From: Robert Hettinga <rah@shipwright.com>
Date: Thu, 25 Sep 1997 22:36:10 +0800
To: cypherpunks@cyberpass.net
Subject: American Banker - National ID - addendum
Message-ID: <v03110759b050212353be@[139.167.130.248]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


X-Sender: rhornbec@counselpop.com
Mime-Version: 1.0
Date:         Thu, 25 Sep 1997 05:59:31 -0500
Reply-To: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
From: Rick Hornbeck <rhornbec@COUNSEL.COM>
Subject:      American Banker - National ID - addendum
To: DIGSIG@VM.TEMPLE.EDU

Either the Temple listserve is automatically limiting the length of my
posts (<gr>)
or I discovered a new e-mail bug. Here is the balance of the
excerpt from the American Banker article I intended to post earlier.

====================

What actions should a certificate authority be required to take in this
imperfect system to certify that X's public key actually is being used by
X? To allow the electronic marketplace to operate effectively and
efficiently, at a minimum certificate authorities must be able to achieve
some level of certainty that if they have prudently conducted the due
diligence required, they cannot be held responsible for fraud or
malfunctions. National Identification Verification Standards-NIVS-would
underscore that there should be only a limited range of actions for which a
certificate authority should be held responsible in an electronic
transaction.

These standards eventually would need to be truly universal because of the
globality and borderlessness of cyberspace. Moreover, such standards could
level the playing field vis-a-vis the different levels of trust that might
otherwise be accorded certificate authorities of various sizes, financial
capacity, name recognition, and national origin.

What should the elements of these national verification standards be? The
more that the system relies on primary "root" documentation (paper or
electronic) certified by the originator, the greater the certainty, albeit
imperfect, that the certificate authority can achieve.

The adoption of an integrated certification data base accessible to all
certificate authorities must also be explored. A network that will allow
each certificate authority to cross-reference digital certificates and
confirm the issuance of multiple certificates to the subscriber will allow
the digital signature market to function more efficiently and safely.

>From a legal point of view, a digital certificate is a form of warranty.
Warranties ascribe and allocate rights in a transaction, a business that
commercial banks happen to understand quite well. But a digital certificate
is not meant and should not be viewed as unlimited insurance for the use of
the certificate or the successful completion of an electronic transaction
facilitated by that certificate.

In that regard, the adoption of these standards might facilitate the
development of a national market for certificate authority errors-and-
omissions insurance. It might also facilitate the creation and operation of
what one observer has called "cybernotaries."

Without uniformity in the authentication process, the efficiencies of
certificates and the effectiveness of electronic commerce will be undercut.
Richard N. Hornbeck
Electronic Commerce Services

"The most important step in arriving at the right answer, is asking the
right question." Albert Einstein ("Al").

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/