John,
Forgive me for being imprecise, even when I was trying to
clarify what I was saying.
I think you are quite right. Neither the PCA nor the
CA can limit the liability of a user in any way, at least
by contract. Jeff Kimmelman made the same point
privately.
What they could do, I feel, is to publish the equivalent
of a Legal Notice that states what the users' collective
expectations and understanding of their liabilities
might be. This would merely be a convenience for
the users, in order to avoid having to post such a notice
for themselves. I view this as the equivalent of printing
a statement on my company's checks to the effect that
two signatures are required for amounts in excess of $xxxx.
If I were to try to summarize the various positions that have been
expressed by the pem-dev community (which may only marginally
reflect the views of users, and particularly the legal counsel and
financial auditors within the users' organizations), I think it
would be as follows (I'll try to get this right):
1. The users generally do not want and do not intend that their digital
signatures be legally binding for transactions or acts of high value
or consequence, in particular if they might be personally liable. Some
users, however, do not want to be precluded from using their
signatures for legally binding purposes. So far there is no
efficient way to tell the difference between these two different
classes of users, at least that I can discern.
2. The users do intend that their signatures identify themselves,
and that any messages apparently signed by them should be
attributed to them. Despite the possibility of the theft of
a user's private key, no one other than myself seems to be very
concerned about the possibility of fraud or forgery.
3. If a user's digital signature implies anything at all regarding
attribution, then the users cannot escape the possibility
of being liable for slander or libel through their signed
utterances. This seems inescapable, and therefore
not worth arguing about.
4. The community seems to be divided as to what the implications
are or should be in the case where a user's DN includes an
organization, and especially if that organization is also the CA.
Some feel that the organization will inevitably have to accept
responsibility for its employees' actions, and that the inclusion of
the person's name within that organization implies a degree
of affiliation that is probably inescapable. Others feel equally strongly
that the use of the organization's name within the DN is merely
a convenience for addressing that individual in a globally unique
manner, and that affiliation can and perhaps should be very loose,
with no implication of corporate or (especially) CA responsibility
by those individuals whose names are subordinate to them.
5. There has been relatively little discussion about the implications
of a digital signature in those cases where there is an organizational
role in the DN. My feeling is that this pretty clearly involves the
company in some sort of shared liability, even if the individual
in question was not authorized to perform the particular transaction
in question.
My conclusion at this time is that we probably don't have any
very good way of limiting a user's liability for documents
allegedly signed using his digital signature, even if a forgery
was involved, except through litigation.
In other words, regardless of the user's intent, he is probably
subject to being held liable for anything that he signs or apparently
signs, and that the burden of proof will probably fall on the
defendant to prove the converse.
That leaves me with a very uncomfortable feeling, for I don't
know how to protect my keys and my user's keys at an affordable
cost when my liability and my company's liability might be almost
unbounded.
I feel that a continuing dialog on this issue is essential, but I don't
want to try the patience of the pem-dev development group
any further.
I would therefore invite individuals who are likely to be
responsible for recommending and/or establishing policies
to govern the USE of PEM and similar applications within
large commercial or government organizations to contact me
directly, preferably by e-mail, but snail-mail, FAX or
telephone is OK also. If there is sufficient interest, I
will consider setting up a controlled redistribution list.
I would be particularly interested to hear from MIS directors,
lawyers, corporate auditors, and other senior individuals who
have opinions on what type of policy would be appropriate
for their organizations. Please tell me who you are, what
organization you represent, and what plans or concerns you
might have regarding either the generation or use of digital
signatures within your organization.
My goal in this regard is to understand and establish
the infrastructure that will be necessary in order to derive
the maximum benefit that this technology can provide,
whether that is directed towards e-mail, internal corporate
documents, EDI, or financial applications. But my
initial interest is in those areas of intra- and inter-company
documents, primarily routine business correspondence,
that are not already being addressed by the X9F1 financial
standards community and/or the X.12 EDI community.
Feel free to pass this on to others within your organization if
appropriate.
The opinions expressed herein are my own, and do not
necessarily express the views of GTE or any of its
subsidiaries.
Robert R. Jueneman
Mgr., Secure Systems
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
USA
1-617-466-2820
1-617-466-2603 FAX