Home page logo
/

interesting-people logo Interesting People mailing list archives

IP: Digital Signatures
From: David Farber <farber () cis upenn edu>
Date: Sat, 18 Oct 1997 20:27:10 -0400

--=====================_877235230==_
Content-Type: text/plain; charset="us-ascii"




Date: Sat, 18 Oct 97 14:12:13 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () cis upenn edu
Subject: Digital Signatures


     Dave --
     
     I've written a long piece about some serious legal and international 
     problems I see emerging in the area of digital signatures.  Here's the 
     summary from my web page:
     
           Governments around the world are embracing digital 
           signatures.  Everybody loves this technology.  Oddly, 
           that's the biggest obstacle it faces.  Digital signature 
           technology may be loved to death before it ever gets to 
           really take off.  Stewart Baker looks at growing 
           international regulation of digital signatures, predicts 
           serious problems for the technology as a result of 
           conflicting national laws, and evaluates possible fora for 
           reaching agreement on more coordinated and 
           technology-friendly international rules for digital 
           signatures and certificates.
     
     The web citation is:  http://www.steptoe.com/digsig2.htm.  If you 
     decide you'd rather send out the entire piece, it is attached as a 
     text file.
     
     Stewart


The following is an attached File item from cc:Mail.  It contains
information that had to be encoded to ensure successful transmission
through various mail systems.  To decode the file use the UUDECODE
program.
--------------------------------- Cut Here ---------------------------------










--=====================_877235230==_
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: attachment; filename="digsig.txt"












International Developments Affecting Digital Signatures
by
Stewart A. Baker
Steptoe & Johnson LLP


October 1997




                Governments around the world are embracing digital signatures.  Everybody loves this technology.


                Oddly, that's the biggest obstacle it faces.  Digital signature technology may be loved to death before 
it ever gets to really take off.


        The technology


                Public key cryptography was first described publicly in 1975.  In essence, it relies on the difficulty 
of reversing certain mathematical functions.  For example, multiplying to find a product is easy; factoring to find the 
numbers that were originally multiplied together is hard.  With big enough numbers, I can even keep one number secret 
and publish the other -- without any fear that the secret number can be guessed by an adversary.  Then, everyone in the 
world can look up my public number and use it to encrypt a message that only I can read.  That's the part of the 
public-key revolution that gives NSA and the FBI nightmares.


                But the flip side of that process is just as intriguing -- and may yet become the predominant use of 
public key technology.  If I encrypt a message with my private key, anyone in the world can decrypt it using my public 
key.  That's no way to keep secrets, but it's a great way to tell the world that I and I alone could have sent the 
message.  Since I'm the only one in the world who knows what my private key is, no one else could have written a 
message that can be decrypted using my public key.


It doesn't take a genius to see how useful this technology could be in cyberspace.  It allows us to put highly 
sensitive material on a network, then use digital signatures to restrict access.  What's more, with only a modest 
infrastructure, strangers can do business with strangers all across the globe, using a few digital signatures to 
establish their bona fides.


                What's needed to make this scenario come true is a "trust infrastructure."  In the simplest case, 
suppose a bank issues digital signatures to every one of its customers that has maintained a $10,000 checking balance 
over the past year.  If I want to do business online with another customer of the bank and he sends me a copy of his 
bank-issued digital signature, I can be pretty sure his $5,000 offer is good.


                As a practical matter, the bank will probably issue a public-private key pair to its customers, then 
tell them to store the private key somewhere safe (a 3.5-inch floppy would be good; a chip card would be better).  The 
bank could publish the public key (as well as its own) on the Internet and elsewhere.  However, since they won't want 
to identify their clients as targets for scams or worse, it's more likely that the bank will privately issue a 
certificate, saying "As of October 1, the holder of this private key has maintained a $10,000 checking balance for the 
past year, signed, His Bank."  The customer could then send that certificate to people who needed to know his credit 
was good, and they could rely on it as long as they knew the bank's public key and trusted the bank to tell the truth. 


        Why the technology requires new legal rules


                The efficiencies and security that this system allows are tremendously exciting, but there are a few 
problems.  First, suppose the customer is sloppy with his private key.  He writes the password to his smart card on the 
card and then leaves the card in the washroom.  Now anyone who has the card can use his identity -- and his credit.  To 
deal with that problem, the bank needs to maintain an easily accessible list of stolen or compromised public-private 
key pairs.  This is known as a Certificate Revocation List (CRL).  And to make the system work, anyone who relies on 
digital signatures should check the CRL.


