In light of the various difficulties involved in providing a disclaimer
of the user's liability within the X.509 certificate that have become
increasingly apparent over the last several days, I thought it might
be worthwhile revisiting the possibility of providing a suitable
disclaimer statement within a PCA's policy statement (at the
discretion of the individual PCAs, of course).

Because we want to be able to limit or deny legal liability for most
uses of digital signatures but not rule out the possibility of
someone using their digital signature for legally binding purposes
under certain circumstances, I think we have to firmly establish a
default of not-legally-binding, and then let that default be
overridden by the user through a written and notarized document
such as a unilateral affidavit or a bilateral or multilateral contract
or other specific agreement.

At such time as the ANSI X9F1, EDI, ECMA, and/or other
authorization-granting certificates have been officially
adopted this disclaimer should be modified to endorse them, but
until definitive standards exist it is probably too dangerous to
allow exceptions to this policy, even to the extent of referring
to a digitally signed and witnessed electronic copy of the affidavit
or contract referred to below (because it would just require the
forger to forge two signatures.)

I haven't run this by a lawyer for a definitive review yet, but what
I have in mind is something like the following:

LEGAL NOTICE AND DISCLAIMER:
In consideration of the possibility of theft or other form of
compromise of a user's private key followed by the use
of that key by some third party to forge a user's digital
signature to a document, it is the express and agreed-to
intent of every user whose digital signature certificate is
certified using this PCA as the root of their certification
hierarchy, that:

1. The user explicitly disavows any intent to either create or
be bound by any document allegedly or actually bearing his
or her digital signature which purports to have any legal
force or consequence whatsoever (except for provable
allegations of libel or slander); and that any document which
purports to bind, commit, or otherwise obligate the user
and/or the organization with which he or she is affiliated
either to perform or refrain from performing any act, or to
honor or allow any contract, agreement, or condition,
SHOULD BE CONSIDERED AN APPARENT FORGERY
and held to be null and void and without legal effect;
unless,

2. The user elects to have certain documents carrying his or
her digital signature considered to be legally binding upon the
user and/or the user's association (if and as authorized),
and so indicates and registers that intent by providing
all potential recipients and holders-in-due-course of those
documents a notarized affidavit, contract, or other
traditional form of legally binding agreement which reaffirms
the user's identity, attests to his or her willingness to be
legally bound by their digital signature, and states whatever
limitations, caveats, and restrictions which are imposed by
the user and which must be understood to apply when
determining the validity of any document which purports
to bear the user's digital signature.

3. This Legal Notice and Disclaimer shall remain in effect
for the duration of the validity period of the user's
digital signature certificate, and shall not be modified or
waived by the Policy Certification Authority, the user's
Certification Authority, the organization with which the
user is affiliated, or the user himself or herself without
the issuance of a Certification Revocation List revoking the
certificate of the PCA, CA, and/or the user as appropriate
and the issuance of a new digital signature certificate to
the user as required.

Comments?

Bob