RE: Common misconception #10. was RE: NEW Data type forcertificate

[Ed Gerck <egerck@xxxxxxxxxxxxxxxxxxx>]

On Fri, 9 Oct 1998, Phillip M Hallam-Baker wrote:

> Ed Gerck wrote:
>
>> My assertion was "every PKIX CA must inevitably disclaim all legal
>> liability to the user" -- not to the subscriber.
>
>A statement which is untrue, completely and utterly wrong.
>

Denial is good. But it is no more than a marketing technique when
Verisign's own warranty declaration and CPS say what I affirm and you
deny.

I also note, for the record and I have already made that clear, what
is called a CA "user" is not the subscriber that buys the cert
services from the CA, but the Joe Doe that needs to rely on the cert
presented by the subscriber and that has no relationship whatsoever
with the CA. Certainly, the majority of cases in international trade,
since not all users will also be customers of the very same CA.

This question gains in importance as we remember that there is no
international law system that uniquely defines matters, not even in
the same country. So, a cert user represents an open risk also in the
legal sense, and not only in terms of key-snatching, virus, etc.
Given the overabundance of lawyers in the US alone and the growing
attitude of finding culprits for one's own lack of foresight, any CA
that makes an offer to the whole world, capable of acceptance without
communication and by mere conduct, is suicidal.

Is this relevant to PKIX? No, if PKIX is being designed to work
within a company or in a bounded environment, where subscribers and
users share a common and pre-existent trusted environment. Yes, if
PKIX wants to address no-previous relationship cases worldwide.

>
>> BTW, you did not show any counterarguments.
>
>I believe that I countered your statement that a CPS cannot
>be audited by stating that the ABA was working on audit standards
>for that very purpose.
>

First, the statement that current CPSs cannot be audited was NOT mine
(as you unfortunately misstated) but YOUR own and public, verbatim
as:

 The CPS is not a document designed for auditing use however. It
 describes a 'specification', it does not describe details which may
 be checked by a third party in a systematic manner."

Second, it is very probable that *any* future CPS standards (of which
there are none today) will NOT provide any assurance of correct
results -- just correct methods and within some broad assumtpions.
Which is however already granted by law such as by the UCC. Thus, the
"new" CPS standard will very probably simply deal with a convergence
of terms and clauses, while leaving open the door I mentioned you
saying.

But, while that remains to be seen it is perhaps clear that you
cannot cite non-existent CPS regulations to say that current CPSs are
or will be auditable in a next incarnation. Oftentimes, problems have
no solutions in a broader scope. In particular, I have reasonable
doubt that one could ever audit or warrant ***results*** in CA
certification.

>As an employee of the major CA on the Internet I am not going
>to speculate on the future liabilities or insurance which might
>be offered by VeriSign or any of its competitors here. The PKIX 
>architecture does not prevent such products being offered or 
>supported which was your claim.
>
 
I appreciate your technical and business competence.

However, I may indeed question why all the work if no public CA will
ever be able to offer public warranty on results, from a general
subscriber to the general public. Which is what the public needs.

>I will merely remind people that five years ago folk were loudly
>proclaiming that a public CA such as VeriSign was an impossibility.

I did not say that. In fact, I have recently affirmed it is a very
good business to be a CA. The question is ...what next?

Cheers,

Ed Gerck
______________________________________________________________________
Dr.rer.nat. E. Gerck                     egerck@novaware.cps.softex.br
http://novaware.cps.softex.br