Re: relying-party contract

["C. Bradford Biddle" <biddle@xxxxxxxxxxxxx>]

I thought I'd de-lurk (uncloak?) from the PKIX list momentarily to chime
in on this topic. As someone coming to the PKI issue from a legal
perspective, I heartily concur with the view that there has been
inadequate cross-fertilization between the legal and technology
communities concerning PKI. This fact is rather striking, really, when you
consider how inexorably linked legal and technical issues are in this
area.

The one truly public list that I'm aware of that addresses legal issues
related to a PKI is caldigsig@commerce.net, but the scope of that list is
theoretically limited to the California digital signature legislation and
newly-released regulations. Nonetheless, for anyone interested, the
relevant info is: "send a mail message to
'ca-digsig-request@lists.commerce.net' with 'help' (no quotations) 
contained in the body of your message." 

The few other legal-oriented lists that I'm aware of where PKI issues are
discussed are closed lists -- i.e., lists associated with particular
American Bar Association committees, that sort of thing.  There's a list
run by the state of Texas which focuses on the efforts of NASIRE (I think
the acronym stands for "the National Association of State Information
Resource Executives") to develop accreditation standards for certification
authorities; this list could be characterized as "semi-public", I suppose. 
(I could provide subscription info privately if anyone's interested.) So,
I think that a public list which addressed PKI legal and policy issues,
and which integrated legal and technical discussions, could be interesting
and useful.

While I'm at it, I thought I'd mention a draft article I recently
completed which does address -- at least peripherally -- some of the
issues which Dwight Arthur raised.  I've appended the introduction to the
article below; the full article (18 double-spaced pages) is available at:

<http://www.acusd.edu/~biddle/LMW.htm> 

or you can start at my home page at:

<http://www.acusd.edu/~biddle>. 

The article is going to be printed in the summer issue of the World Wide
Web Journal in largely its current form. However, the San Diego Law Review
has offered me a slot for an article in their upcoming Internet Symposium
issue, and I'm planning on expanding this current article into a law
review piece for that issue. Thus I'm very interested in receiving
feedback and criticism as I develop this expanded article (June 30 is the
deadline for my next draft). I hope that some of you may have time to
provide your thoughts. 

Regards,
Brad

Brad Biddle <biddlecb@cooley.com> [<--- PREFERRED ADDRESS]
Cooley Godward LLP <www.cooley.com>
4365 Executive Dr. Ste 1100, San Diego CA 92121
voice: (619) 550-6301  fax: (619) 453-3555

--------------------------------------------------------------

"Legislating Market Winners: Digital Signature Laws and the 
Electronic Commerce Marketplace"
 
The argument goes something like this: Internet commerce is
hampered by the authentication problem. There is no reliable
way to ensure that the sender of an electronic transmission is
in fact who they purport to be. Digital signatures, supported by
a "public key infrastructure" of certification authorities (CAs)
and certificate databases, can solve this authentication
problem. CAs will not emerge under the current legal regime,
however, because they face uncertain and potentially
immense liability exposure. Additionally, the legal status of
digitally signed documents is unclear. Therefore, legislation is
needed which defines and limits CA liability and which
establishes the legality of digitally signed documents.

This argument has captured an influential segment of the legal
community, and has led to the enactment of "digital signature
legislation" in several U.S. states and foreign nations.
Unfortunately, the argument is built on fundamentally flawed
assumptions, and the legislation enacted based upon it is
correspondingly flawed. Much (but not all) of the digital
signature legislation enacted to date presumes a vision of
electronic commerce that simply is not tenable, and which
would not "naturally" evolve in the marketplace. This
legislation poses the risk of profoundly distorting an infant
market and locking in business models which are harmful to
consumers and to the future development of electronic
commerce.

The type of public key infrastructure (PKI) envisioned by many
of the existing digital signature laws is not viable. The problem
is liability. Digital signature legislation drafters have assumed
that the potential liability exposure faced by CAs is somehow a
flaw of the existing legal regime. This is an erroneous
assumption: the liability exposure faced by CAs under the
"open PKI" model envisioned by legislation drafters is a
product of a business model that cannot internalize the costs
associated with its implementation. Moreover, in attempting to
limit the liability exposure of CAs, current digital signature laws
shift an immense liability burden onto consumers who use the
infrastructure envisioned by these laws. Putting this type of
liability burden on consumers violates long-held tenets of
public policy, and is a result which consumers would reject in
any truly "bargained for" transaction.

Digital signatures will undoubtedly play a significant role in
electronic commerce. However, rather than being
implemented in the "open PKI" model envisioned by various
digital signature laws, digital signatures are more likely to be
utilized under a "closed PKI" system. Under a closed PKI
system, the liability problems associated with digital
signatures become much more manageable. This article
describes the differences between open and closed PKI, and
suggests that, in the absence of legislative displacement,
certain marketplace trends indicate that closed PKI is indeed
the likely market winner. 

The open PKI model can and should compete against closed
PKI and other authentication technologies, and should not be
accorded special legal status via legislation. Such legislation is
unnecessary: the "contractual privity problem" which is used
to justify open PKI legislation is a red herring. Commercial CAs
utilizing the open PKI model can compete in the marketplace
without special PKI legislation. These CAs are unlikely to
succeed, not because of flaws with the legal system, but
because the open PKI model is not a winning business model.

Despite raising the very peculiar specter of regulating an
essentially nonexistent industry (CAs), and despite increased
recognition of the problems associated with the very specific
vision of electronic commerce embodied in these digital
signature laws, laws based on the open PKI model continue to
be proposed and implemented. This article suggests that one
of several factors behind the continued momentum of this
legislation, particularly at the federal and international levels, is
its synergy with cryptographic "key escrow" proposals. While
digital signature legislation ostensibly addresses the use of
cryptography only for the purposes of authentication, and not
for confidentiality, the infrastructure created by these laws is
ideal for implementing a key escrow scheme. 

Ultimately this article argues that digital signature laws which
impose a particular view of electronic commerce should be
abandoned. Laws which remove specific, well-defined barriers
to electronic commerce -- such as unnecessary "writing" or
handwritten signature requirements -- and which allow the
electronic commerce marketplace to evolve unfettered should
be encouraged.