IP: Digital Signatures
From: David Farber <farber () cis upenn edu>
Date: Sat, 18 Oct 1997 20:27:10 -0400
Date: Sat, 18 Oct 97 14:12:13 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () cis upenn edu
Subject: Digital Signatures
I've written a long piece about some serious legal and international
problems I see emerging in the area of digital signatures. Here's the
summary from my web page:
Governments around the world are embracing digital
signatures. Everybody loves this technology. Oddly,
that's the biggest obstacle it faces. Digital signature
technology may be loved to death before it ever gets to
really take off. Stewart Baker looks at growing
international regulation of digital signatures, predicts
serious problems for the technology as a result of
conflicting national laws, and evaluates possible fora for
reaching agreement on more coordinated and
technology-friendly international rules for digital
signatures and certificates.
The web citation is: http://www.steptoe.com/digsig2.htm. If you
decide you'd rather send out the entire piece, it is attached as a
Content-Disposition: attachment; filename="digsig.txt"
International Developments Affecting Digital Signatures
Stewart A. Baker
Steptoe & Johnson LLP
Governments around the world are embracing digital signatures. Everybody loves this technology.
Oddly, that's the biggest obstacle it faces. Digital signature technology may be loved to death before
it ever gets to really take off.
Public key cryptography was first described publicly in 1975. In essence, it relies on the difficulty
of reversing certain mathematical functions. For example, multiplying to find a product is easy; factoring to find the
numbers that were originally multiplied together is hard. With big enough numbers, I can even keep one number secret
and publish the other -- without any fear that the secret number can be guessed by an adversary. Then, everyone in the
world can look up my public number and use it to encrypt a message that only I can read. That's the part of the
public-key revolution that gives NSA and the FBI nightmares.
But the flip side of that process is just as intriguing -- and may yet become the predominant use of
public key technology. If I encrypt a message with my private key, anyone in the world can decrypt it using my public
key. That's no way to keep secrets, but it's a great way to tell the world that I and I alone could have sent the
message. Since I'm the only one in the world who knows what my private key is, no one else could have written a
message that can be decrypted using my public key.
It doesn't take a genius to see how useful this technology could be in cyberspace. It allows us to put highly
sensitive material on a network, then use digital signatures to restrict access. What's more, with only a modest
infrastructure, strangers can do business with strangers all across the globe, using a few digital signatures to
establish their bona fides.
What's needed to make this scenario come true is a "trust infrastructure." In the simplest case,
suppose a bank issues digital signatures to every one of its customers that has maintained a $10,000 checking balance
over the past year. If I want to do business online with another customer of the bank and he sends me a copy of his
bank-issued digital signature, I can be pretty sure his $5,000 offer is good.
As a practical matter, the bank will probably issue a public-private key pair to its customers, then
tell them to store the private key somewhere safe (a 3.5-inch floppy would be good; a chip card would be better). The
bank could publish the public key (as well as its own) on the Internet and elsewhere. However, since they won't want
to identify their clients as targets for scams or worse, it's more likely that the bank will privately issue a
certificate, saying "As of October 1, the holder of this private key has maintained a $10,000 checking balance for the
past year, signed, His Bank." The customer could then send that certificate to people who needed to know his credit
was good, and they could rely on it as long as they knew the bank's public key and trusted the bank to tell the truth.
Why the technology requires new legal rules
The efficiencies and security that this system allows are tremendously exciting, but there are a few
problems. First, suppose the customer is sloppy with his private key. He writes the password to his smart card on the
card and then leaves the card in the washroom. Now anyone who has the card can use his identity -- and his credit. To
deal with that problem, the bank needs to maintain an easily accessible list of stolen or compromised public-private
key pairs. This is known as a Certificate Revocation List (CRL). And to make the system work, anyone who relies on
digital signatures should check the CRL.
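To make the relationship described earlier (sign with the private key, let anyone verify with the public key) and the bank certificate plus CRL check above concrete, here is an added example in Python. It is not part of Baker's piece or of any product the piece names. It uses textbook RSA with deliberately tiny constructed primes, a bare SHA-256 digest in place of real signature padding, and a made-up certificate encoding; the function names, the bank's statement text and the $5,000 offer string are all assumptions for illustration.

```python
import hashlib

# Constructed toy keys: these primes are far too small for real use and
# exist only to make the sign/verify relationship visible in a few lines.
CUSTOMER_PRIMES = (1000003, 1000033)
BANK_PRIMES = (1000037, 1000039)


def make_keypair(p, q, e=65537):
    """Textbook RSA: public (n, e), private (n, d) with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """'Encrypt with the private key': only the holder of d can produce this."""
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """'Decrypt with the public key': anyone can check, nobody else can forge."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def cert_bytes(subject_pub, statement: str, as_of: str) -> bytes:
    """Canonical encoding of the certificate fields the issuer signs (assumed format)."""
    n, e = subject_pub
    return f"{n}|{e}|{statement}|{as_of}".encode()


def issue_certificate(issuer_priv, subject_pub, statement: str, as_of: str) -> dict:
    """The bank vouches, with its own signature, for the customer's public key."""
    body = cert_bytes(subject_pub, statement, as_of)
    return {"subject_pub": subject_pub, "statement": statement,
            "as_of": as_of, "issuer_sig": sign(issuer_priv, body)}


def check_certificate(cert: dict, issuer_pub, crl) -> str:
    """Relying-party check: the issuer's signature first, then the revocation list.

    `crl` is a set of revoked public keys (n, e): the compromised key pairs the
    text says the bank must publish, keyed by the half the relying party sees.
    """
    body = cert_bytes(cert["subject_pub"], cert["statement"], cert["as_of"])
    if not verify(issuer_pub, body, cert["issuer_sig"]):
        return "bad-issuer-signature"
    if cert["subject_pub"] in crl:
        return "revoked"
    return "valid"


def accept_offer(cert: dict, offer: bytes, offer_sig: int, issuer_pub, crl) -> str:
    """Full relying-party decision for a signed offer that arrives with a certificate."""
    status = check_certificate(cert, issuer_pub, crl)
    if status != "valid":
        return status
    if not verify(cert["subject_pub"], offer, offer_sig):
        return "bad-offer-signature"
    return "accepted"


if __name__ == "__main__":
    cust_pub, cust_priv = make_keypair(*CUSTOMER_PRIMES)
    bank_pub, bank_priv = make_keypair(*BANK_PRIMES)
    cert = issue_certificate(
        bank_priv, cust_pub,
        "holder has maintained a $10,000 checking balance for the past year",
        "1997-10-01")
    offer = b"I offer $5,000 for lot 17"   # constructed sample message
    sig = sign(cust_priv, offer)
    print(accept_offer(cert, offer, sig, bank_pub, crl=set()))          # accepted
    print(accept_offer(cert, offer + b"0", sig, bank_pub, crl=set()))   # bad-offer-signature
    # Card left in the washroom: the bank revokes the key. Only a relying
    # party that actually consults the CRL notices.
    print(accept_offer(cert, offer, sig, bank_pub, crl={cust_pub}))     # revoked
```

The last two calls are the point of the paragraph above: a relying party that passes an empty set (that is, never fetches the CRL) still gets "accepted" for the stolen key, while one that checks gets "revoked". The bank's signature on the certificate is what lets a stranger trust the $10,000 statement without ever talking to the bank, provided it knows the bank's public key.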
But this is the real world. Some people won't check the CRL. They'll get burned. They'll blame the
bank, because it has the most money to pay damages. They'll sue. (Thank God, a role for lawyers after the digital
Without a law on digital signatures and certificates, no one knows how such a suit will come out. The
bank can write a contract with the customer, demanding that he be careful with his private key, perhaps even making him
liable for his negligence. But consumer groups would oppose enforcement of such contracts (digital signature buffs
call this the "Grandma picks a bad password and loses her house" problem). Even worse from the bank's point of view,
it doesn't have a contract with the guy who got burned by the compromised signature. He's just an innocent third party
who lost money -- by relying on the word of the bank, his lawyer will say.
Without more legal certainty about how to protect themselves (or how much insurance to buy), companies
with deep pockets will not want to take that risk. They'll stay out of the business of issuing digital signatures and
digital certificates for such transactions. In fact, for a decade or more, that's pretty much been the story: Cool
math confronts corporate legal department; cool math loses.
How digital signatures are actually being implemented today
But the technology is too good to be locked up by lawyers forever. Companies that wanted to use
digital signature technologies began looking for places where this open-ended liability wasn't a big problem. They
found at least two.
1. Cheap certificates. First, they offered certificates with a sweeping disclaimer of any
liability. These certificates aren't much good for high-value transactions, but they can be used in a lot of
circumstances where even a no-liability signature is better than no signature at all.
Millions of "cheap," liability-free certificates are already in circulation. The SSL encryption that
everyone uses for secure Web connections relies in part on digital signatures to identify the server and the browser to
each other. No one really guarantees the server's public key, but if it's the same one every time I log on, I can be
pretty sure that I am dealing with the same server, belonging to the same store, rather than to an online con artist.
Other Internet-based "cheap" certificates include the "authenticode" certificates used to identify the authors of
Java-like ActiveX programs. The certificates offer a modest, but better-than-nothing, security precaution for Internet
users who are understandably reluctant to let code written by strangers gain access to their computer's operating
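The "same public key every time I log on" reasoning above is a key-continuity (trust-on-first-use) check rather than a vouched-for identity. The following added Python example, which is not from Baker's piece or from any browser or product it names, shows what such a check can and cannot decide: the store name, key bytes and result labels are constructed for illustration.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a server's public key bytes (any fixed encoding)."""
    return hashlib.sha256(public_key).hexdigest()


class KeyContinuityStore:
    """Remember the first key seen for each server and flag later changes.

    Nobody guarantees the key on first contact, so "first-seen" says nothing
    about who the server is; only later sessions can be compared to it.
    """

    def __init__(self):
        self.known = {}  # host -> fingerprint recorded on first contact

    def observe(self, host: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        previous = self.known.get(host)
        if previous is None:
            self.known[host] = fp
            return "first-seen"   # nothing to compare against yet
        if previous == fp:
            return "same-key"     # same server as before, as far as this check can tell
        return "key-changed"      # possible impostor, or a legitimate key rotation


if __name__ == "__main__":
    store = KeyContinuityStore()
    # Constructed sample keys standing in for the real server key bytes.
    print(store.observe("shop.example", b"SERVER-KEY-A"))   # first-seen
    print(store.observe("shop.example", b"SERVER-KEY-A"))   # same-key
    print(store.observe("shop.example", b"SERVER-KEY-B"))   # key-changed
```

A "key-changed" result cannot distinguish a con artist from a store that simply replaced its key, which is exactly why the text calls these certificates cheap: the check gives continuity, not identity, and a relying party has to decide for itself what to do on a change.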
2. Closed system certificates. Second, some digital signature proponents have begun creating
their own law, by contract. Any group of companies or individuals that does business in accordance with one or more
agreements setting forth the liability and other rules that govern their relationships forms a community of sorts, and
many of these communities can create a self-contained set of rules to cover digital signatures. IBM, for example, can issue digital identity
certificates to all its employees; it can say that they are good for email attribution and for petty cash requests but
not for private transactions unrelated to work -- or whatever rules it is comfortable with. Or, in a more exciting
use, Visa can issue certificates to all its member banks, and they can issue certificates to all their cardholders and
merchants. Suddenly, shoppers don't have to type their credit card numbers onto the screen at Amazon.com, and they
don't have to worry about Internet card number theft.
Within the preexisting Visa relationships, all those tough liability problems become easy. Visa simply
says that using a digital signature won't substantially change the existing liability rules for any of the system
participants. Liability is already covered by an elaborate set of agreements and rules, some driven by long-standing
government regulations. (Remember Grandma and her house? For credit cards, the rule is clear enough inside the United
States: if she picks a bad password, she may lose fifty bucks but she won't lose her house.) In fact, Visa and
Mastercard have built digital signatures into a Secure Electronic Transaction protocol (SET) that is already being
implemented in several countries.
Lawyers to the rescue?
While all this was going on, the lawyers themselves began to look for legislative solutions. A
committee of the American Bar Association led by Michael Baum (now the top lawyer at Verisign) designed a comprehensive
model law to deal with all the new legal issues arising from digital signatures. While that work was underway, the
state of Utah took the plunge, enacting a variant of the ABA draft. Within three years, more than forty state
legislatures were contemplating digital signature laws. So were numerous countries; indeed, by the fall of 1997
Germany, Malaysia, and Italy already had their own laws, and many more bills were in legislative hoppers around the
This should be good news -- lawyers and lawmakers working together to solve a legal problem and enable
the birth of a new technology. But it's not.
As we'll see, it is posing a growing threat to the burgeoning use of low-value certificates and closed
Digital signature laws are often sold to legislators as a way to bring written signature requirements
into the computer age. An image is conjured up of computer signatures being rejected by courts insisting on something
executed with a quill pen. This is an overstated problem, at least in the United States and for most commercial
transactions. Courts have been treating printed telegrams as "signed" documents for a century. There's nothing about
a digital signature that makes it a harder legal problem than telegrams -- or telexes, or typed letters, or faxed
signatures, or a dozen other ways in which real-world commercial actors have lawfully "signed" contracts over the last
What digital signatures need -- uniquely -- from the law is certainty about the obligations and rights
of three parties:
(1) the keyholder who is identified by the public key and who controls the private key,
(2) the certifying authority who vouches for the public key and ties it to the identity (or
creditworthiness, or chess club membership, or whatever) of the keyholder, and
(3) the relying party who gets the public key and the certificate and who decides to trust the
The Utah law, and the ABA guidelines, decided to spell out all of these duties in great detail. In
particular, to make sure that relying parties could trust certifying authorities (CAs), the Utah law and the ABA called
for government licensing. The government would make sure that prospective CAs are trustworthy and that they remain so.
It would check the technical and other security measures that CAs use to protect keys and would enforce rules about
documents CAs should demand before certifying someone's signature. (Can the CA issue an identity certificate based on
one piece of identification or must it see three? Does it have to check the keyholder's address? And so on.)
By and large, the Utah bill is also pretty tough on keyholders. If they aren't careful with their
private keys, they will lose their houses. Early boosters of the technology, however, thought the alternative was
worse: Relying parties and certifying authorities might refuse to participate in digital signature transactions if
keyholders could invalidate transactions after the fact by making up a story about having been negligent with their
How many lawmakers does it take to screw up an infrastructure?
Two problems with the Utah approach only became apparent as digital signature laws began to sweep
through legislature after legislature.
1. Conflicting obligations. First, not every lawmaker saw the policy issues the way Utah did.
And the more detailed the legislation, the more room there was for fatal conflicts between state laws, sometimes on the
most inconsequential points.
To take one example, both Utah and Washington require a CA to suspend a certificate if the CA gets a
call from the keyholder saying the private key has been compromised. (In Utah, the keyholder has a big incentive to
act fast; he wants that compromised key suspended before somebody sells his house.)
But to guard against fraud or pranks ("Hey, guys, let's call up the bank and suspend our gym teacher's
public key."), the CA can't suspend for long without checking to make sure the suspension request really came from the
keyholder. Under Utah law, the check has to be done within two days, but the certificate is automatically suspended
whenever the CA gets a request from someone claiming to be the keyholder. Under Washington law, the caller can ask for
a four-day suspension, but the CA can only suspend the certificate if the CA is pretty sure the caller really is the
Same basic idea in both states. But what if you are a CA doing business in both states and you get a
suspension request from someone who doesn't sound very much like the keyholder? In Utah, you must suspend; in
Washington, you can't. Or suppose the caller asks for three days to come in and verify his identity? In Utah, you
can't wait that long; in Washington, you must. CAs simply can't obey the laws of both states.
Other states have tried to avoid such problems by writing less detailed laws, leaving a lot to
regulatory authorities. But that just postpones the conflicts, and perhaps makes them harder to find. It does not
eliminate the likelihood of conflicting regulations. After all, many of the questions addressed by the Utah law have
no easy answer. How much risk should the keyholder bear and how much should fall on the CA? Different states, and
certainly different countries, will arrive at different answers to such questions. But, if CAs must change their
practice in each country or each state, there will be very few CAs in ten years, and digital signatures will not live
up to their promise.
2. State licensing. An even bigger potential problem is the solution Utah used to ensure the
quality of CAs. Having CAs obtain licenses from the state in exchange for accepting regulation by the state is very
appealing in many ways. It is flexible, it allows the state to "back up" the digital signature of a licensed CA with a
state-issued certificate, and it gives unhappy parties somewhere to go with complaints.
But what if licensing is mandatory? Suddenly, many cheap but useful certificates could become too much
trouble to bother with. Take the example of a merchant that wants to improve online shopping security by issuing
customer certificates: "This certifies that the holder has purchased more than five books at Amazon.com using the name
'Stewart Baker'." If Amazon.com can't issue a simple customer certificate without registering in fifty states and
complying with all the security rules that apply to the high-trust certificates, it will just stop using certificates
like this. And we will all have a little less security when we shop online.
So far, in the United States, licensing has remained voluntary. If a CA wants the imprimatur of the
State of Utah, it must register there. If not, not. Either way, the CA can lawfully issue certificates to Utah
residents. (Actually, there are still some disadvantages that will push many firms into registering in most states,
but I am ignoring them for simplicity.)
Not so abroad. Germany's law contains no savings clause for cheap certificates. It implies that no
one may issue certificates without meeting strict standards for security; these standards include a requirement that
private keys be stored only on a smart card -- they can't be sent over the Internet, and they can't be stored on a
magnetic stripe card or 3.5-inch floppy.
If pressed, German authorities sometimes say that they will not punish those who issue "unauthorized
certificates." (That seems to be what they are telling the European Commission, which is worried about the
trade-restricting impact of the German law.) But privately, some officials say that within three years the licensing
regime will be mature and unauthorized CAs will be stamped out.
In Malaysia, that future is now. Malaysia's recently enacted digital signature bill makes it clear
that anyone who issues certificates must register in Malaysia.
And it is not just cheap but useful certificates that will be affected. SET, arguably the most
sweeping and important use of digital signature technology to actually see the light of day, is also harmed by the
proliferation of registration requirements. Neither Malaysia nor Germany was willing to make a clear exception in its
law even for entirely private and consensual uses of digital signatures.
Why conflicting rules won't go away by themselves
What's going on here? Partly, of course, it's just that some governments choose regulatory solutions
for everything. In Europe, the idea of letting the market take care of things is viewed with suspicion in the best of
times. It sounds even less plausible coming from the same Internet advocates who cheerfully proclaim that national
borders are just speed bumps on the information highway and that important national policies -- on distribution of
pornography, on wiretapping, and a host of other issues -- will soon be rendered unenforceable by a global market.
Worse, many other nations fear that such statements are just a disguised bid for American domination:
"Leave it to the market, where our companies have an enormous lead." So government regulation looks to these nations
as a cheap way to even up the odds; whatever competitive problems local technology companies may have in other arenas,
they surely know more than Americans about working successfully with local authorities.
Then, too, the case for regulation gets stronger as the stakes get higher. If the main use for digital
signatures will be for a national identity card that includes bank account access, the companies issuing those
certificates had better be watched closely. If legislators don't know much about other uses of digital signature
technology, or if a digital signature law is being jammed through the legislature by a few interested parties under the
guise of "modernizing signature requirements," it isn't likely that closed systems or inexpensive certificates will get
much attention from the legislative drafters.
Whatever the motivation for this outburst of regulatory zeal, the results will likely be a disaster for
implementation of a public key infrastructure. Even if they might be able to get an exemption from most laws, users
and issuers of cheap certificates can't stand even a remote prospect of liability in a handful of countries. Rather
than register, they'll find weaker, less-regulated alternatives to digital signatures -- or they'll do without
entirely. The same goes for "closed system" users of digital signatures. Burgeoning regulations that are not tailored
to their private certificate system will create disincentives for credit card companies to use digital signatures. In
short, this outbreak of regulatory enthusiasm is likely to make digital signatures much rarer and much riskier for
prospective certificate authorities.
What Should the United States Do?
The next question is what U.S. policymakers should do to avoid this train wreck.
Inside the United States, efforts to write a uniform state law that would resolve some of these issues
are moving forward, but slowly. There are honest disagreements about how much liability to assign to the parties to a
transaction and how much "freedom of contract" should be recognized in a complex field with major implications for
consumers. So even if a uniform law is agreed upon, it may not exactly sweep the nation.
That's why there's support for at least a limited form of preemption by the federal government, perhaps
just a list of things that states will not do, like imposing their rules on otherwise valid "closed" systems or
requiring even issuers of low-value certificates to register as CAs. That might be enough, for example, to reassure
financial institutions and others that they can use digital signatures to secure payment systems without fear of being
surprised by new state liabilities.
But there is no preemption in the international sphere. There, uniformity can be achieved only if
states are persuaded to adopt the same rules. Usually, this takes the form of bilateral or multilateral negotiations
resulting in a treaty or other agreement. But there are at least two other models as well.
OECD. The Organization for Economic Cooperation and Development (OECD) specializes in nonbinding, consensual codes of
conduct and guidelines.
These are developed by the world's richest nations to coordinate policies on a variety of topics from privacy to
OECD has recently released a paper on issues raised by international certification, and it shows some
of OECD's strengths and weaknesses as a forum. To bolster its claim to address the digital signature issue, OECD notes
that it has already done extensive work on privacy and on cryptography guidelines. Both are related to digital
signatures, the report suggests. That's because digital signatures allow extensive tracking of individuals and because
the technology is closely tied to encryption and the law-enforcement-access debate that dominated the OECD's
deliberations on cryptography.
This observation is a distinctly two-edged sword for OECD. Both the privacy and the cryptography
guidelines were a source of continued and bitter controversy. Digital signatures do not have to be dragged into either
debate, but handing the problem to the OECD more or less guarantees a replay of past three-way battles between
government, industry, and privacy advocates.
UNCITRAL. The United Nations Commission on International Trade and Law (UNCITRAL) plays a
consensus-building role for a larger audience -- UN members. In addition, its products tend to be more specific and
less controversial, focusing on achieving technical consensus on the language of model laws or conventions to regulate
aspects of international trade -- international arbitration, international sale of goods, and the like.
UNCITRAL already has a concrete record of achievement on technical legal issues affecting digital
signatures. It has released a model law on electronic commerce; this law treats digital (and other electronic)
signatures attached to a message as valid and binding, so long as the method of "signing" was "as reliable as
appropriate for the purpose for which the data message was generated or communicated." See UNCITRAL Model Law on
Electronic Commerce, Article 7.
Although the Model Law by itself lays to rest any questions about the validity of digital signatures
for purposes of commercial transactions, UNCITRAL recognized that digital signatures and public key infrastructure
raise legal issues going well beyond this point. For that reason, UNCITRAL has already begun work on a model law (or
some other instrument) to deal with certification authorities. Unfortunately, the work done so far suggests that
UNCITRAL's efforts could easily fail to produce a consensus. Thus, it is not clear that the UNCITRAL efforts will in
fact provide the kind of relief and assurance of legality needed by producers of inexpensive certificates and "closed"
systems that use digital signatures (for more on these uses of digital signatures, see my background paper).
The most recent meeting of an experts group made some progress in limiting the most egregiously
regulatory language. But it also revealed that at least Germany -- and perhaps also France, the United Kingdom, Italy,
and other Europeans -- are wedded in varying degrees to the notion that certification services are too important to be
left to the private market. What is more, there is only modest sympathy for private, closed systems using digital
signatures and virtually none for issuers of "cheap certs."
What is the right forum?
Unfortunately, it is becoming increasingly likely that serious differences will arise internationally
between countries enamored of the high-regulation, high-trust model and those more open to market developments in
digital signature use. This opens the door to protectionism and discrimination.
UNCITRAL is an unlikely place to combat such tendencies. It does not have a tradition of brokering
trade disputes. OECD is a more plausible forum for addressing such differences, but its process yields only
guidelines, not binding agreement.
Are there other fora? Perhaps. The WTO has some claim to jurisdiction over trade in services but it
lacks a clear framework for resolving this matter. More interestingly, the U.S. federal government and the European
Commission -- usually antagonists on trade -- may have some common interests here. Both are concerned that excessive
regulation of digital signatures will lead to inconsistent standards and discrimination within their boundaries. And
both have been a bit left out as their constituent parts raced to define new regulatory schemes. While there are
pitfalls, the U.S. and the EU might be able to reach a quick understanding on at least some basic rules to discipline
the digital signature laws of their constituent states.
"Photons have neither morals nor visas" -- Dave Farber 1994