                But this is the real world.  Some people won't check the CRL.  They'll get burned.  They'll blame the 
bank, because it has the most money to pay damages.  They'll sue.  (Thank God, a role for lawyers after the digital 
revolution!)


                Without a law on digital signatures and certificates, no one knows how such a suit will come out.  The 
bank can write a contract with the customer, demanding that he be careful with his private key, perhaps even making him 
liable for his negligence.  But consumer groups would oppose enforcement of such contracts (digital signature buffs 
call this the "Grandma picks a bad password and loses her house" problem).  Even worse from the bank's point of view, 
it doesn't have a contract with the guy who got burned by the compromised signature.  He's just an innocent third party 
who lost money -- by relying on the word of the bank, his lawyer will say.


                Without more legal certainty about how to protect themselves (or how much insurance to buy), companies 
with deep pockets will not want to take that risk.  They'll stay out of the business of issuing digital signatures and 
digital certificates for such transactions.  In fact, for a decade or more, that's pretty much been the story:  Cool 
math confronts corporate legal department; cool math loses.


        How digital signatures are actually being implemented today


                But the technology is too good to be locked up by lawyers forever.  Companies that wanted to use 
digital signature technologies began looking for places where this open-ended liability wasn't a big problem.  They 
found at least two.


                1.      Cheap certificates.  First, they offered certificates with a sweeping disclaimer of any 
liability.  These certificates aren't much good for high-value transactions, but they can be used in a lot of 
circumstances where even a no-liability signature is better than no signature at all.


                Millions of "cheap," liability-free certificates are already in circulation.  The SSL encryption that 
everyone uses for secure Web connections relies in part on digital signatures to identify the server and the browser to 
each other.  No one really guarantees the server's public key, but if it's the same one every time I log on, I can be 
pretty sure that I am dealing with the same server, belonging to the same store, rather than to an online con artist.  
Other Internet-based "cheap" certificates include the "authenticode" certificates used to identify the authors of 
Java-like ActiveX programs.  The certificates offer a modest, but better-than-nothing, security precaution for Internet 
users who are understandably reluctant to let code written by strangers gain access to their computer's operating 
system.


                2.      Closed system certificates.  Second, some digital signature proponents have begun creating 
their own law, by contract.  Any group of companies or individuals that does business in accordance with one or more 
agreements setting forth the liability and other rules that govern their relationships; many of these communicates can 
create a self-contained set of rules to cover digital signatures.  IBM, for example, can issue digital identity 
certificates to all its employees; it can say that they are good for email attribution and for petty cash requests but 
not for private transactions unrelated to work -- or whatever rules it is comfortable with.  Or, in a more exciting 
use, Visa can issue certificates to all its member banks, and they can issue certificates to all their cardholders and 
merchants.  Suddenly, shoppers don't have to type their credit card numbers onto the screen at Amazon.com, and they 
don't have to worry about Internet card number theft.


                Within the preexisting Visa relationships, all those tough liability problems become easy.  Visa simply 
says that using a digital signature won't substantially  change the existing liability rules for any of the system 
participants.  Liability is already covered by an elaborate set of agreements and rules, some driven by long-standing 
government regulations.  (Remember Grandma and her house?  For credit cards, the rule is clear enough inside the United 
States:  if she picks a bad password, she may lose fifty bucks but she won't lose her house.)  In fact, Visa and 
Mastercard have built digital signatures into a Secure Electronic Transaction protocol (SET) that is already being 
implemented in several countries.


        Lawyers to the rescue?


                While all this was going on, the lawyers themselves began to look for legislative solutions.  A 
committee of the American Bar Association led by Michael Baum (now the top lawyer at Verisign) designed a comprehensive 
model law to deal with all the new legal issues arising from digital signatures.  While that work was underway, the 
state of Utah took the plunge, enacting a variant of the ABA draft.  Within three years, more than forty state 
legislatures were contemplating digital signature laws.  So were numerous countries; indeed, by the fall of 1997 
Germany, Malaysia, and Italy already had their own laws, and many more bills were in legislative hoppers around the 
world.


                This should be good news -- lawyers and lawmakers working together to solve a legal problem and enable 
the birth of a new technology.  But it's not.


                As we'll see, it is posing a growing threat to the burgeoning use of low-value certificates and closed 
certificate systems.


