1997-06-29 - Re: Secure Authentication

Header Data

From: “Robert A. Costner” <pooh@efga.org>
To: Eric Murray <ericm@lne.com>
Message Hash: 74da89928e63ebdc9fd08d21d98aa99eed1a40b28f96647969bca762f85347c7
Message ID: <3.0.2.32.19970629025104.033fe46c@mail.atl.bellsouth.net>
Reply To: <3.0.2.32.19970627134844.03400910@mail.atl.bellsouth.net>
UTC Datetime: 1997-06-29 07:05:09 UTC
Raw Date: Sun, 29 Jun 1997 15:05:09 +0800

Raw message

From: "Robert A. Costner" <pooh@efga.org>
Date: Sun, 29 Jun 1997 15:05:09 +0800
To: Eric Murray <ericm@lne.com>
Subject: Re: Secure Authentication
In-Reply-To: <3.0.2.32.19970627134844.03400910@mail.atl.bellsouth.net>
Message-ID: <3.0.2.32.19970629025104.033fe46c@mail.atl.bellsouth.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

At 01:26 PM 6/27/97 -0700, Eric Murray wrote:
>And another question is should government be involved at all?
>My answer to that is no, not for the setting of CA policy.
[CA is Certification Authority]

While I wholeheartedly and forcefully agree with Eric's sentiment, the 
business reality is that the gov't will be involved in setting CA policy.  If 
for no other reason, simply because CA's will be used by the gov't.  Even 
from a hands off, pro business viewpoint, few CA's will ignore the wishes of 
their largest customer, the gov't.

The gov't will be involved in CA policy for several reasons.  I'll lightly 
glance on some of them.

 * Beeps and chirps.  Signatures on paper have legal meaning.  This is why 
there is a push to use digital signatures - to give them legal meaning.  
While contract law can be somewhat applied to this concept, many would agree 
that official acknowledgement of digital signatures is a key element of using 
digital signatures in commerce.  A recent case in Georgia's supreme court 
ruled that electronic messages were beeps and chirps, and had no legal status 
as a "writing".  The law continually refers to signatures and writings.  
There must be a law, or interpretation of law to allow for this to be updated 
to electronic writings.  Even if mutual consent could be used between 
corporations, as the state moves to the cost savings of electronic commerce 
the state will have to impose laws to enable itself to take advantage of 
these technologies.

At 01:26 PM 6/27/97 -0700, Eric Murray wrote:
>The biggest problem with CAs and the law is legal liability.  The liability
>of being a CA is currently unknown until there is case law on the topic.

 * Resolving legal liability.  Some of the proposed laws for enabling digital 
signature technology do in fact solve the liability problem for CA's by 
legislating it out as long as the CA performs due diligence.  To enforce due 
diligence, some laws also provide for government auditing of CA procedures 
and for injunctive relief to shut down a "rogue" Certification Authority.

A copy of one such overly bureaucratic 22 page Certification Authority law 
can be found at http://www.efga.org/digsig/lawdraft.html  This is the 
original draft of Georgia's Digital Signature law.  This draft was thrown out 
and rewritten from scratch to form a much better law.  (assuming any law can 
be good)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQBVAwUBM7YF00GpGhRXg5NZAQGnEAH+JRioBgJi2UIK1SkBBtaACNHCsd6nYbyU
Q5/57jni0VV1AejCK7tOCFN1KfPe43dKlnsplBrO+spBf7Lt9j90Mw==
=pAgj
-----END PGP SIGNATURE-----

  -- Robert Costner                  Phone: (770) 512-8746
     Electronic Frontiers Georgia    mailto:pooh@efga.org  
     http://www.efga.org/            run PGP 5.0 for my public key





