1996-02-22 - Re: Digital Signature Legislation (fwd)

Header Data

From: frantz@netcom.com (Bill Frantz)
To: "C. Bradford Biddle" <biddle@pwa.acusd.edu>
Message Hash: e0874b279ea579e07ebb6df999d951f64ef02525274e2568e9ab5caeab61ae6a
Message ID: <199602222030.MAA04720@netcom7.netcom.com>
Reply To: N/A
UTC Datetime: 1996-02-22 21:51:54 UTC
Raw Date: Fri, 23 Feb 1996 05:51:54 +0800

Raw message

From: frantz@netcom.com (Bill Frantz)
Date: Fri, 23 Feb 1996 05:51:54 +0800
To: "C. Bradford Biddle" <biddle@pwa.acusd.edu>
Subject: Re: Digital Signature Legislation (fwd)
Message-ID: <199602222030.MAA04720@netcom7.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At  20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
>---------- Forwarded message ----------
>
>DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
>
>[Copyright 1996 by Brad Biddle; permission granted for non-commercial 
>electronic redistribution]
>
>...

>LIABILITY
>
>The Utah Act makes two policy choices concerning liability allocation.
>Under the Utah Act, consumers are held to a negligence standard in
>guarding their private encryption key. Thus, if a criminal obtains a
>consumer's private key and commits fraud, the consumer is financially
>responsible for that fraud unless the consumer can prove that the consumer
>used reasonable care in guarding the private key. ...

One important point here is what is "reasonable care"?  In a very real
sense, all consumer computer operating systems are not secure.  I have
posted a theoretical virus-borne attack on PGP's secret key to the
cypherpunks mailing list (archives at http://www.hks.net/cpunks/).
Nathaniel Borenstein of First Virtual has posted to the same list a
description of a partially implemented attack on credit card numbers which
has received heavy response.  If there is enough reward, these attacks will
occur.

The question I have is, does "reasonable care" include keeping your machine
"virus free"?  


>There is a second troubling policy choice relating to liability. The Utah
>Act limits the potential liability of one actor in the infrastructure --
>the certification authority -- to a fixed amount (termed a "suitable
>guarantee" and determined by a complex formula or by administrative rule).

The historic precedent is the liability limit on nuclear power plants.

For both these problems, a relatively low liability limit would force
people to use other techniques (e.g. old style signed contracts) for large
transactions.  While we are working the bugs out of a new technology, with
new standards of "reasonable care", everyone might win if the risks are
limited.


>PRIVACY

I believe the area of privacy is where the real problems lie.  I will let
other, more qualified, people suggest alternatives to the Utah law
proposal.


>
>Brad Biddle, Legal Intern <biddle@acusd.edu>
>Privacy Rights Clearinghouse, Ctr for Public Interest Law
>http://pwa.acusd.edu/~prc
>
>[The views expressed in this article are not necessarily those of the 
>Privacy Rights Clearinghouse or the Center for Public Interest Law.]

Regards - Bill


------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