                Digital signature laws are often sold to legislators as a way to bring written signature requirements 
into the computer age.  An image is conjured up of computer signatures being rejected by courts insisting on something 
executed with a quill pen.  This is an overstated problem, at least in the United States and for most commercial 
transactions.  Courts have been treating printed telegrams as "signed" documents for a century.  There's nothing about 
a digital signature that makes it a harder legal problem than telegrams -- or telexes, or typed letters, or faxed 
signatures, or a dozen other ways in which real-world commercial actors have lawfully "signed" contracts over the last 
century.


                What digital signatures need -- uniquely -- from the law is certainty about the obligations and rights 
of three parties:


                (1) the keyholder who is identified by the public key and who controls the private key,


                (2) the certifying authority who vouches for the public key and ties it to the identity (or 
creditworthiness, or chess club membership, or whatever) of the keyholder, and


                (3) the relying party who gets the public key and the certificate and who decides to trust the 
certificate.


                The Utah law, and the ABA guidelines, decided to spell out all of these duties in great detail.  In 
particular, to make sure that relying parties could trust certifying authorities (CAs), the Utah law and the ABA called 
for government licensing.  The government would make sure that prospective CAs are trustworthy and that they remain so. 
 It would check the technical and other security measures that CAs use to protect keys and would enforce rules about 
documents CAs should demand before certifying someone's signature.  (Can the CA issue an identity certificate based on 
one piece of identification or must it see three?  Does it have to check the keyholder's address?  And so on.)


                By and large, the Utah bill is also pretty tough on keyholders.  If they aren't careful with their 
private keys, they will lose their houses.  Early boosters of the technology, however, thought the alternative was 
worse:  Relying parties and certifying authorities might refuse to participate in digital signature transactions if 
keyholders could invalidate transactions after the fact by making up a story about having been negligent with their 
keys.


        How many lawmakers does it take to screw up an infrastructure?


                Two problems with the Utah approach only became apparent as digital signature laws began to sweep 
through legislature after legislature.


                1.      Conflicting obligations.  First, not every lawmaker saw the policy issues the way Utah did.  
And the more detailed the legislation, the more room there was for fatal conflicts between state laws, sometimes on the 
most inconsequential points.


                To take one example, both Utah and Washington require a CA to suspend a certificate if the CA gets a 
call from the keyholder saying the private key has been compromised.  (In Utah, the keyholder has a big incentive to 
act fast; he wants that compromised key suspended before somebody sells his house.)


                But to guard against fraud or pranks ("Hey, guys, let's call up the bank and suspend our gym teacher's 
public key."), the CA can't suspend for long without checking to make sure the suspension request really came from the 
keyholder.  Under Utah law, the check has to be done within two days, but the certificate is automatically suspended 
whenever the CA gets a request from someone claiming to be the keyholder.  Under Washington law, the caller can ask for 
a four-day suspension, but the CA can only suspend the certificate if the CA is pretty sure the caller really is the 
keyholder.


                Same basic idea in both states.  But what if you are a CA doing business in both states and you get a 
suspension request from someone who doesn't sound very much like the keyholder?  In Utah, you must suspend; in 
Washington, you can't.  Or suppose the caller asks for three days to come in and verify his identity?  In Utah, you 
can't wait that long; in Washington, you must.  CAs simply can't obey the laws of both states.


                Other states have tried to avoid such problems by writing less detailed laws, leaving a lot to 
regulatory authorities.  But that just postpones the conflicts, and perhaps makes them harder to find.  It does not 
eliminate the likelihood of conflicting regulations.  After all, many of the questions addressed by the Utah law have 
no easy answer.  How much risk should the keyholder bear and how much should fall on the CA?  Different states, and 
certainly different countries, will arrive at different answers to such questions.  But, if CAs must change their 
practice in each country or each state, there will be very few CAs in ten years, and digital signatures will not live 
up to their promise.


                2.      State licensing.  An even bigger potential problem is the solution Utah used to ensure the 
quality of CAs.  Having CAs obtain licenses from the state in exchange for accepting regulation by the state is very 
appealing in many ways.  It is flexible, it allows the state to "back up" the digital signature of a licensed CA with a 
state-issued certificate, and it gives unhappy parties somewhere to go with complaints.


