
Re: A $25,000,000,000 PKI Was:Spec. on QC-low-fat & QC-heavy-bio
Anders,

>May I ask a question regarding signature laws, which I am pretty ignorant of?
>
>If a company runs a SET Wallet Server for their employees to use, is not
>the company responsible for signatures produced by the certificate and keys
>stored on that server?
>
>Legally as well as technically.
>
>Now to the users (with their CyberPhones) that initiate transactions:
>They are responsible to their company, which as a minimum records all
>transactions with user identity.  Or it could require a sign op as well.
>
>Looks OK to me.
>
>So what is so fundamentally flawed in the CyberPhone concept with respect
>to digital signature laws?

I won't comment on the question of the legality of CyberPhone, vis-a-vis
the current hodgepodge of digital signature laws.  However, I was not
aware of SET wallet servers, e.g., in the corporate context you describe.
An employee using a cert issued for company purchasing, etc. may or may not
be the real "owner" of the private key.  If the cert identifies the subject
as a role, and the user is the role occupant, then the company is
intentionally maintaining accountability on a purely internal basis.
Technically, this can be done reasonably well by issuing the cert via a
smart card or PC card, so that the user has no (easy) access to or knowledge
of the private key.  However, if the subject of the cert is an
organizational person (not a role), then I think of the issue of ownership
differently.  The company needs to revoke the cert when the employee leaves
or changes roles and no longer has the same purchasing authorization.  (Of
course, this points out why an attribute cert might be better in this case
...)

steve