
Re: Invalidity Dates



The Electronic Funds Transfer Act (described in layman's terms at
http://www.fdic.gov/consumer/consnews/spr98/crook.html) would appear to apply to this
situation.  Depending on the type of card involved (debit, credit, ATM), liability is
limited based on when the theft is reported.  I think it could be successfully argued
that stealing the key is equivalent to stealing the card.  The important dates for
purposes of liability are when it was reported relative to when it was stolen.

It would appear to be in the consumer's best interest to not rely on the CRL as the
mechanism for reporting, since the delay introduced by the CRL issuance (versus a
phone call to the credit card company) potentially increases the liability.

Bobby Miller

Al Arsenault wrote:

> ...  Now, this certainly introduces some doubt onto the whole notion of
> non-repudiation.  I can report on 30 November that my key was compromised on 22
> November, and lo and behold it was used to purchase $3,000 worth of books and
> software from on-line services on the 25th.  The merchants approved those purchases
> based on the fact that the certificate was not revoked.  Now, maybe I really made
> the purchases and now wish to repudiate them, to try to get the merchandise 'for
> free'.  Or, maybe the key really was stolen, and the purchases were made by the
> person or persons who stole it, rather than me.  The merchants (and the CA who
> issued the certificate) don't know.  Depending on the value of goods in question,
> and on other available evidence, they may do one of several things ... While this
> does introduce some uncertainty into the system, it is no different from what
> happens today in the physical world of credit cards and similar instruments.  I may
> lose my credit card, or have it (or the number) stolen.  I may not know this for
> some period of time after the event - for example, the item stolen in the burglary
> could have been the credit card left behind, rather than my private key.