I have been quite surprised by the number of requests for a lengthy summary of
messages regarding reliance limits, liability, etc., that originally appeared
on the ietf-pkix list. Judging by the affiliations of those who contacted me
after reading my offer on the sepp-talk list, there are a number of people who
may be more "business" oriented than technical who are monitoring some of these
lists than might at first appear. Respondents included people from the US Congressional
Budget Office; Hitachi-SK in Japan; GIE - Groupement des Cartes Bancaires,
Paris; Citicorp and Bank of America, and OSF.
I'm now wondering whether there would be a sufficient amount of interest in
discussing the business/legal aspects of electronic payments, certificates,
CAs, etc., as to warrant establishing a separate discussion list for that
purpose. I'm not trying to exclude anyone, just trying to declutter the
existing list(s) so they can focus more on the technical issues. In particular
Warwick Ford, co-chair of the ietf-pkix group, has indicated that the sometimes
voluminous mail on these topics (mea culpa) overwhelms him, and that these
issues aren't presently being addressed in the RFC they are preparing. He
recommended that a separate RFC be prepared which could then be commented on
and eventually folded into the pkix RFC, if appropriate.
Although I understand that a certain amount of coming up to speed is necessary,
I would be primarily interested in developing a list of active contributors,
not just educating the lurkers. A strong technical background would NOT
necessarily be required, and in fact a banking/business/legal background would
probably be more helpful. However, a working knowledge of the technology of
digital signatures and the various legal issues (e.g., at the level of the
tutorial in the draft ABA Digital Signature Guidelines document) would be
highly desirable.
Please respond to me directly if you might be interested, so we don't
cross-post and clutter these lists any more than necessary.
Bob
I have prepared a summary of some of the discussion that has taken place on
ietf-pkix over the last month on the topic of liability and how to defend
against it with an appropriate terse legal notice and a URL pointer to the
CA's complete policy statement. The discussion addresses the potential
problem of a subscriber who uses a certificate for other purposes than it
might have been intended, i.e., for credit card transactions, and instead uses
it to sign a contract or something else. The relying party does not have an
agreement or contract with the CA, but relies on the information to some
extent and is harmed thereby, and therefore sues both the CA and the
subscriber.
Because the summary of five or six lengthy messages is almost 600 lines long,
I will forward it only on request.
Bob
Robert R. Jueneman
GTE Laboratories
1-617-466-2820 Office
1-508-264-0485 Telecommuting
Jueneman(_at_)gte(_dot_)com