Steve,
I have sent you a repeat of my message to Jeff. Perhaps your message
took my comments out of context.
You said:
From: jueneman%wotan@gte.com
Date: Sun, 08 Aug 93 18:49:00 EDT
Subject: Key & Signature responsibility
I am therefore urging that a PCA state in its Policy, that AS A CONDITION OF
ISSUING A CERTIFICATE TO A CA:
(1) the CA shall require its users to agree to comply with the PCA's
Policy,
(2) that the PCA, the CA, and/or its users shall publish a readily
accessible statement saying what they are or are not willing to
be bound to with respect to their digital signature, and that
(3) in the absence of such a published statement their digital
signature is for all intents and purposes essentially
undefined, and is therefore null and void.
Do you feel that such a requirement by a PCA violates either the
spirit or the letter of the intent of the PEM standards? I certainly
don't.
----- End of quoted message -----
Let me add to Jeff's response. You've listed three terms that you
believe each PCA policy should adhere to. Of these, (1) is required
within the current system, (2) is at the option of each PCA, and (3)
is contrary to the current system. In fact, the community argued
quite vigorously about constraints such as (3) and there was strong
opposition to such requirements.
1) Of the sample of two draft PCA policies I have seen (the RSA Commercial
Hierarchy and the TIS-PCA), neither specified that the CAs were supposed
to require their users to agree with the PCA's policy. I would hope that
it was implicit, but I would rather see it in writing.
2) I agree that each PCA should have the option of specifying whether or not
they are willing to be legally bound by their digital signature.
3) I don't understand why my point 3 is contrary to the current system.
As you say,
Speaking for TIS-PCA, the intent of signatures created within our
hierarchy is to identify who created the message in question. Any
further interpretation of the signature is inextricably bound to a
myriad of other issues, none of which can be resolved with a
pronouncement or enforcement from the PCA. For example, my signature
on this message is intended only to tell you that it came from me.
The fact that this contains my opinion or that I'm speaking in an
official capacity on behalf of our PCA is contained only in the
context of this message.
What is wrong with stating that as a policy for your PCA? It may not
solve my particular problem, but it certainly seems reasonable for many
purposes.
I agree that "Any further interpretation of the signature is inextricably bound
to a myriad of other issues, none of which can be resolved with
a pronouncement or enforcement from the PCA." That is why I think that
the user has to agree to commit to whatever interpretation he
chooses to, perhaps with an Affidavit of Legal Mark, or maybe
with an EDI Trading Partner Agreement.
(The problem with Trading Partner Agreements is that they are bilateral.
As a result, you need to have N-squared agreements, which tends to
mitigate the benefit of a public key system.)
Let me say it again another way. If the TIS-PCA publishes a statement
that says something like:
"The intent of signatures created within our hierarchy is to identify
who created the message in question with a level of assurance that
is practical for a widely diverse user population. The use of a signature
certified within this hierarchy for legally binding purposes, e.g., for
purposes of trade or commerce, may not be appropriate given the level
of assurance provided and is therefore not recommended."
Wouldn't this be acceptable, both to TIS and to your intended
user community?
Without some sort of notice to this effect, the user is potentially
liable for something that he didn't sign, because he hasn't devoted
the necessary time and the resources to ensure that his keys are
adequately protected for all possible types of risk.
Are we still talking at cross purposes?
Bob