pem-dev

Re: Key & Signature responsibility

1993-08-09 16:11:00
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MFMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNRDE
 kMCIGA1UEChMbVHJ1c3RlZCBJbmZvcm1hdGlvbiBTeXN0ZW1zMREwDwYDVQQLEwh
 HbGVud29vZA==,03
MIC-Info: RSA-MD5,RSA,OPrctkESKMEou9grfnSYQQTncnX+Jwc1Lm8EgQixq/z
 G+Wl5AAaxofXuApLaNCkupsPCQU8v20ossImPj0IW87WE1bYrr6XspetL4DV4wi4
 LnUrEf5fCMLozrqOtND/o

Bob,

Thanks for your reply. I think we're on the same wavelength, but
not (yet) in total agreement.

1) Of the sample of two draft PCA policies I have seen (the RSA Commercial
Hierarchy and the TIS-PCA), neither specified that the CAs were supposed
to require their users to agree with the PCA's policy. I would hope that
it was implicit, but I would rather see it in writing.

I suppose this could be added, although I think it's specified in
1422.  I'll take this under consideration.


2) I agree that each PCA should have the option of specifying whether or not
they are willing to be legally bound by their digital signature.

I thought the issue was whether the PCA is to insist that the users
certified by their CAs were to be bound by their signatures.  The PCA
is presumably bound by its signature.


3) I don't understand why my point 3 is contrary to the current system.
As you say,

Speaking for TIS-PCA, the intent of signatures created within our
hierarchy is to identify who created the message in question.  Any
further interpretation of the signature is inextricably bound to a
myriad of other issues, none of which can be resolved with a
pronouncement or enforcement from the PCA.  For example, my signature
on this message is intended only to tell you that it came from me.
The fact that this contains my opinion or that I'm speaking in an
official capacity on behalf of our PCA is contained only in the
context of this message.

What is wrong with stating that as a policy for your PCA? It may not
solve my particular problem, but it certainly seems reasonable for many
purposes.

I agree that "Any further interpretation of the signature is
inextricably bound to a myriad of other issues, none of which can be
resolved with a pronouncement of enforcement from the PCA." That is
why I think that the user has to agree to commit to whatever
interpretation he chooses to, perhaps with an Affidavit of Legal
Mark, or maybe with an EDI Trading Partner Agreement.

(The problem with Trading Partner Agreements is that they are bilateral.
As a result, you need to have N-squared agreements, which tends to
mitigate the benefit of a public key system.)

Let me say it again another way. If the TIS-PCA publishes a statement
that says something like:

"The intent of signatures created within our hierarchy is to identify 
who created the message in question with a level of assurance that
is practical for a widely diverse user population. The use of a signature 
certified within this hierarchy for legally binding purposes, e.g., for
purposes of trade or commerce, may not be appropriate given the level
of assurance provided and is therefore not recommended."

Wouldn't this be acceptable, both to TIS and to your intended
user community?


The first sentence is ok, but the second one is not.  We certainly do
not want to recommend against using PEM for legally binding purposes.


Without some sort of notice to this effect, the user is potentially
liable for something that he didn't sign, because he hasn't devoted 
the necessary time and the resources to ensure that his keys are
adequately protected for all possible types of risk.

Are we still talking at cross purposes?

I don't know; are we?


Steve

-----END PRIVACY-ENHANCED MESSAGE-----
