My message of 5 May, concerning "What things mean", written just before
I went on vacation, was apparently not understood by Steve Crocker and
Steve Kent, so I will ask it again.
(It must have been all those pesky carriage returns that got in the way. I use
a Windows mailer which allows me to type fairly lengthy lines before it wraps,
depending on the size of my window. I hadn't realized that Unix systems
still assumed that all messages were to be punched on 80 column IBM cards,
but I'll try to be more careful in the future. :-)
The issue that I was trying to address was how to mitigate the risk
associated with the creation and existance of a private key (which
could be stolen, perhaps by means of a virus running on my less
than A1 secure PC), together with a public key certificate which
(allegedly) binds that key to "me." In particular, we are trying to decide
whether PEM can reasonably be fielded for commercial purposes with a
sotware implementation on an untrusted PC, or whether we must go to
a smart card imploementation and even consider biometrics for certain
users.
Although I would hope that the certification policy established
by the Policy Certification Authority would address this issue,
in fact the draft RSA Commercial Hierarchy I have reviewed
as part of our deciding to purcase a Certificate Issuing System
does not say anything about limitations of liability. I am also
not aware of any other PCA having published their policy.
(As an aside, how will people be made aware of the PCA's policies when
they go to validate PEM messages in the future? What happens if the policy
changes? I would assume that this would cause the PCA to issue a new
set of certificates for all of its CAs, assuming that they will agree with the
new policy. If not, and even if they do, what a mess!)
My point is that since the X.509 certificate does not provide any mechanism
for limiting the liability associated with the use or alleged use of a digital
signature, and since the claim of the cryptographic community
(myself included) since the invention of public key cryptography has been
that digital signatures should be far MORE reliable than conventional
written signatures, the existance of a digitally signed document may be
interpreted by the courts and public opinion as having satisfied a higher
level of assurance, amounting to a prima facie case, than would a
conventional signature. the burden of proof would then fall on me to
disprove the accusation--a very difficult task.
My problem is this: If my digital signature carries more weight (in some
sense) than my written signature, yet my private key can be stolen more
easily (let us argue) than my written signature can be forged, then I have
a serious liability and no way to control it.
On the surface, it would seem that the least a digital signature should imply
is attribution, for what else are they good for?
However, even simple attribution of a statement without any commercial
value carries some risk. If someone were to forge my name to some
particularly fatuous or ignorent statement, my reputation might be damaged,
and if I made my living selling newsletters or stock tips
(or even security advice) the damage might be huge, up to depriving
me of my livelihood.
If someone were to forge my name to a statement which slaners or libels
another person, the damages might be as large or even larger, since in this
case I could be sued. Since libel suits are often for millions of dollars,
the risk is certainly not inconsequential.
Once we go beyond the point of addresing the risk of falsely implying
attribution and start talking about financial transactions, the subject at
least becomes more sharply focused. but what if someone forges my name
to an order to a stockbroker, instructing him to sell short 100,000 ounces
of silver, and then the Hunts corner the market on silver and I cannot cover
the order. Even if I had stated that my liability was limited to $1,000,000,
this might not be sufficient. (Maybe I should just let my stockbroker worry
about this, and throw myself on the mercy of the bankruptcy court.)
It is often argued that I should send a statement limiting my liability to
anyone with whom I am doing business, and require that they acknowledge
it. I would then keep a copy of that acknowledgement.
But now suppose that I steal Steve's (Crocker or Kent - I don't care )private
key, and forge a message that says: "I hereby bequeth to Bob Jueneman, his
heirs and assignees in perpuitity, all my estate and worldly goods." I then
wait until poor Steve throws off this mortal coil, and either I, or my daughter,
and/or her unborn children file suit for the estate.
Since some of these people haven't even been bornconceived yet, they
could hardly have signed a statement acknowledging the limits of Steve's
liability.
For this reason, I argue that it is absolutely essential that the PCA's
policy statement explicitly establish a default limit of financial liability
associated with each certificate issued under their CA. Further, I
would suggest that the limit be low enough as to be insurable against,
both by the PCA, the CA, and the individual.
this will have the effect of limiting the number of CAs that can be
authorized by a PCA under one certificate, and likewise the number
of individuals certified under a given CA's certificate.
If the default liability for a Commercial Hierarchy PCA is $1000, then
10 CAs with 100 individuals each would amount to an aggregate
liability of $1,000,000 if someone were to subvert the PCA's keys.
RSA and other PCAs should perhaps think about using multiple
Certificate Issuing Systems, each with a completely different set of key
holders, in order to limit the liability to an affordable/insurable amount.
The same logic would apply to CAs certified under that PCA.
Finally, as an individual, although I could perhaps tolerate a liability of
$1000 (ouch) for a financial transaction, I am at a loss to figure out
how to bound my liability for apparent self-defamation of character and/or
a forged libelous or slander standpoint.
"Bob Jueneman will never, ever, say anything stupid or incorrect, nor will he
ever say anything bad about anyone or anything, and any digitally
signed statement to the contrary is hearby declared to be null and void!"
Likewise, "GTE Laboratories will never, ever, issue a certificate to
anyone who would ever be less than scrupulously honest, less than
extraodinarily careful about keeping his private keys private, and
any acts apparently committed by such a nonexistant person are hereby
disavowed."
"RSA, TIS, et al., will never issue a certificate to any CA without infinitely
deep pockets, and anyone who claims any liability for any acts committed by
anyone allegedly certified by one of their certificate chains will be
immediately CRL'ed."
I would encourage all those people who have been sending digitally
signed messages, whether by a PEM implementation, RSAREF, or even
PGP, to consider their own liability.
"If Roger Clements signs a baseball, does it imply that he approves of
the ball itself. If the ball breaks a window, is he liable? How do we know?"