The point I was really trying to make, though, was whether the
experience with using credit cards as ID in the real world provides any
lessons for the use (or misuse) of credit card companies as
"certification authorities". A credit card company provides a
credential or certificate which includes a user name, credit card
number, and public key (I am not familiar with the details of the
various proposals, but I gather that similar information is included).
They are worried (it is suggested here) that people will take those and
use them to prove identity in other contexts. Merchants might demand
to see those credentials in order to be sure of the identity of the
person they are dealing with. This could raise a liability issue for the
CC company if the identity is faked.
(Do I understand the issue correctly? I confess that I don't see exactly
in what situation people might take a credential/certificate from a credit
card company and use it for identification in such a way that the credit
card company would object. Perhaps a concrete example would be helpful.)
To me this situation sounds very analogous to the one where credit cards
with names on them are used to facilitate various transactions which may
not involve the credit card companies directly. Was there a liability
concern there, that if someone got a Citibank card in a fake name and
some other person relied on their identity, then Citibank could get sued?
I don't recall the issue being framed in those terms.
Hal Finney
I don't know whether that particular issue was ever framed that way as a
matter of fact, but I believe that you correctly understand the issue.
This is a point that most people who are not attorneys often don't
understand. (I'm not a lawyer either, so don't start piling sand on top of
me! And I'm not an expert and will say so up front, so if I'm wrong don't
try to apply this same reasoning in suing me! :-)
There is a general theory concerning Fraud and Misrepresentation in
English common law that runs throughout the US civil law. If party A makes
a statement or representation of fact, being in a position to make an
authoritative statement and knowing or ought to know that someone might
reasonably rely on that statement, and if party B does rely on that
statement and suffers harm or damages as a result, the relying party (B)
is entitled to sue for damages from A, EVEN THOUGH NO CONTRACT OR
AGREEMENT EXISTS BETWEEN A AND B.
Even the general rule of sovereign immunity for actions of the Government
doesn't preclude the application of this rule. For example, if the Coast and
Geodetic survey people publish a book of tides for mariners, or if they
publish the depth of frequented waterways, and there is an error in those
reports and a ship runs aground, the C&G can be successfully sued for
damages. If the error was willful or the result of gross negligence,
punitive damages may apply in addition.
In the case of a credit card (or a certificate issued by a credit card
company), there is both the explicit identity information that is provided
(the name on the card). In addition, there is an implicit but reasonably
strong indication of stability and creditworthiness, based on the color of
the card and the number of years of membership (in the case of Amex, for
example).
Whether reasonable or unreasonable (that's for the court to determine), a
merchant may rely on that explicit and implicit information to a greater
or lesser extent. And if the information is erroneous, the card issuer may
be liable for damages. (That's probably the real reason why they stopped
writing the card number on checks -- it prevents the collection of the
necessary information to prove reliance.)
Now consider the case where Alice has a "Platinum" certificate issued by a
card association, and she uses the corresponding key pair to make a
digitally signed offer on a house. If for some reason the deal falls
through, Harry Homeowner might try to sue both Alice and the card
company, alleging that Harry relied on the identification and implication
of creditworthiness of Alice by the card company. Alice turns out to be
well-dressed but homeless and bankrupt, and the card association is stuck
with the deep pockets liability.
Although this seems pretty implausible in the case of a credit card, the
uncertainty surrounding the use of a certificate to authenticate a digital
signature for such purposes is enough to give almost any CA reason to
pause, and especially the risk-averse financial institutions.
Unless the risk can be bounded by the use of carefully drafted legal
notices and policy statements concerning caveats and limitations, the risk
is likely to greatly exceed the rewards of a modestly-priced certificate.
That's why I've been arguing so strenuously (and for such a long time, it
seems) on ietf-pkix and this list for the optional means to include a
terse statement plus an embedded secure URL of some form that points to
the CA's more comprehensive policy -- to provide the CA a defensible way
to say that the relying party in fact should not have relied on that
certificate for that purpose, for that kind of reliance was explicitly
ruled out.
Bob
Robert R. Jueneman
GTE Laboratories
1-617-466-2820 Office
1-508-264-0485 Telecommuting