Donald Eastlake writes:
With regard to the stuff below, it occurs to me that CAs and/or PCAs
could offer a service where they forwarded mail with their own
signature and time. With this feature a user could just include their
own certificate in the mail and send it to, for example, their CA.
The CA would perform a number of checks (reasonable date&time,
currently valid certificate, etc.), perhaps manipulate the address
headers such as the To: field a bit, and then create a new message
containing the modified original message and signed by the CA, with
the date&time of signing and the CA's certificate. Etc. While this
might create a choke point if the volume were too high the CA can (1)
set up multiple hosts that provide this service and/or (2) charge for
it.
This is exactly the model I had in mind, assuming that the originator
recognizes the fact that nonrepudiation is likely to be necessary.
But the recipient of the message should be able to dsend an inquiry
to the CA and get back a reply in the same manner. In this case
it doesn't seem necessary to send the entire message back and forth --
it would suffice to send only the digital signature. (Sending only the
message digest might be dangerous, as it might imply that the CA was
endorsing the content of the message instead of merely confirming the
validity of the user's certificate at that moment.
An accurate timestamp would be nice, and we should probably determine
how much accuracy is required, but it is both necessary and for most
purposes sufficient to have the CA include an explicit statement to the
effect that certificate #xxxx, issued by yyy (i.e., that CA) was valid at the
time
of receipt of the enclosed digitally signed message or digital signature.
Note that if the CA lies and says that the certificate was valid when it
really wasn't, the CA is merely hanging itself with its own rope, assuming
that the CA is operated by the organization with which the user is affiliated
and therefore has at least some degree of deep-pockets responsibility.
If the CA says that the certificate was invalid when it was really valid, the
recipient can reject the transaction and leave it to the originator to
straighten out.
In the case of an unaffiliated user, an accidental or deliberate error on the
part of the CA may leave the recipient with relatively little recourse. This
problem probably deserves further study from a legal perspective, e.g., at
the ABA workshop on notarization and nonrepudiation.
Bob