[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PKI in court [was: Certificate suspension]

To: ietf-pkix@xxxxxxx
Subject: PKI in court [was: Certificate suspension]
From: Stephen Wilson <swilson@xxxxxxxxxxxxxxx>
Date: Mon, 28 Jan 2008 12:19:15 +1100
In-reply-to: <D45B34A8-E222-4BDF-9C1C-706AB26CC2FD@xxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Lockstep
References: <1A3F46F5DD089944AFEA613D454D707301C451DB@xxxxxxxxxxxxxxxxxxxxxxx> <479B5C42.9010204@xxxxxxxxxxx> <> <479BD909.7080408@xxxxxxxxxxxxxxx> <D45B34A8-E222-4BDF-9C1C-706AB26CC2FD@xxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)



Eric Norman wrote:

Since we're talking about court cases here, it's not obvious to me that
the court would even care about whether certificates used for signing
were valid at signing time.  The only things a court might care about
is whether the signer had the *intent* to sign, or the signature was
under duress, or something like that.

I have a suspicion, and hope, that these attempts to design "electronic
justice" result in nothing more than discussions on mailing lists.


I don't know about hoping these discussions go nowhere ;-)

But I agree with the implication that 'designing electronic justice' isproblematic. In my view, too many of the PKI-in-court discussions seemto be devoid of context. Famously, Jane Winn years ago lampooned theidea of forming contracts on line using digital signatures -- but Ithink she was looking at the special case (the very special case) ofstranger-to-stranger business.

Certificate subjects tend not to use their keys in a vacuum; when theysign things, there is plenty of context apart from their certificate. Toimagine that a court case might turn on the certificate and private keyalone I think is utterly academic.

It is better to realise that certificates are always used as part ofsome defined scheme (we should heed the practical experience that allmost if not all successful individual certificate programs are "closed"or vertical). Certificates are not usually presented to Relying Partiesby total strangers (and if they are, they should be ignored, just as wewould tend to ignore an unexpected order sent to us by an unknown partyon plain paper, even if it is signed by hand). Instead certificates aregenerally used to automate transactions between parties that eitheralready know each other, or else recognise one another's credentials andcapacity to act in the transaction at hand. There isn't a lot of"serious" use of certificates in vanilla e-mail applications. Rather,"serious" certificates are used in the context of special purposesoftware (e.g. medical software applications, e-conveyancing, governmentforms, trade documentation etc.) or are embedded in dedicated systemslike smartcards, e-passports, set-top boxes, and Skype.

In these sorts of contexts, I think that when disputes get as far as acourt, they are usually concerned with much more prosaic matters, likeproduct failures, product liability, user interface design, and contracts.


Cheers,

Stephen Wilson
www.lockstep.com.au.

References:
- RE: Certificate suspension
  - From: Bechlaghem, Malek
- Re: Certificate suspension
  - From: Alfredo Esposito
- Re: Certificate suspension
  - From: Anders Rundgren
- Re: Certificate suspension
  - From: Stephen Wilson
- Re: Certificate suspension
  - From: Eric Norman

Prev by Date: launa
Previous by thread: Re: Certificate suspension
Next by thread: rfc3280bis change requested
Index(es):
- Date
- Thread