X.509 certificates contain only one DN, so the only way to bind an
individual's identity and a role is to construct a DN which
incorporates both. Of course, you would not want a company to control
the private key associated with this certificate, as they could use it
to later forge the individual's signature in that role capacity. If
the user controls the key, upon termination or change of role, the
certificate would be hot listed. With suitable notarization
facilities, to deal with trusted timestamping of signed documents, the
fact that the user still held the key after the hot listing date might
not be a problem. However, this does introduce a discontinuity in the
key used in conjunction with the role and that is a nuisance. I
suspect companies will feel more comfortable with a scheme in which
procedural controls are used to enforce the individual-role binding,
without disclosing any keys to the user occupying the role.

It is a little difficult to discern what your argument is here. Note
that knowledge of a key may be different from possession of a key
if that key is generated within a smart card and never disclosed to
anybody. My own opinion is that if digital signatures are to be
accepted the same way that analog signatures are now accepted, they
must be unique to people and must be their property. Then we have
an existing suite of laws and customs to deal with them and don't
need heroic legal contortions to deal with their introductions.

It is easy to say "suitable notarization facilities", it is quite
another to characterize them more completely. What is notarized,
the sending, the time that the sending occurred, the signature, the
time that the signature was created, the delivery, all the above?
What liability is accepted by this notary and what trust is placed
in the notary? What form do these notarizations take? Can a
notarization perform the same function as the multiple signatures
that typically are attached to documents in large hierarchical
organizations (e.g. the military)? That is, can a notarization be
notarized? What is the duty of the notary to appear in court to
testify as to the efficacy of the procedures used in the notarization
process? Is the notarization process itself subject to
standardization?

In a similar vein, what liability is to be assigned to the CA? I can
envision a set of really nasty confrontations if a receiver relies
on a document which is disallowed in a court of law. The natural
recourse in this case is the certificate issuer. Some of the
questions above apply to the CA. One of the major failings of ANSI
ASC X9.17 Key Management - Wholesale was the over specification of
the responsibility of the Key Center. The job was made so onerous
that no organization would step forward to be a Key Center. It
appears that X9F1 is in the process of committing the same error
with certificate issuers, i.e. to make the job so onerous that no
organization with any assets or lawyers will touch the job with a
ten foot pole. (By the bye, is the current draft available on inet?)

Forms that are submitted to governmental entities must be signed by
people, not by roles. The same is true for most of the fiduciary
actions that I am aware of. The issue here is to nail the source of
a document to a person that a criminal court of law can put in jail.
On the other hand, documents that can be shown to originate from a
company in the normal course of business are binding on that company.
It is not up to the receiver of a document to validate the authority
of the signatory to the document. The internal authority structure
within a company is just that - INTERNAL. This is the flaw that makes
the Fisher document you quoted so completely worthless. So the real
issue to be proved in a civil court is whether the email can be
traced to physical origin within a company and whether the receiver
should have expected it to be valid.

There is a big difference between lifetimes for signed vs. encrypted
data. Once a data item is signed, anyone who wants to validate it
needs to acquire a certification path and corresponding CRLs starting
at some commonly agreed upon point, e.g., the IPRA in the PEM system.
For non-repudiation purposes, the signature needs to be registered in
some fashion, e.g., the Bellcore binary tree hash approach or via a
timestamp notary. Once a user (e.g., a message recipient) has all of
this ancillary data, then he can prove to a third-party that the data
in question was signed by the indicated signatory, irrespective of
what the signer may do to destroy any keys or certificate copies that
he may possess. Thus, the burden to acquire and hold the necessary
ancillary data is on the individual who derives benefit from possessing
a signed data item, not the sender.

You seem to be arguing here that the receiver must ensure that the
entire chain of certificates is appended to every document that is
archived since no other source is reliable; is that so? If it is
so is such knowledge already documented? Where will users of email
go to find out what risk they take by using email? Note that the
real issue here is to encourage people to use PEM. That can only
be done if these potential users achieve a sense of confidence that
their use of PEM (or email) will not increase their risk, but reduce
it.

Theorem 1: That a certificate, once created, may not be
destroyed unless it can be proven that no document signed
by that certificate will ever need to be authenticated again.

Based on the above discussion, I think you'll agree that this
conjecture does not apply, since it is the responsibility of
recipients of signed messages to collect the necessary info to be able
to prove the validity of the signature to a third party in the future.

I would say that you have, in fact, proved Th. 1 to be true. You have
just changed the responsibility from the CA to the receiver. The certs
must still be maintained indefinitely.

As noted above, the operative term here is non-repudiation with proof
of origin. It can be effected using X.509 certificates as a basis for
authentication, CRLs for revocation, possibly other application of one
or more digital signatures applied to a document, conventions about
document semantics, maybe ancillary certificates of a different form
(or some form of signed data item) to express authorization, and a
timestamp notary to fix the time and date of a signature. It's not a
trivial matter to get non-repudiable digital signatures, and PEM does
not provide the whole service, but considerable work on the problem
has been performed and documented.

I must admit a certain prejudice against the concept of revocation in
general, especially with electronic documents. If a CA issues a
cert which is sent to me as a part of the document (perhaps even the
entire chain is sent), but I have no relationship to that CA at all,
what trust am I to place in that cert or that CA? Since there is no
contractual relationship between me and the CA, IMHO there is no way
for me to force the CA to testify as to the validity of a signature
if a dispute should arise. And certainly there is no requirement for
that particular CA to ensure that I have or can easily obtain the CRL.
If there is no third party to testify in my behalf, what benefit has
the certificate provided?

One can imagine ways of employing these mechanisms such that
the long term authentication is possible, but without standard
semantics for such uses, so that all can agree with what it means,
how useful or enforceable are they likely to be? In other words if
we have created the need for notary servers that unequivocally
vouch for the time of a signature, is it safe to turn all of this
loose without defining what a notary seal looks like? And if we
haven't created such a need, how does the court decide whether Humin's
estate belongs to my kid?

Cheers - Greg Bailey

I agree!
Peace
Tom Jones - Lemcom
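
The thread mentions registering a signature via a "binary tree hash approach" and asks what form a notarization takes. The sketch below shows one such form as a Merkle tree: the notary publishes a single root per round, and the recipient archives the sibling hashes needed to recompute it. This is an added example, not part of the original message and not Bellcore's actual scheme; SHA-256, the 0x00/0x01 prefixes, the odd-node promotion rule and the sample signature values are assumptions.

```python
import hashlib
import hmac

# Assumed domain-separation prefixes so a leaf can never be replayed as an inner node.
LEAF, NODE = b"\x00", b"\x01"

def _h(prefix, data):
    return hashlib.sha256(prefix + data).digest()

def build_levels(signatures):
    """Notary side: hash one round of signatures into a tree, leaves first."""
    levels = [[_h(LEAF, s) for s in signatures]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [_h(NODE, cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:          # an unpaired node is promoted unchanged
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify(signature, proof, published_root):
    """Recipient side: recompute the root from the archived proof alone."""
    node = _h(LEAF, signature)
    for side, sib in proof:
        node = _h(NODE, (sib + node) if side == "L" else (node + sib))
    return hmac.compare_digest(node, published_root)

# Constructed sample round: five signature values registered together.
ROUND = [b"sig-alice", b"sig-bob", b"sig-carol", b"sig-dave", b"sig-erin"]
LEVELS = build_levels(ROUND)
ROOT = LEVELS[-1][0]              # the value the notary would publish

if __name__ == "__main__":
    for i, sig in enumerate(ROUND):
        print(sig, verify(sig, inclusion_proof(LEVELS, i), ROOT))
    print(verify(b"sig-forged", inclusion_proof(LEVELS, 1), ROOT))
```

The proof fixes only that the signature existed when the root was published; certificate path and CRL checks against that date remain separate steps.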