                But what if licensing is mandatory?  Suddenly, many cheap but useful certificates could become too much 
trouble to bother with.  Take the example of a merchant that wants to improve online shopping security by issuing 
customer certificates:  "This certifies that the holder has purchased more than five books at Amazon.com using the name 
'Stewart Baker'."  If Amazon.com can't issue a simple customer certificate without registering in fifty states and 
complying with all the security rules that apply to the high-trust certificates, it will just stop using certificates 
like this.  And we will all have a little less security when we shop online.


                So far, in the United States, licensing has remained voluntary.  If a CA wants the imprimatur of the 
State of Utah, it must register there.  If not, not.  Either way, the CA can lawfully issue certificates to Utah 
residents.  (Actually, there are still some disadvantages that will push many firms into registering in most states, 
but I am ignoring them for simplicity.)


                Not so abroad.  Germany's law contains no savings clause for cheap certificates.  It implies that no 
one may issue certificates without meeting strict standards for security; these standards include a requirement that 
private keys be stored only on a smart card -- they can't be sent over the Internet, and they can't be stored on a 
magnetic stripe card or 3.5-inch floppy.


                If pressed, German authorities sometimes say that they will not punish those who issue "unauthorized 
certificates."  (That seems to be what they are telling the European Commission, which is worried about the 
trade-restricting impact of the German law.)  But privately, some officials say that within three years the licensing 
regime will be mature and unauthorized CAs will be stamped out.  


                In Malaysia, that future is now.  Malaysia's recently enacted digital signature bill makes it clear 
that anyone who issues certificates must register in Malaysia.


                And it is not just cheap but useful certificates that will be affected.  SET, arguably the most 
sweeping and important use of digital signature technology to actually see the light of day, is also harmed by the 
proliferation of registration requirements.  Neither Malaysia nor Germany was willing to make a clear exception in its 
law even for entirely private and consensual uses of digital signatures.


        Why conflicting rules won't go away by themselves


                What's going on here?  Partly, of course, it's just that some governments choose regulatory solutions 
for everything.  In Europe, the idea of letting the market take care of things is viewed with suspicion in the best of 
times.  It sounds even less plausible coming from the same Internet advocates who cheerfully proclaim that national 
borders are just speed bumps on the information highway and that important national policies -- on distribution of 
pornography, on wiretapping, and a host of other issues -- will soon be rendered unenforceable by a global market.


                Worse, many other nations fear that such statements are just a disguised bid for American domination:  
"Leave it to the market, where our companies have an enormous lead."  So government regulation looks to these nations 
as a cheap way to even up the odds; whatever competitive problems local technology companies may have in other arenas, 
they surely know more than Americans about working successfully with local authorities.


                Then, too, the case for regulation gets stronger as the stakes get higher.  If the main use for digital 
signatures will be for a national identity card that includes bank account access, the companies issuing those 
certificates had better be watched closely.  If legislators don't know much about other uses of digital signature 
technology, or if a digital signature law is being jammed through the legislature by a few interested parties under the 
guise of "modernizing signature requirements," it isn't likely that closed systems or inexpensive certificates will get 
much attention from the legislative drafters.


                Whatever the motivation for this outburst of regulatory zeal, the results will likely be a disaster for 
implementation of a public key infrastructure.  Even if they might be able to get an exemption from most laws, users 
and issuers of cheap certificates can't stand even a remote prospect of liability in a handful of countries.  Rather 
than register, they'll find weaker, less-regulated alternatives to digital signatures -- or they'll do without 
entirely.  The same goes for "closed system" users of digital signatures.  Burgeoning regulations that are not tailored 
to their private certificate system will create disincentives for credit card companies to use digital signatures.  In 
short, this outbreak of regulatory enthusiasm is likely to make digital signatures much rarer and much riskier for 
prospective certificate authorities.


        What Should the United States Do?


                The next question is what U.S. policymakers should do to avoid this train wreck.


                Inside the United States, efforts to write a uniform state law that would resolve some of these issues 
are moving forward, but slowly.  There are honest disagreements about how much liability to assign to the parties to a 
transaction and how much "freedom of contract" should be recognized in a complex field with major implications for 
consumers.  So even if a uniform law is agreed upon, it may not exactly sweep the nation.


                That's why there's support for at least a limited form of preemption by the federal government, perhaps 
just a list of things that states will not do, like imposing their rules on otherwise valid "closed" systems or 
requiring even issuers of low-value certificates to register as CAs.  That might be enough, for example, to reassure 
financial institutions and others that they can use digital signatures to secure payment systems without fear of being 
surprised by new state liabilities.


