[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Invalidity Dates

To: <Mary_Ellen_Zurko@xxxxxxxx>
Subject: Re: Invalidity Dates
From: "Bob Jueneman" <BJUENEMAN@xxxxxxxxxx>
Date: Mon, 14 Dec 1998 15:24:22 -0700
Cc: <ietf-pkix@xxxxxxx>
Sender: owner-ietf-pkix@xxxxxxx

>>> <Mary_Ellen_Zurko@iris.com> 12/14/98 02:18PM >>>
Thanks Bob. All good points, which leave me wondering what
to do about that period of time when the key might have been
compromised but was not yet revoked. Do you posit that the
CPS and other contracts cover this? (I'm just asking you instead
of bothering the list, as I imagine this sort of philosophical ground
has been already trod, but feel free to distribute any response
as widely as you like.)
     Mez

Mez,

That's why, in my judgement, we need legislation that lets 
potential relying parties know what the rules of the road are.
Unfortunately, the young turk lawyers that seem to be in control
of the technical legislative agenda in a lot of influential states
are very anti-regulatory, and pro "fight it out in court." that being
their background.

The trouble with putting something in the CPS is that it is highly
questionable just how binding the CPS is on the relying party, 
_unless_ the CA, the subscriber, and the relying party are all part
of a mutual trust association, i.e., a closed user group, which
tends to defeat at least a portion of what a PKI was supposed 
to provide  If on the other hand the relying party is one of the 
proverbial widows and orphans, they are quite likely not to even 
read the CPS, and it is not likely to be binding.

The issue in the case of a contested digital signature is two-fold:

1.  Who has the burden of proof, i.e., to what extent is there or
should there be a rebuttable presumption of the validity of
the signature under certain circumstances (such as licensed CA, 
under Utah law), and if the presumption is rebutted, i.e., challenged,
who has what burden of proof -- does the burden shift to the defendant,
or remain with the plaintiff?

2.  Regardless of who has the burden of proof, who has the risk of 
loss?  (These are two entirely separate issues.)  If it can be 
established as a matter of fact, as well as a matter of law, that the
defendant did not sign the document in question, and hence it must 
have  been signed by person or persons unknown, who is left 
holding the bag:

The poor defendant, who didn't sign it but perhaps should have been
more careful with his keys, if necessary depositing them in Fort Knox
overnight?  

Or the equally hapless relying party, who is clueless about
the defendant's key hygiene?  

Or perhaps the CA, who issued the certificate in exchange for a 
payment of a few tens or hundreds of dollars, and is now potentially 
liable for a transaction greatly in excess of his total cost, much less 
profit, for circumstances they had no control over?

>From my perspective, I don't care terribly much one way or the other, 
because I can see pros and cons to each side, and depending 
on the circumstances I might be either a subscriber or a relying party.

What I do insist on is a careful spelling out of the rules of the road.
Given that understanding, I can choose to drive on the right hand 
side, on the left hand side, or stay home in bed, but I will at least know
my risk and potential vulnerabilities.  If you leave it up to a jury, 
I'm at the mercy of which orator has the more golden tongue, how 
the judge is feeling that day, and the economic and technical 
background of the jurors.  None of those give me a warm feeling!

Regards,

Bob

Prev by Date: when can an entry not appear on a CRL?
Next by Date: Re: when can an entry not appear on a CRL?
Previous by thread: Re: Invalidity Dates
Next by thread: Re: Invalidity Dates
Index(es):
- Date
- Thread