pem-dev

Re: PCA policies re legally binding signatures

1993-08-11 07:35:00
I think much of the discussion over requirements on PCAs concerning
how binding user signatures are is fundamentally backwards.  Someone
certifying my public key cannot possibly bind me or the signatures I
create in any way.  CAs can certify my public key without my
permission or even knowledge, just as a service could create an
on-line database of physical signatures for use by check verifiers and
that action would not make my physical signature any more binding than
it is today.

The only contract that could possibly be relevant would be a contract
between me and my CA in which I agree to be bound in a certain way by
signatures I create with the certified key.  I suppose all the CAs
below a PCA could have a uniform contract and could publish that
contract as part of their PCA statement, but that doesn't seem to be
what is being debated here.  I can see no reason why such a contract
should be required or prohibited.

Nothing we do is going to keep lawyers from doing something crazy if
they are of a mind to.  I don't believe adding obvious disclaimers
akin to "possession of a driver's licence does not imply that the
holder's checking account has sufficient funds" is useful; if
anything it will encourage them.

        --Charlie
        (kaufman(_at_)zk3(_dot_)dec(_dot_)com)

