Digital Signatures Concepts and Regulation

1
Digital Signatures Concepts and Regulation

• Rohit Khare
• Computer Law
• June 9, 1998

2
Digital Signatures Concepts and Regulation

• 1. Electronic and Digital Signatures
• 2. Legal Conception of Signature
• 3. Identifying Apportioning Risk
• 4. Legal Models of Certification Authorities
• 5. Deployment Adoption Scenarios

3
1. Electronic and Digital Signatures

• Digitized Signatures
• Check imaging, Faxed contracts
• Electronic Signatures
• Stroke capture
• Biometric data
• System artifacts (email addresses)
• Digital Signatures
• Asymmetric-key cryptography

4
2.1 Legal Conception of Signature

• General Purposes of Signing
• Evidence a distinctive mark of the signer
• Ceremony calls attention to the act
• Approval implies approval and binding intent
• Efficiency prima facie validation of the
  instrument
• Laws cite unnecessarily specific means

5
2.2 Legal Conception of Signature

• Requisite Attributes of Signatures
• Signer Authentication proof of identity
• Document Authentication proof of subject
• Approval nonrepudiable act should require
  conscious intervention
• Efficiency provide maximum assurance with
  reasonable effort

6
2.3 Legal Conception of Signature

• A new need for a trusted 3rd partyCertification
  Authorities (CAs)
• Certificates bind a key to a subject
• Identity Certificates
• Attribute Certificates
• Transactional/Authorization Certificates
• Requisite service online verification/
  Certificate Revocation Lists (CRLs)

7
3. Identifying Apportioning Risk

• Hierarchical trust management
• Cross-certification and the Web of Trust
• Purposes of an assertion and Liability
• Open PKI can be unlimited liability
• Closed PKI apportions by contract
• Types of Fraud
• Misrepresentation by subject
• Negligent investigation of subject
• Violation of terms of service (e.g. overbroad use)

8
4. Legal Models of Certification Authorities

• Certificates as a hybrid good/service
• Which portions of UCC Article 2 apply?
• Rights of 3rd Parties
• Privity can they be parties to the contract?
• Tort is the CA liable to forseeable users?
• Fails the Ultramares test public attestation
• Jurisdiction
• Can the means of publication affect controlling
  authority?

9
4.1 The Utah Model

• Limits liability of licensed CAs
• None have petitoned such status to date
• Reverses the presumption of authenticity
• Signer must prove the signature was forged
• Promulgates a hierarchical model
• Coevolved with Key Escrow ideas
• UK Trusted Third Parties conflates both roles

10
4.2 The Massachusetts Model

• Merely undefines obsolete paper-only references
• Silent on liability
• Proposed for government use only
• Allows Secretary of State / Chief Information
  Officer to approve various technologies
• California law follows this model
• Defined for a variety of public records since 1995

11
5. Deployment Adoption Scenarios

• CAs already out there (without benefit of
  legislation!)
• Broad disclaimers like the Verisign Certification
  Practice Statement
• unknown validity of webwrap usage licenses
• Larger market opportunity in closed or
  private-label CAs
• Narrow certificates proliferating
• Credit-card specific, corporate registration,
  mobile code testimonials

12
6. Resources (1/3)

• C. Bradford Biddle, Esq.
• http//www.acusd.edu/biddle/LMW.htm
• Prof. Michael Froomkin, Esq.
• http//www.law.miami.edu/froomkin/articles/truste
  dno.htm
• Verisigns Code Signing Certificates
• http//www.verisign.com/developers/info.html

13
6. Resources (2/3)

• Electronic Privacy Information Center
• http//epic.org/crypto/dss/
• Computer Software Industry Association
• http//www.SoftwareIndustry.org/issues/1digsig.ht
  ml
• W3J Weaving a Web of Trust
• http//www.w3j.com/7/

14
6. Resources (3/3)

• ABAs Digital Signature Guidelines
• http//scratch.abanet.org/scitech/ec/isc/dsgfree.h
  tml
• Proposed Massachusetts statue
• http//www.magnet.state.ma.us/itd/legal/mersa.htm
• Survey of States DigSig Legislation
• http//www.magnet.state.ma.us/itd/legal/sigleg7.ht
  m