Steve and Steve,
Some private correspondence has convinced me that at least a part of
the problem we are having comes from one set of folks who are
almost exclusively concerned about the use of PEM to protect
their privacy, or at least the confidentiality of their "speech",
while the others are less concerned about privacy and more
concerned about issues of trust and/or liability.
For the users concerned about privacy, the current orientation of
the PEM RFCs should be perfectly sufficient. It isn't too likely
that PCAs will be set up to define "in-groups" that will automatically
be trusted with regard to their private thoughts, without further
introduction or initiation. (Or maybe someone will set up a secret
society PCA, so that all the Masons, Knights of Columbus, etc.,
will be able to exchange their secret lodge rituals over e-mail,
but only within the scope of their own CA.)
On the other hand, it does not seem at all unreasonable
that a group of users could get together and agree
on a common definition of what is meant, in a legal sense,
by a digital signature that appears on a document. Those
users could agree to sign something like my Affidavit of Legal
Mark, or the companies that sponsor such efforts might
form a consortium that agrees to be bound by such signatures.
I am troubled by Steve Kent saying that he doesn't know
what it means to be a member or affiliated with a PCA. I also
suddenly realize that I haven't seen the word "scope" or
"domain" in most of these discussions. Presumably, it means
that that CA, and therefore that user agrees with and promises
to comply with the POLICY of that PCA. Presumably the word
comply implies some level of conformance, auditing, or even
enforcement, which implies a contract somewhere. But
if the PCA wants to get paid for the various services it is
performing, a contract will be required in any case.
The problem seems to be that to date the various PCAs have
been slow to publish their Policies, or that, with respect
to any declarations with respect to what a digital signature
means, the policies are vacuous. My problem is that without
such a Policy I don't know what a digital signature means.
Many people are saying that a digital signature means nothing,
that it is to be used for identification only. But that reminds me
of those little packages that used to be sold "Only for the
prevention of disease." If a digital signature can be used
for identification, then it presumably can be used for
attribution. (If not, it really isn't much good for anything
other than opening doors.)
But if a signature can be used for attribution, then something
I sign can, and almost surely does, have some degree of legal
weight. In that case, how do I protect myself from unintended
consequences? What protection does my correspondent have
when he or she tries to understand the context of my comments,
and whether I intend to be bound by them?
Steve Crocker is right -- these issues simply won't go away.
It doesn't bother me that the term PCA isn't defined in X.509,
as X.509 is perhaps notorious for avoiding any discussion of
semantics at all. That shouldn't be a barrier to additional agreements.
P.S. to Steve Crocker -
Has TIS published the Policy for their PCA yet? If so, I missed
it. Could you send me a copy?