIZING HIS OR

HER OWN TRANSACTIONS AND FROM

ACCEPTING IMPROPER GAINS • Can’t certify their own transactions -

appearance

• Should not exploit their office for personal gain. Reasonable fee.

THE CERTIFICATION AUTHORITY SHALL NOT PURPOSEFULLY AND

KNOWINGLY ENGAGE INMISCONDUCT • No Action against public interest

• Not issue certificate they know to have false misleading, deceptive information

• Criminally liable

• Civilly Liable

THE CERTIFICATION AUTHORITY

SHALL TREAT ALL PEOPLE EQUALLY • No Discrimination- race, religion, national

origin, gender, age, physical disability or sexual orientation.

THE CERTIFICATION AUTHORITY

SHALL CHARGE REASONABLE FEES • Based on their background, the service

provided, the amount of work required.

• No other waive based on performing a transaction.

• Fee can’t be excessive or illegal

• Can’t base fees on race, religion, national…

THE CERTIFICATION AUTHORITY HAS A DUTY TO MAINTAIN THE INTEGRITY

OF THE PROFESSION • Conduct business proffesionally not to

discredit profession

• Report Misconduct by self others

• Ads

• No endorsements

The Essential Role of Trusted Third Parties

in Electronic Commerce Copyright (c) 1996 University of Oregon

Oregon Law Review

Spring, 1996

75 Or. L. Rev. 49

by MICHAEL FROOMKIN

Digital Certificates are Meaningless without

Certification Authority - who can provide assurance that the certificate relates to the person it claims to.

Public/Private Key Description

Digital Signatures

Certification AuthoritiesChain or Flat

Certificate

• Identifies CA issuing it

• Names, identifies or describes an attribute of the subscriber

• Contains the subscriber’s public key

• Is Digitally signed by the CA

Certificate Types

• The certificate’s email address is unique

• 3rd party verified name, address other data

• Appear in person

• Investigated the Subject

Authorizing Certificate

• Assure more than just identity

• Address, age, profession, membership

Transactional Certificate• Attest that some fact was witnessed by the

issuer.

• ABA- CyberNotary- certify fact and what level of verification performed by CA. This provides more assurance than digital signature.

• Time stamped

• Less liability because it’s a one transaction certification

Digital Time Stamping Service

• Digitally stamp hash of a document and you can know it was created before that date.

• Digital hash and time stamp in CA private key plus the hash of some prior and later documents hashed plus contact data. Could publish list in newspaper weekly.

Simple Sales - Merchants Desire• Authentication - to ensure payment & marketing• Certification - meet purchase requirements• Confirmation - to credit card company order real • Nonrepudiation - unjust claim purchaser didn’t

• Payment

• Anonymity•

Simple Sales - Buyer Desires• Authentication - genuine goods and

warranties

• Integrity - no unauthorized payments

• Recourse - if seller fails their parts

• confirmation - Receipt

• Privacy - how much info to third parties• Anonymity - how much info to merchant

Face to Face• Can examine goods

• Store can see ID

• Pay Cash little data shared

• Know where store is if problems

• Indicate what court to use if have to

• Generate receipts a copy for each party

Telephone• Now number you called, not where 1(800)

• Can’t see merchandise

• Caller ID & database - store can know a lot

• Can use credit card rules for disputes

Internet Sales - without some authentication can’t tell who you deal with at least you had phone number phone company

• Tangible Goods - similar to phone sales but less data.

• Information - immediate like face to face but no data. If get the data all the other concerns consideration, delivery, breech, remedy, title, security and fraud still exist.

Payment

• Credit or Debit Cards - no innovation - encryption can provide security and nonrepudiation.

• Micro-payments- Credit cards transaction costs are too high.

Electronic Cash

• Digital Easy to copy - either need immediate clearing or digital signature so if spent twice there is recourse, put that hurts privacy.

• Credit cards leave a trail to find parties

Other Transaction

• Stock Brokerage Account -

• Broker needs to know it is actually the customer. Privacy

• Customer needs to know they have their broker. Privacy

• Certificate Authority, certificates, verification and CRLs

Certificate Authority Liability

• Unclear

• Utah Digital Signature Law limits it for licensed CA.

Burden of Proof

• Utah’s Digital Signature Law changes the burden of proof regarding digital signature from a CA.

• Liability for compromised private key falls on owner of the key. Liability timeframes once aware, reported and published on certificate revocation list.