                But there is no preemption in the international sphere.  There, uniformity can be achieved only if 
states are persuaded to adopt the same rules.  Usually, this takes the form of bilateral or multilateral negotiations 
resulting in a treaty or other agreement.  But there are at least two other models as wellOECD.  The Organization for 
Economic Cooperation and Development (OECD) specializes in nonbinding, consensual codes of conduct and guidelines.  
These are developed by the world's richest nations to coordinate policies on a variety of topics from privacy to 
cryptography.


                OECD has recently released a paper on issues raised by international certification, and it shows some 
of OECD's strengths and weaknesses as a forum.  To bolster its claim to address the digital signature issue, OECD notes 
that it has already done extensive work on privacy and on cryptography guidelines.  Both are related to digital 
signatures, the report suggests.  That's because digital signatures allow extensive tracking of individuals and because 
the technology is closely tied to encryption and the law-enforcement-access debate that dominated the OECD's 
deliberations on cryptography.


                This observation is a distinctly two-edged sword for OECD.  Both the privacy and the cryptography 
guidelines were a source of continued and bitter controversy.  Digital signatures do not have to be dragged into either 
debate, but handing the problem to the OECD more or less guarantees a replay of past three-way battles between 
government, industry, and privacy advocates.


                UNCITRAL.  The United Nations Commission on International Trade and Law (UNCITRAL) plays a 
consensus-building role for a larger audience -- UN members.  In addition, its products tend to be more specific and 
less controversial, focusing on achieving technical consensus on the language of model laws or conventions to regulate 
aspects of international trade -- international arbitration, international sale of goods, and the like.


                UNCITRAL already has a concrete record of achievement on technical legal issues affecting digital 
signatures.  It has released a model law on electronic commerce; this law treats digital (and other electronic) 
signatures attached to a message as valid and binding, so long as the method of "signing" was "as reliable as 
appropriate for the purpose for which the data message was generated or communicated."  See UNCITRAL Model Law on 
Electronic Commerce, Article 7.


                Although the Model Law by itself lays to rest any questions about the validity of digital signatures 
for purposes of commercial transactions, UNCITRAL recognized that digital signatures and public key infrastructure 
raise legal issues going well beyond this point.  For that reason, UNCITRAL has already begun work on a model law (or 
some other instrument) to deal with certification authorities.  Unfortunately, the work done so far suggests that 
UNCITRAL's efforts could easily fail to produce a consensus.  Thus, it is not clear that the UNCITRAL efforts will in 
fact provide the kind of relief and assurance of legality needed by producers of inexpensive certificates and "closed" 
systems that use digital signatures (for more on these uses of digital signatures, see my background paper).


                The most recent meeting of an experts group made some progress in limiting the most egregiously 
regulatory language.  But it also revealed that at least Germany -- and perhaps also France, the United Kingdom, Italy, 
and other Europeans -- are wedded in varying degrees to the notion that certification services are too important to be 
left to the private market.  What is more, there is only modest sympathy for private, closed systems using digital 
signatures and virtually none for issuers of "cheap certs."


        What is the right forum?


                Unfortunately, it is becoming increasingly likely that serious differences will arise internationally 
between countries enamored of the high-regulation, high-trust model and those more open to market developments in 
digital signature use.  This opens the door to protectionism and discrimination.


                UNCITRAL is an unlikely place to combat such tendencies.  It does not have a tradition of brokering 
trade disputes.  OECD is a more plausible forum for addressing such differences, but its process yields only 
guidelines, not binding agreement.


                Are there other fora?  Perhaps.  The WTO has some claim to jurisdiction over trade in services but it 
lacks a clear framework for resolving this matter.  More interestingly, the U.S. federal government and the European 
Commission -- usually antagonists on trade -- may have some common interests here.  Both are concerned that excessive 
regulation of digital signatures will lead to inconsistent standards and discrimination within their boundaries.  And 
both have been a bit left out as their constituent parts raced to define new regulatory schemes.  While there are 
pitfalls, the U.S. and the EU might be able to reach a quick understanding on at least some basic rules to discipline 
the digital signature laws of their constituent states.
 


        


        






        - 2 -


 




--=====================_877235230==_--






**************************************************
"Photons have neither morals nor visas"  --  Dave Farber 1994
**************************************************


  By Date           By Thread  

Current thread:
  • IP: Digital Signatures David Farber (Oct 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]