Bob> (Aside to Doug Porter - how many PEM users are either involved in
grants to educational institutions or are involved in either government
or industry with contracts and COTRs, and would like to expedite this
process?)
Sounds like a good application, although EDI is already going after that
market. Let's keep our priorities with PEM straight.
I don't believe that the EDI community has or is expected to deal
with contracts, grants, funding requests and authorizations,
task plans, etc., yet I suspect that a significant amount of
the educational market (college and particularly graduate
school, not the high school/Prodigy market) will be involved in
these types of issues.
I don't think that this affects our "priorities" with respect to PEM
at all. Presumably organizations such as yours will develop and
try to sell PEM-conformant applications. What type of mail is
sent using that mail package is none of your concern, nor mine.
In particular, I am not trying to "fix" PEM, nor (I hope) trying to
"break" it, but rather to determine what happens if I USE it.
What is most at issue here is what the Policy statement for the
various PCAs should be, and how to draft those policies so that
the social goals of those who choose to be certified under that
PCA are achieved. I don't think that PEM needs to be modified at
all, although that doesn't mean that I wouldn't have a long list of
suggestions of what to do if the opportunity arose.
--------------------
Bob> Do you have an application in mind for PEM where you would sign
something (using your real name, not a Persona - I understand the
utility of a signed pseudonym) but not want it to be binding in any legal
sense?
Almost any non-contractual communication falls into that category, such
as the messages on this list. We also all sign personal letters to
friends with no expectation that it's a legally binding document. Of
course courts sometimes decide otherwise, but that is seldom the intent
of the writer.
I agree. The question which I keep raising, though, is how to avoid ALL
legal liability, especially for contractual agreements, in the event that your
private keys are stolen and used to FORGE your signature.
If the PCA Policy were to state that digital signatures were intended for
identification only, and that other than for libel and slander no legal
implications at all were to be asserted or implied, would that make you
and your customers
happy? If so, why don't you use the Persona PCA -- you don't even have to
use your real name, although you are not forbidden to. You could also use
your e-mail account name, and presumably only Compuserve or whomever
would know who you really were.
If your model is that of the speaker's corner at Hyde Park, or the
demonstrators in front of the White House, then I would think that
the Persona PCA would do for you.
On the other hand, if someone wants to be taken somewhat more
seriously, with their statements evaluated for their credibility on the
basis of their personal integrity and professional reputation, then
presumably they would want to use their own name. In that case,
I think that your CA ought to have some obligation to protect ME
from being impersonated by YOU (and vice versa), and so they
ought to at least ask for a signed application, and I would hope they
would require two or three forms of identification.
But assuming that there is a PCA who is willing to go into this business
(probably TIS-PCA), I would think that they could publish an appropriate
policy statement to the effect that digital signatures certified under that
PCA are not intended to have any legal weight at all, and that any
financial or other obligation apparently signed using such a digital
signature would be null and void.
What those users would be giving up in this case would include the
following, I should think:
1. The ability to file their IRS returns electronically using
such a system.
2. The ability to do any type of home banking.
3. The ability to sign or witness a laboratory notebook
that might be used to validate your patent rights
(another Nobel prize down the drain!)
4. The ability to sign a medical Power of Attorney or surgical
consent for their child who is in summer camp and needs
to be operated on for appendicitis.
I am not at all averse to allowing people to make those
tradeoffs, and I anticipate that many will probably be willing to
do that. I also believe that the TIS-PCA is probably the right
PCA to certify such users and their CAs. I just want to make
sure that the users know what they are giving up, and that the
recipients of their messages know what degree of trust
(and liability - the two go hand in hand) or lack thereof to
associate with them.
The model you seem to be recommending is the equivalent
of the street-corner free speech, in which case the legal
liability that could be imputed could probably be made the
equivalent of an oral contract. Even oral contracts can be
valid and binding, but generally there would have to be witnesses
to the fact that both parties agreed and intended to be bound
by that contract or handshake agreement.
Forcing the assumption of legal liability will make people
far less willing to speak their minds. We very badly need that
willingness to speak freely.
I would say that there is little danger on that score!