From: frantz@netcom.com (Bill Frantz)
To: "C. Bradford Biddle" <biddle@pwa.acusd.edu>
Message Hash: e0874b279ea579e07ebb6df999d951f64ef02525274e2568e9ab5caeab61ae6a
Message ID: <199602222030.MAA04720@netcom7.netcom.com>
Reply To: N/A
UTC Datetime: 1996-02-22 21:51:54 UTC
Raw Date: Fri, 23 Feb 1996 05:51:54 +0800
Subject: Re: Digital Signature Legislation (fwd)
At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
>---------- Forwarded message ----------
>
>DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
>
>[Copyright 1996 by Brad Biddle; permission granted for non-commercial
>electronic redistribution]
>
>...
>LIABILITY
>
>The Utah Act makes two policy choices concerning liability allocation.
>Under the Utah Act, consumers are held to a negligence standard in
>guarding their private encryption key. Thus, if a criminal obtains a
>consumer's private key and commits fraud, the consumer is financially
>responsible for that fraud unless the consumer can prove that the consumer
>used reasonable care in guarding the private key. ...
One important point here is what is "reasonable care"? In a very real
sense, all consumer computer operating systems are not secure. I have
posted a theoretical virus-borne attack on PGP's secret key to the
cypherpunks mailing list (archives at http://www.hks.net/cpunks/).
Nathaniel Borenstein of First Virtual has posted to the same list a
description of a partially implemented attack on credit card numbers which
has received heavy response. If there is enough reward, these attacks will
occur.
The question I have is, does "reasonable care" include keeping your machine
"virus free"?
>There is a second troubling policy choice relating to liability. The Utah
>Act limits the potential liability of one actor in the infrastructure --
>the certification authority -- to a fixed amount (termed a "suitable
>guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants.
For both these problems, a relatively low liability limit would force
people to use other techniques (e.g. old style signed contracts) for large
transactions. While we are working the bugs out of a new technology, with
new standards of "reasonable care", everyone might win if the risks are
limited.
>PRIVACY
I believe the area of privacy is where the real problems lie. I will let
other, more qualified, people suggest alternatives to the Utah law
proposal.
>
>Brad Biddle, Legal Intern <biddle@acusd.edu>
>Privacy Rights Clearinghouse, Ctr for Public Interest Law
>http://pwa.acusd.edu/~prc
>
>[The views expressed in this article are not necessarily those of the
>Privacy Rights Clearinghouse or the Center for Public Interest Law.]
Regards - Bill
------------------------------------------------------------------------
Bill Frantz | The CDA means | Periwinkle -- Computer Consulting
(408)356-8506 | lost jobs and | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA