Encryption, Digital Signatures & Trust Acc680 Jim Nellegar Notaries Public – Lost in Cyberspace or key business professionals of the future? A Proposed Code of Professional Responsibility for Certification Authorities Legal and Technological Infrastructures for Electronic Payment Systems

Dec 21, 2015

Page 1

Encryption, Digital Signatures & Trust

Acc680 Jim Nellegar

Notaries Public – Lost in Cyberspace or key business professionals of the future?

A Proposed Code of Professional Responsibility for Certification Authorities

Legal and Technological Infrastructures for Electronic Payment Systems

Page 2

The John Marshall Law School (1997)

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Michael L. Closen, Professor of Law, J.D.

R. Jason Richards, Law Student

Encryption, Digital Signatures & Trust

Page 3

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Focus:

* Notary's status in U.S. and remediation through cybernotary
* Presents similarities between notary professions and that of Certification Authorities (a.k.a. cybernotaries)
* Barriers
* Recommendations to implement

Page 4

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Authority of Notaries

* Administer oaths
* Attest to authenticity of signatures on documents
* Weddings, abandoned deposit boxes, produce certified copies

Liability of Notaries

* Negligent, reckless or willful conduct
* Not guarantors
* Not liable when acting in good faith

Page 5

Notaries Public: Lost in Cyberspace or key business professionals of the future?

“I have but one lamp by which my feet are guided, and that is the lamp of experience. I know no way of judging of the future but by the past.”

- Patrick Henry (1775)

Page 6

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Status of Notaries in the U.S.

* Prestige not equivalent to other countries
* Few qualifications (education, background)
* Proliferation (4.5m) diminishes importance
* Clerical task requiring minimal fee
* Test is nominal, few continuing education programs
* Sound notarial practices not promulgated
* No records (journal or logs) required
* Little legislative recognition of notaries' financial risk
* No formal code of ethics

…contrasts value of transactions effected

Page 7

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Advantages of Cybernotarization

* Cost-effective:
  - No need to personally appear
  - 24-hour availability
* Gery (Verification of signature)
* Cybernotaries can be entities
* Notaries & Cybernotaries can coexist

Barriers to implementation

* Significantly higher costs (systems, software, training)
* Higher risk/exposure to litigation & defense costs
* Continued desire to use paper
* Inadequate “model” legislation
* System only as good as security over keys

Page 8

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Shortcomings of Utah Model Legislation

* Recommends asymmetric systems only
* Law only requires “reasonable care” in controlling keys
* No qualification for cybernotaries (age, experience, training)
* No testing requirement (technological, legal, ethical, statutory procedures, liability)
* Felonies preclude practice, not civil convictions (fraud)
* Financial liability not identified (only “reliance limits”); surety bond limits & liability insurance not included
* No record maintenance requirement
* Does not address inter-state transactions
* Shortcomings propagate: many other states have used Utah legislation as a model

Page 9

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Using a software program, sender encrypts document using "private" key

Software places "signature" into document; result is a string of digits representing document and code produced by signer

String of digits representing document and signature is sent to cybernotary’s (certification authority) repository. Repository also holds public key held by intended recipient.

Cybernotary determines if sender’s private key as sent matches public key of recipient

If private key and public key match, cybernotary issues a certificate of authenticity

Asymmetric Digital Signature Verification
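
The flow above as an added example (not part of the original slides): in a standard asymmetric scheme the signer signs a hash of the document with the private key, which is never transmitted, and the cybernotary checks that signature against the signer's public key held in its repository. The RSA key here is a constructed toy (unpadded and far too small for real use), and `REPOSITORY`, `notarize` and the subscriber names are hypothetical.

```python
import hashlib

# Toy RSA key for the signer (constructed for illustration; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1            # two known Mersenne primes
N, E = P * Q, 65537                    # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the signer

def digest(document: bytes, n: int) -> int:
    """SHA-256 of the document, reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, d: int, n: int) -> int:
    """Signer side: the 'string of digits' is the digest raised to the private exponent."""
    return pow(digest(document, n), d, n)

# Hypothetical cybernotary repository: subscriber name -> registered PUBLIC key only.
REPOSITORY = {"alice": (N, E)}

def notarize(signer: str, document: bytes, signature: int):
    """Cybernotary side: return a certificate of authenticity, or None on any failure."""
    key = REPOSITORY.get(signer)
    if key is None:
        return None                    # unknown subscriber
    n, e = key
    if not 0 <= signature < n:
        return None                    # malformed signature value
    if pow(signature, e, n) != digest(document, n):
        return None                    # document altered or signed with another key
    return {"signer": signer,
            "sha256": hashlib.sha256(document).hexdigest(),
            "status": "authentic"}

if __name__ == "__main__":
    doc = b"Transfer deed, lot 14 (constructed sample document)"
    sig = sign(doc, D, N)
    print(notarize("alice", doc, sig))                # certificate dict
    print(notarize("alice", doc + b" amended", sig))  # None
    print(notarize("mallory", doc, sig))              # None
```

Production systems use a padded signature scheme such as RSASSA-PSS with keys of at least 2048 bits; the repository lookup and the accept/reject decision keep the same shape.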

Page 10

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Recommendations (Corrective & Implementive)

* Federal legislation be written to address shortcomings
* Cybernotaries should understand that parties are financially responsible and legally enforceable
* …the role of CA be “undertaken exclusively by attorneys.”

Page 11

Notaries Public: Lost in Cyberspace or key business professionals of the future?

Conclusion:

I am not an advocate for frequent changes in laws and institutions. But laws and institutions must go hand-in-hand with the progress of the human mind. As that becomes more developed, more enlightened, as new discoveries are made, new truths discovered and manners and opinions change, with change of circumstances, institutions must advance also to keep pace with the times.

- Thomas Jefferson (1816)

Page 12

John Marshall Journal of Computer & Information Law

A Proposed Code of Professional Responsibility for Certification Authorities

Dina Atanasopoulos-Arvanitakis

Marilynn J. Dye

Page 13

A Proposed Code of Professional Responsibility for Certification Authorities

Focus:

Propose guidance to CAs where laws or directives are silent.

Page 14

A Proposed Code of Professional Responsibility for Certification Authorities

Background

* Role of CA will take on added importance in “paperless society.”
* CA will be a position of public trust demanding extensive skill and understanding of trusted systems
* Standards do not carry force of law
* CODE = 10 Guiding Principles (composed of Directives)
* Designed with model acts in mind, harmonization with (more rigid) notary standards in other countries

Page 15

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle I

The CA shall be a licensed attorney
- Notary should be able to substantiate validity of contract

The CA shall be licensed in information technology
- Qualified to act per specialization rules by ABA
- No American “license” to date

The CA shall update and continue his education in IT
- Recommend establishing governing body to ID mandatory programs
- Recommend 20 hours per year

The CA shall be competent at all times
- Refer or recuse

Page 16

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle II

The CA has International Jurisdiction
- Addresses fact that Internet activities transcend boundaries

The CA shall be commissioned in every state
- Reciprocity

The CA shall pass an international notary exam
- If candidate wishes to issue certificates for international business
- Structure similar to the U.S. International Patent Bar

Page 17

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle III

The CA shall be a public official
- Notaries are in a position of public officer

The CA shall be a fiduciary
- Acknowledges cybernotary has a public trust (sans contract)

The CA shall be a fiduciary to his/her subscriber & 3rd parties
- Acknowledges cybernotary's duties to sender/recipient as provided by contract or law

Page 18

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle IV

The CA owes a standard of care to their clients
- Confirm facts related to the transaction

The CA shall safeguard private keys
- Including information contained within the keys

The CA shall maintain proper records
- Shall maintain a record of each transaction, details, adequate time period

The CA shall maintain confidences
- Related to the transaction and parties

The CA shall disclose facts that adversely or materially affect reliance
- Any facts or circumstances impacting reliance on certificate
- Any facts that would indicate an actual or potential conflict of interest

~ Risk ~

The CA shall have sufficient financial resources
- Resources sufficient to bear risk of liability. Surety bonds, liability insurance, etc. (may differ by jurisdiction).

Page 19

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle V

The CA shall pass a criminal background check
- Includes civil convictions for fraud

The CA must procure proper identification
- Deterrent. Photo/thumbprint/tele. Must maintain identifications in e-journal

The CA shall verify information
- Information relative and critical to transactions. E.g., intent to engage in a transaction.

The CA shall time stamp certificates
- Including person that created the certificate

The CA shall suspend/revoke a cert. if private key is compromised
- May include taking action for sender, requires “public” notice, parties

The CA shall report fraudulent activity
- To “appropriate” law enforcement or disciplinary authority

Page 20

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle VI

The CA shall refrain from notarizing his own transactions and from accepting improper gains
- Avoid appearance of impropriety
- Cannot use information gained (directly or collaterally) for personal gain

Guiding Principle VII

The CA shall not purposefully and knowingly engage in misconduct
- No false, deceptive, inaccurate or incomplete information.
- Criminal and civil liability may result

Guiding Principle VIII

The Certification Authority Shall Treat All People Equally
- Race, religion, national origin, age, physical disability, gender, etc.

Page 21

A Proposed Code of Professional Responsibility for Certification Authorities

Guiding Principle IX

The Certification Authority Shall Charge Reasonable Fees
- Does not define reasonable or how market will be set (legislated fee schedule, free competition, etc.)
- No CA shall enter into an agreement charging an excessive fee.

Guiding Principle X

The CA shall maintain the integrity of the profession
- Act in accordance with role of a public official

The CA shall report misconduct
- Of colleagues. Statement does not include clients.

The CA shall make dignified advertisements

The CA shall refrain from making endorsements

Page 22

A Proposed Code of Professional Responsibility for Certification Authorities

Conclusion:

Valuable as a first step and framework

* Requires further development
* May require regular practice statements (public trust), certifications
* Objective not dissimilar to WebTrust
* Requires wide-spread adoption (international acceptance)
* Organizations must be self-policing

Questions:

* Attorney language focuses on prestige, ethics, technical. Too limited?

Page 23

Rutgers Computer and Technology Law Journal (1996)

Legal and Technological Infrastructures for Electronic Payment Systems

Henry H. Perritt, Jr.

Page 24

Legal and Technological Infrastructures for Electronic Payment Systems

Focus

Infrastructures necessary to ensure Internet Payment Systems include:

Acceptor of credit card or cybercash has a claim against the issuer

An assured funds against which redemption can be made

Page 25

Legal and Technological Infrastructures for Electronic Payment Systems

Acceptor of credit card or cybercash has a claim against the issuer

Risk of forgery is primary risk giving rise to dishonor:

- Digital signatures protect vendor from spoofing of customer or forgery or spoofing with respect to the issuer
- Acceptance of PKI as solution: an appropriate legal framework must be adopted.

Page 26

Legal and Technological Infrastructures for Electronic Payment Systems

An assured funds against which redemption can be made

- Legal infrastructure for forgery and dishonor in traditional commerce

* Banking regulations impose capital requirements, insurance

* Much of Internet business will be conducted out of reach of banking regulators

Page 27

Legal and Technological Infrastructures for Electronic Payment Systems

Focus

Risk of Forgery

- Technology: IETF standard X.509, RFC 1422, VISA/MC promulgates standards for management and use of PKI.
- Legal: Technology complemented by VISA/MC framework, model legislation (greater adoption needed)
- More CAs created and marketed

Risk of Dishonor

- Risk greater: not controlled
- Banking-type regulation more difficult by Internet
- Clearinghouse mechanisms better solution than banking mechanism
  * Faster to create, set up administration
  * Faster response to problems, technological changes
  * Can regulate across national boundaries (overreaching risk)
  * Exists in credit card model