CA sell Goods

• Good - warranty, implied or warranty of merchantability, fitness for a particular purpose, statute of limitations generally all UCC Article 2

• Liability to person or members of family

• Any natural person expected or reasonable foreseen affected by reliance

• Any artificial or natural person who can reasonably have been expected to rely

CA Sells a Combination Good/Service• Decide which rules apply based on

preponderance

• Final Product - after transaction what is left over

• CRL and Certificates on a web site might indicate a service

CA Sells a Service

• Contract Law – intended third party– Foreseeability – Restatement - Known to issuer– Privity - got certificate from CA or not ?

Strict Liability

• No Privity - Liability Follows the goods

• Not safe for a use that can be expected of them and which no warning has been made.

• Least Cost Avoider - Subject of a certificate least, CA is next least and both can be liable to a Relying Party

• CA’s will try to limit their liability with contract language

Is Legislation Needed• Liability might cause CA to not issue

certificates to many and to limit their representation and liability so as to make them useless.

• Utah Model - pass strict criteria have little liability, required to have insurance to cover liability.

• Handle CA going out of business

Case Against Legislation

• No real illustration of what needs to be addressed.

• Market forces might provide

• No guidance on what a CA should do to meet reliability

ABA Guidelines

• Address lack of best practices

• Educate judges and lawyers about field

Conclusion

• CA role is important to E-commerce• Lack of rules and case law could impede E• A period with no such rules might allow

market forces to shape approach• Delaware Corporate Rule might result or

harmonization of state laws• Possible benefit of Federal or International

rules might arise as E becomes globa.

THE UTAH DIGITAL SIGNATURE ACT AS "MODEL" LEGISLATION:

A CRITICAL ANALYSIS

Copyright (c) 1999 The John Marshall Law School

The John Marhall Journal of Computer & Information Law

Spring, 1999

17 J. Marshall J. Computer & Info. L. 873

by R. Jason Richards

Utah Digital Signature Act

• First in nation

• Other States are modeling on it• Comprehensive Laws

• Brief Guidelines

• Defects In Utah Act Need to Be Addressed!

Record Keeping• Amendment requires record keeping but only

about revocations, suspensions or expired• Author makes case that records to support that

issuance rules were followed have should be required by law.

• Evidence - that rules were followed, that certificate has not been tampered with

• Only required for three years

Reasons to Keep Records

• To authenticate signed messages

• Evidence of CA proper practices

• Satisfy Legislative Requirements if enacted• I think this misses business requirements driving

record keeping by CA but that the three year requirement has merit.

Licensing Requirements

• Require knowledge of computers and digital signature technology but no licensing of individual staff

• No age requirements

• No experience requirements

• No required Understanding of Liability

Criminal Convictions

• Bars both “real” criminals and other felons

• Should also bar people with civil or administrative fraud rulings against them.

• Disclose and allow decision based on information.

Recommended Reliance Limits

• Attempt to limit liability

• Protection against their own failed actions

• As public officers can we limit their liability

Suitable Guarantee

• Bond, irrevocable letter of credit but no minimum coverage proscribed.

• Bond is not insurance and does not protect CA Bond issuer would seek repayment of payouts for error or omissions.

Residency Requirements• A place to Serve Process

• Means what? in interstate/international market

• This adds to confusion about where a CA has authority.

Trustworthy System• Computers

• Reasonably secure from intrusion and misuse

• reasonable level of availability, reliability and correct operation

• suited to the intended operations

• Law Public and Private Key - technology neutral approach won’t stifle

Limited Liability for CA by Law• Liability limited up to suitable guarantee

• This was to foster industry - should have allowed profit motive to create market despite liability

• By limiting liability it moves risk to subscribers and third parties who rely on certificates

• Public Officers should bear higher risk

• Proximately Caused Injury coverage

Reasonable Care• Private key holders should be held liable for

use.

• Would be more careful.

• Would seek insurance coverage.

Evidentiary Presumptions • Generally in other laws Signature is presumed invalid

• Utah if signed with Private key listed with a licensed CA presumed legal - Key holder must prove otherwise.

• Based on Notary Public if stamped assume liability but if show wrong doing shifts to Notary but no witness of key use.

• Author misses point of what a digital signature is intended to provide assurance of id.. Further by verifying signature to CA relier takes the first step and key holder is in best position to make case that key stolen or not mine.

Conclusion - address these issues

Digital vrs Electronic Signature

• Electronic Signature - any mark that is intended to be a parties signature. Burden is on relier to prove that it is valid

• Digital - refers to private/public key encryption. Can be relied on

• Certificate Authorities critical to acceptance of Digital Signatures.

Cyber-Notary

• Requires knowledge of computer technology.

• Does not have to be present at signing

• Role is to bind identity to signature or key.