Steve, George, and Michael,
Here is the second draft of the Legal Notice and Disclaimer I would
propose for a high assurance PCA such as the RSA Commercial Hierarchy
policy. I've not had an attorney look at it yet -- I wanted to see if we were
getting close from a business and technical standpoint first.
LEGAL NOTICE AND DISCLAIMER:
In consideration of the possibility of theft or other form of
compromise of a user's private key followed by the use
of that key by some third party to forge a user's digital
signature to a document, it is the express and agreed-to
intent of every user whose digital signature certificate is
certified using this PCA as the root of their certification
hierarchy, that:
1. The user explicitly disavows any intent to either create or
be bound by any document allegedly or actually bearing his
or her digital signature which purports to have any legal
force or consequence whatsoever (except for provable
allegations of libel, slander, or fraud); and that any document
which purports to bind, commit, or otherwise obligate the user
and/or the organization with which he or she is affiliated
either to perform or refrain from performing any act, or to
honor or allow any contract, agreement, or condition,
SHOULD BE CONSIDERED AN APPARENT FORGERY
and held to be null and void and without legal effect;
UNLESS,
a. The apparent originating user is employed by or otherwise closely
affiliated with the organization which issues or certifies his
or her digital signature certificate as the Certification
Authority,
and the digital signature is applied to a document which is
normally only used for internal organizational business
purposes and is routinely subjected to review and counter-
signature by a Manager or other duly authorized person,
i.e., a time card, expense account, travel authorization
request, purchase requisition, insurance beneficiary
designation, payroll deduction authorization, W4 form,
internal memoranda and reports, etc.; OR,
b. The originating user is formally designated as having an
Organizational Role within his or her Organization and/or
Organizational Unit and vouched for as having that role by
virtue of his or her digital signature certificate containing that
Organizational Role and the name and title of the Role
Occupant within the Distinguished Name and having been
certified by the Certification Authority for that organization;
it being duly noted that the certification of that person as being
the Role Occupant of that Organizational Role does not
necessarily suffice to define the duties or limitations associated
with that particular role beyond what can reasonably be inferred
in the normal course of business by the name of that Role; OR,
c. The originating user is a Residential Person, as indicated
by the presence of Locality information (e.g., state or province,
city, street name, and house number information) and the
absence of any Organization information in the Distinguished
Name within the user's digital signature certificate; OR,
d. The originating user elects to have certain documents carrying
his or her digital signature considered to be legally binding upon the
user and/or the user's association (if and as authorized), and so
indicates and registers that intent by providing all potential
recipients and holders-in-due-course of those documents a
notarized affidavit, contract, or other traditional form of legally
binding agreement which reaffirms the user's identity, attests to
his or her willingness to be legally bound by their digital
signature, and states whatever limitations, caveats, and
restrictions which are imposed by the user and which must be
understood to apply when determining the validity of any
document which purports to bear the user's digital signature; OR,
e. The originating user elects to have certain documents carrying
his or her digital signature considered to be legally binding upon the
user and/or the user's association (if and as authorized), and so
indicates and registers that intent by providing all potential
recipients and holders-in-due-course of those documents an
ELECTRONIC COPY of a notarized affidavit, contract, or other
traditional form of legally binding agreement which reaffirms the
user's identity, attests to his or her willingness to be legally
bound by their digital signature, and states whatever limitations,
caveats, and restrictions which are imposed by the user and
which must be understood to apply when determining the
validity of any document which purports to bear the user's
digital signature, a notarized true (paper) copy of the affidavit,
contract, or agreement having been deposited with the Policy
Certification Authority, and the digital signature and trusted
date/time stamp of the Policy Certification Authority having been
affixed as additional evidence of that fact.
2. This Legal Notice and Disclaimer shall remain in effect for the
duration of the validity period of the user's digital signature
certificate, and shall not be modified or waived by the Policy
Certification Authority, the user's Certification Authority, the
Organization with which the user is affiliated, or the user himself
or herself without the issuance of a Certification Revocation List
revoking the certificate of the PCA, CA, and/or the user as
appropriate and the issuance of a new digital signature certificate
to the user as required.
Comments?
Bob