Interesting People mailing list archives
IP: Digital Signatures
From: David Farber <farber () cis upenn edu>
Date: Sat, 18 Oct 1997 20:27:10 -0400
Date: Sat, 18 Oct 97 14:12:13 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () cis upenn edu
Subject: Digital Signatures

Dave --

I've written a long piece about some serious legal and international problems I see emerging in the area of digital signatures. Here's the summary from my web page:

Governments around the world are embracing digital signatures. Everybody loves this technology. Oddly, that's the biggest obstacle it faces. Digital signature technology may be loved to death before it ever gets to really take off. Stewart Baker looks at growing international regulation of digital signatures, predicts serious problems for the technology as a result of conflicting national laws, and evaluates possible fora for reaching agreement on more coordinated and technology-friendly international rules for digital signatures and certificates.

The web citation is: http://www.steptoe.com/digsig2.htm. If you decide you'd rather send out the entire piece, it is attached as a text file.

Stewart

[Attachment: digsig.txt]

International Developments Affecting Digital Signatures
by Stewart A. Baker
Steptoe & Johnson LLP
October 1997

Governments around the world are embracing digital signatures. Everybody loves this technology. Oddly, that's the biggest obstacle it faces. Digital signature technology may be loved to death before it ever gets to really take off.

The technology

Public key cryptography was first described publicly in 1975.
In essence, it relies on the difficulty of reversing certain mathematical functions. For example, multiplying to find a product is easy; factoring to find the numbers that were originally multiplied together is hard. With big enough numbers, I can even keep one number secret and publish the other -- without any fear that the secret number can be guessed by an adversary.

Then, everyone in the world can look up my public number and use it to encrypt a message that only I can read. That's the part of the public-key revolution that gives NSA and the FBI nightmares.

But the flip side of that process is just as intriguing -- and may yet become the predominant use of public key technology. If I encrypt a message with my private key, anyone in the world can decrypt it using my public key. That's no way to keep secrets, but it's a great way to tell the world that I and I alone could have sent the message. Since I'm the only one in the world who knows what my private key is, no one else could have written a message that can be decrypted using my public key.

It doesn't take a genius to see how useful this technology could be in cyberspace. It allows us to put highly sensitive material on a network, then use digital signatures to restrict access. What's more, with only a modest infrastructure, strangers can do business with strangers all across the globe, using a few digital signatures to establish their bona fides.

What's needed to make this scenario come true is a "trust infrastructure." In the simplest case, suppose a bank issues digital signatures to every one of its customers that has maintained a $10,000 checking balance over the past year. If I want to do business online with another customer of the bank and he sends me a copy of his bank-issued digital signature, I can be pretty sure his $5,000 offer is good.
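As an added example (my own code, not part of Baker's piece), here is the bank scenario above as a toy Python run: the bank signs a certificate binding the customer's public key to the balance claim, the customer signs his $5,000 offer, and the relying party checks both against the bank's public key. It goes one step beyond this passage by also consulting the bank's revocation list, which the piece introduces further on. The keys are constructed toy RSA keys, and the helper names (issue_certificate, check_offer, key_id) are mine, not any real library's.

```python
import hashlib
import json

# Toy RSA over Mersenne primes: genuine arithmetic without a prime generator.
# Constructed for illustration only. Real keys use random primes of 2048 bits
# or more, and real signatures pad the hash (PKCS#1 v1.5 or PSS) rather than
# reducing it mod n as done here.
E = 65537

def make_keypair(p, q):
    """Return (public, private) dicts for the toy RSA modulus n = p*q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}

def _digest(message, n):
    """SHA-256 of the message, as an integer below n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """'Encrypt with the private key': only the key's holder can produce this."""
    n, d = private_key["n"], private_key["d"]
    return pow(_digest(message, n), d, n)

def verify(public_key, message, signature):
    """'Decrypt with the public key': anyone can check who signed."""
    n, e = public_key["n"], public_key["e"]
    return pow(signature, e, n) == _digest(message, n)

def _canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()

def key_id(public_key):
    """Short fingerprint under which a key is listed on the revocation list."""
    return hashlib.sha256(_canonical(public_key)).hexdigest()[:16]

def issue_certificate(ca_private, subject_public, claim, issued):
    """The bank's statement about the holder of subject_public, signed by the bank."""
    body = {"subject_key": subject_public, "claim": claim, "issued": issued}
    return {"body": body, "signature": sign(ca_private, _canonical(body))}

def check_offer(bank_public, crl, cert, offer, offer_sig):
    """What a careful relying party does before trusting an offer."""
    # 1. Is the certificate really the bank's word?
    if not verify(bank_public, _canonical(cert["body"]), cert["signature"]):
        return "reject: certificate not signed by bank"
    # 2. Has the certified key been reported lost or stolen? (the CRL check)
    if key_id(cert["body"]["subject_key"]) in crl:
        return "reject: key is on the revocation list"
    # 3. Was this offer signed by the holder of the certified key?
    if not verify(cert["body"]["subject_key"], offer, offer_sig):
        return "reject: offer not signed by the certified key"
    return "accept: " + cert["body"]["claim"]

# Constructed keys for the bank and one customer (Mersenne primes).
BANK_PUBLIC, BANK_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
CUSTOMER_PUBLIC, CUSTOMER_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
CERT = issue_certificate(
    BANK_PRIVATE, CUSTOMER_PUBLIC,
    "holder has maintained a $10,000 checking balance for the past year",
    "1997-10-01")
OFFER = b"I offer $5,000 for the goods."
OFFER_SIG = sign(CUSTOMER_PRIVATE, OFFER)

def run_scenarios():
    """Outcomes for an honest offer, a self-issued certificate, a stolen key
    (customer's key placed on the bank's CRL) and an altered offer."""
    stolen = {key_id(CUSTOMER_PUBLIC)}
    self_cert = issue_certificate(CUSTOMER_PRIVATE, CUSTOMER_PUBLIC,
                                  "trust me", "1997-10-01")
    altered = b"I offer $50,000 for the goods."
    return {
        "honest": check_offer(BANK_PUBLIC, set(), CERT, OFFER, OFFER_SIG),
        "self_certified": check_offer(BANK_PUBLIC, set(), self_cert, OFFER, OFFER_SIG),
        "key_revoked": check_offer(BANK_PUBLIC, stolen, CERT, OFFER, OFFER_SIG),
        "offer_altered": check_offer(BANK_PUBLIC, set(), CERT, altered, OFFER_SIG),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15} -> {outcome}")
```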
As a practical matter, the bank will probably issue a public-private key pair to its customers, then tell them to store the private key somewhere safe (a 3.5-inch floppy would be good; a chip card would be better). The bank could publish the public key (as well as its own) on the Internet and elsewhere. However, since they won't want to identify their clients as targets for scams or worse, it's more likely that the bank will privately issue a certificate, saying "As of October 1, the holder of this private key has maintained a $10,000 checking balance for the past year, signed, His Bank." The customer could then send that certificate to people who needed to know his credit was good, and they could rely on it as long as they knew the bank's public key and trusted the bank to tell the truth.

Why the technology requires new legal rules

The efficiencies and security that this system allows are tremendously exciting, but there are a few problems. First, suppose the customer is sloppy with his private key. He writes the password to his smart card on the card and then leaves the card in the washroom. Now anyone who has the card can use his identity -- and his credit.

To deal with that problem, the bank needs to maintain an easily accessible list of stolen or compromised public-private key pairs. This is known as a Certificate Revocation List (CRL). And to make the system work, anyone who relies on digital signatures should check the CRL. But this is the real world. Some people won't check the CRL. They'll get burned. They'll blame the bank, because it has the most money to pay damages. They'll sue. (Thank God, a role for lawyers after the digital revolution!)

Without a law on digital signatures and certificates, no one knows how such a suit will come out. The bank can write a contract with the customer, demanding that he be careful with his private key, perhaps even making him liable for his negligence.
But consumer groups would oppose enforcement of such contracts (digital signature buffs call this the "Grandma picks a bad password and loses her house" problem). Even worse from the bank's point of view, it doesn't have a contract with the guy who got burned by the compromised signature. He's just an innocent third party who lost money -- by relying on the word of the bank, his lawyer will say. Without more legal certainty about how to protect themselves (or how much insurance to buy), companies with deep pockets will not want to take that risk. They'll stay out of the business of issuing digital signatures and digital certificates for such transactions. In fact, for a decade or more, that's pretty much been the story: Cool math confronts corporate legal department; cool math loses.

How digital signatures are actually being implemented today

But the technology is too good to be locked up by lawyers forever. Companies that wanted to use digital signature technologies began looking for places where this open-ended liability wasn't a big problem. They found at least two.

1. Cheap certificates. First, they offered certificates with a sweeping disclaimer of any liability. These certificates aren't much good for high-value transactions, but they can be used in a lot of circumstances where even a no-liability signature is better than no signature at all. Millions of "cheap," liability-free certificates are already in circulation. The SSL encryption that everyone uses for secure Web connections relies in part on digital signatures to identify the server and the browser to each other. No one really guarantees the server's public key, but if it's the same one every time I log on, I can be pretty sure that I am dealing with the same server, belonging to the same store, rather than to an online con artist. Other Internet-based "cheap" certificates include the "authenticode" certificates used to identify the authors of Java-like ActiveX programs.
The certificates offer a modest, but better-than-nothing, security precaution for Internet users who are understandably reluctant to let code written by strangers gain access to their computer's operating system.

2. Closed system certificates. Second, some digital signature proponents have begun creating their own law, by contract. Any group of companies or individuals that does business in accordance with one or more agreements setting forth the liability and other rules that govern their relationships can create a self-contained set of rules to cover digital signatures. IBM, for example, can issue digital identity certificates to all its employees; it can say that they are good for email attribution and for petty cash requests but not for private transactions unrelated to work -- or whatever rules it is comfortable with.

Or, in a more exciting use, Visa can issue certificates to all its member banks, and they can issue certificates to all their cardholders and merchants. Suddenly, shoppers don't have to type their credit card numbers onto the screen at Amazon.com, and they don't have to worry about Internet card number theft. Within the preexisting Visa relationships, all those tough liability problems become easy. Visa simply says that using a digital signature won't substantially change the existing liability rules for any of the system participants. Liability is already covered by an elaborate set of agreements and rules, some driven by long-standing government regulations. (Remember Grandma and her house? For credit cards, the rule is clear enough inside the United States: if she picks a bad password, she may lose fifty bucks but she won't lose her house.) In fact, Visa and Mastercard have built digital signatures into a Secure Electronic Transaction protocol (SET) that is already being implemented in several countries.

Lawyers to the rescue?
While all this was going on, the lawyers themselves began to look for legislative solutions. A committee of the American Bar Association led by Michael Baum (now the top lawyer at Verisign) designed a comprehensive model law to deal with all the new legal issues arising from digital signatures. While that work was underway, the state of Utah took the plunge, enacting a variant of the ABA draft. Within three years, more than forty state legislatures were contemplating digital signature laws. So were numerous countries; indeed, by the fall of 1997 Germany, Malaysia, and Italy already had their own laws, and many more bills were in legislative hoppers around the world.

This should be good news -- lawyers and lawmakers working together to solve a legal problem and enable the birth of a new technology. But it's not. As we'll see, it is posing a growing threat to the burgeoning use of low-value certificates and closed certificate systems.

Digital signature laws are often sold to legislators as a way to bring written signature requirements into the computer age. An image is conjured up of computer signatures being rejected by courts insisting on something executed with a quill pen. This is an overstated problem, at least in the United States and for most commercial transactions. Courts have been treating printed telegrams as "signed" documents for a century. There's nothing about a digital signature that makes it a harder legal problem than telegrams -- or telexes, or typed letters, or faxed signatures, or a dozen other ways in which real-world commercial actors have lawfully "signed" contracts over the last century.
What digital signatures need -- uniquely -- from the law is certainty about the obligations and rights of three parties: (1) the keyholder who is identified by the public key and who controls the private key, (2) the certifying authority who vouches for the public key and ties it to the identity (or creditworthiness, or chess club membership, or whatever) of the keyholder, and (3) the relying party who gets the public key and the certificate and who decides to trust the certificate.

The Utah law, and the ABA guidelines, decided to spell out all of these duties in great detail. In particular, to make sure that relying parties could trust certifying authorities (CAs), the Utah law and the ABA called for government licensing. The government would make sure that prospective CAs are trustworthy and that they remain so. It would check the technical and other security measures that CAs use to protect keys and would enforce rules about documents CAs should demand before certifying someone's signature. (Can the CA issue an identity certificate based on one piece of identification or must it see three? Does it have to check the keyholder's address? And so on.)

By and large, the Utah bill is also pretty tough on keyholders. If they aren't careful with their private keys, they will lose their houses. Early boosters of the technology, however, thought the alternative was worse: Relying parties and certifying authorities might refuse to participate in digital signature transactions if keyholders could invalidate transactions after the fact by making up a story about having been negligent with their keys.

How many lawmakers does it take to screw up an infrastructure?

Two problems with the Utah approach only became apparent as digital signature laws began to sweep through legislature after legislature.

1. Conflicting obligations. First, not every lawmaker saw the policy issues the way Utah did.
And the more detailed the legislation, the more room there was for fatal conflicts between state laws, sometimes on the most inconsequential points. To take one example, both Utah and Washington require a CA to suspend a certificate if the CA gets a call from the keyholder saying the private key has been compromised. (In Utah, the keyholder has a big incentive to act fast; he wants that compromised key suspended before somebody sells his house.) But to guard against fraud or pranks ("Hey, guys, let's call up the bank and suspend our gym teacher's public key."), the CA can't suspend for long without checking to make sure the suspension request really came from the keyholder. Under Utah law, the check has to be done within two days, but the certificate is automatically suspended whenever the CA gets a request from someone claiming to be the keyholder. Under Washington law, the caller can ask for a four-day suspension, but the CA can only suspend the certificate if the CA is pretty sure the caller really is the keyholder.

Same basic idea in both states. But what if you are a CA doing business in both states and you get a suspension request from someone who doesn't sound very much like the keyholder? In Utah, you must suspend; in Washington, you can't. Or suppose the caller asks for three days to come in and verify his identity? In Utah, you can't wait that long; in Washington, you must. CAs simply can't obey the laws of both states.

Other states have tried to avoid such problems by writing less detailed laws, leaving a lot to regulatory authorities. But that just postpones the conflicts, and perhaps makes them harder to find. It does not eliminate the likelihood of conflicting regulations. After all, many of the questions addressed by the Utah law have no easy answer. How much risk should the keyholder bear and how much should fall on the CA? Different states, and certainly different countries, will arrive at different answers to such questions.
But, if CAs must change their practice in each country or each state, there will be very few CAs in ten years, and digital signatures will not live up to their promise.

2. State licensing. An even bigger potential problem is the solution Utah used to ensure the quality of CAs. Having CAs obtain licenses from the state in exchange for accepting regulation by the state is very appealing in many ways. It is flexible, it allows the state to "back up" the digital signature of a licensed CA with a state-issued certificate, and it gives unhappy parties somewhere to go with complaints.

But what if licensing is mandatory? Suddenly, many cheap but useful certificates could become too much trouble to bother with. Take the example of a merchant that wants to improve online shopping security by issuing customer certificates: "This certifies that the holder has purchased more than five books at Amazon.com using the name 'Stewart Baker'." If Amazon.com can't issue a simple customer certificate without registering in fifty states and complying with all the security rules that apply to the high-trust certificates, it will just stop using certificates like this. And we will all have a little less security when we shop online.

So far, in the United States, licensing has remained voluntary. If a CA wants the imprimatur of the State of Utah, it must register there. If not, not. Either way, the CA can lawfully issue certificates to Utah residents. (Actually, there are still some disadvantages that will push many firms into registering in most states, but I am ignoring them for simplicity.)

Not so abroad. Germany's law contains no savings clause for cheap certificates. It implies that no one may issue certificates without meeting strict standards for security; these standards include a requirement that private keys be stored only on a smart card -- they can't be sent over the Internet, and they can't be stored on a magnetic stripe card or 3.5-inch floppy.
If pressed, German authorities sometimes say that they will not punish those who issue "unauthorized certificates." (That seems to be what they are telling the European Commission, which is worried about the trade-restricting impact of the German law.) But privately, some officials say that within three years the licensing regime will be mature and unauthorized CAs will be stamped out.

In Malaysia, that future is now. Malaysia's recently enacted digital signature bill makes it clear that anyone who issues certificates must register in Malaysia. And it is not just cheap but useful certificates that will be affected. SET, arguably the most sweeping and important use of digital signature technology to actually see the light of day, is also harmed by the proliferation of registration requirements. Neither Malaysia nor Germany was willing to make a clear exception in its law even for entirely private and consensual uses of digital signatures.

Why conflicting rules won't go away by themselves

What's going on here? Partly, of course, it's just that some governments choose regulatory solutions for everything. In Europe, the idea of letting the market take care of things is viewed with suspicion in the best of times. It sounds even less plausible coming from the same Internet advocates who cheerfully proclaim that national borders are just speed bumps on the information highway and that important national policies -- on distribution of pornography, on wiretapping, and a host of other issues -- will soon be rendered unenforceable by a global market. Worse, many other nations fear that such statements are just a disguised bid for American domination: "Leave it to the market, where our companies have an enormous lead." So government regulation looks to these nations as a cheap way to even up the odds; whatever competitive problems local technology companies may have in other arenas, they surely know more than Americans about working successfully with local authorities.
Then, too, the case for regulation gets stronger as the stakes get higher. If the main use for digital signatures will be for a national identity card that includes bank account access, the companies issuing those certificates had better be watched closely. If legislators don't know much about other uses of digital signature technology, or if a digital signature law is being jammed through the legislature by a few interested parties under the guise of "modernizing signature requirements," it isn't likely that closed systems or inexpensive certificates will get much attention from the legislative drafters.

Whatever the motivation for this outburst of regulatory zeal, the results will likely be a disaster for implementation of a public key infrastructure. Even if they might be able to get an exemption from most laws, users and issuers of cheap certificates can't stand even a remote prospect of liability in a handful of countries. Rather than register, they'll find weaker, less-regulated alternatives to digital signatures -- or they'll do without entirely. The same goes for "closed system" users of digital signatures. Burgeoning regulations that are not tailored to their private certificate system will create disincentives for credit card companies to use digital signatures. In short, this outbreak of regulatory enthusiasm is likely to make digital signatures much rarer and much riskier for prospective certificate authorities.

What Should the United States Do?

The next question is what U.S. policymakers should do to avoid this train wreck. Inside the United States, efforts to write a uniform state law that would resolve some of these issues are moving forward, but slowly. There are honest disagreements about how much liability to assign to the parties to a transaction and how much "freedom of contract" should be recognized in a complex field with major implications for consumers. So even if a uniform law is agreed upon, it may not exactly sweep the nation.
That's why there's support for at least a limited form of preemption by the federal government, perhaps just a list of things that states will not do, like imposing their rules on otherwise valid "closed" systems or requiring even issuers of low-value certificates to register as CAs. That might be enough, for example, to reassure financial institutions and others that they can use digital signatures to secure payment systems without fear of being surprised by new state liabilities.

But there is no preemption in the international sphere. There, uniformity can be achieved only if states are persuaded to adopt the same rules. Usually, this takes the form of bilateral or multilateral negotiations resulting in a treaty or other agreement. But there are at least two other models as well.

OECD. The Organization for Economic Cooperation and Development (OECD) specializes in nonbinding, consensual codes of conduct and guidelines. These are developed by the world's richest nations to coordinate policies on a variety of topics from privacy to cryptography. OECD has recently released a paper on issues raised by international certification, and it shows some of OECD's strengths and weaknesses as a forum. To bolster its claim to address the digital signature issue, OECD notes that it has already done extensive work on privacy and on cryptography guidelines. Both are related to digital signatures, the report suggests. That's because digital signatures allow extensive tracking of individuals and because the technology is closely tied to encryption and the law-enforcement-access debate that dominated the OECD's deliberations on cryptography. This observation is a distinctly two-edged sword for OECD. Both the privacy and the cryptography guidelines were a source of continued and bitter controversy.
Digital signatures do not have to be dragged into either debate, but handing the problem to the OECD more or less guarantees a replay of past three-way battles between government, industry, and privacy advocates.

UNCITRAL. The United Nations Commission on International Trade Law (UNCITRAL) plays a consensus-building role for a larger audience -- UN members. In addition, its products tend to be more specific and less controversial, focusing on achieving technical consensus on the language of model laws or conventions to regulate aspects of international trade -- international arbitration, international sale of goods, and the like. UNCITRAL already has a concrete record of achievement on technical legal issues affecting digital signatures. It has released a model law on electronic commerce; this law treats digital (and other electronic) signatures attached to a message as valid and binding, so long as the method of "signing" was "as reliable as appropriate for the purpose for which the data message was generated or communicated." See UNCITRAL Model Law on Electronic Commerce, Article 7.

Although the Model Law by itself lays to rest any questions about the validity of digital signatures for purposes of commercial transactions, UNCITRAL recognized that digital signatures and public key infrastructure raise legal issues going well beyond this point. For that reason, UNCITRAL has already begun work on a model law (or some other instrument) to deal with certification authorities. Unfortunately, the work done so far suggests that UNCITRAL's efforts could easily fail to produce a consensus. Thus, it is not clear that the UNCITRAL efforts will in fact provide the kind of relief and assurance of legality needed by producers of inexpensive certificates and "closed" systems that use digital signatures (for more on these uses of digital signatures, see my background paper).
The most recent meeting of an experts group made some progress in limiting the most egregiously regulatory language. But it also revealed that at least Germany -- and perhaps also France, the United Kingdom, Italy, and other Europeans -- are wedded in varying degrees to the notion that certification services are too important to be left to the private market. What is more, there is only modest sympathy for private, closed systems using digital signatures and virtually none for issuers of "cheap certs."

What is the right forum?

Unfortunately, it is becoming increasingly likely that serious differences will arise internationally between countries enamored of the high-regulation, high-trust model and those more open to market developments in digital signature use. This opens the door to protectionism and discrimination. UNCITRAL is an unlikely place to combat such tendencies. It does not have a tradition of brokering trade disputes. OECD is a more plausible forum for addressing such differences, but its process yields only guidelines, not binding agreement. Are there other fora? Perhaps. The WTO has some claim to jurisdiction over trade in services but it lacks a clear framework for resolving this matter.

More interestingly, the U.S. federal government and the European Commission -- usually antagonists on trade -- may have some common interests here. Both are concerned that excessive regulation of digital signatures will lead to inconsistent standards and discrimination within their boundaries. And both have been a bit left out as their constituent parts raced to define new regulatory schemes. While there are pitfalls, the U.S. and the EU might be able to reach a quick understanding on at least some basic rules to discipline the digital signature laws of their constituent states.
"Photons have neither morals nor visas" -- Dave Farber 1994