by
Stewart Baker
(sbaker@steptoe.com)

October 1997

As a result of work I have done for UNCITRAL and for individual clients, I am becoming concerned at the direction of digital signature laws around the world. It looks increasingly risky to incorporate such technology into mass market products.

The attachment was prepared as background for a briefing I was asked to do for Ira Magaziner, Don Gips, and other Administration officials about the recent UNCITRAL group of experts meeting on digital signatures.

Governments around the world are embracing digital signatures. Everybody loves this technology.

Oddly, that's the biggest obstacle it faces. Digital signature technology may be loved to death before it ever gets to really take off.

The technology

Public key cryptography was first described publicly in 1975. In essence, it relies on the difficulty of reversing certain mathematical functions. For example, multiplying to find a product is easy; factoring to find the numbers that were originally multiplied together is hard. With big enough numbers, I can even keep one number secret and publish the other - without any fear that the secret number can be guessed by an adversary. Then, everyone in the world can look up my public number and use it to encrypt a message that only I can read. That's the part of the public-key revolution that gives NSA and the FBI nightmares.

But the flip side of that process is just as intriguing - and may yet become the predominant use of public key technology. If I encrypt a message with my private key, anyone in the world can decrypt it using my public key. That's no way to keep secrets, but it's a great way to tell the world that I and I alone could have sent the message. Since I'm the only one in the world who knows what my private key is, no one else could have written a message that can be decrypted using my public key.

It doesn't take a genius to see how useful this technology could be in cyberspace. It allows us to put highly sensitive material on a network, then use digital signatures to restrict access. What's more, with only a modest infrastructure, strangers can do business with strangers all across the globe, using a few digital signatures to establish their bona fides.

What's needed to make this scenario come true is a "trust infrastructure." In the simplest case, suppose a bank issues digital signatures to every one of its customers that has maintained a $10,000 checking balance over the past year. If I want to do business online with another customer of the bank and he sends me a copy of his bank-issued digital signature, I can be pretty sure his $5,000 offer is good.

As a practical matter, the bank will probably issue a public-private key pair to its customers, then tell them to store the private key somewhere safe (a 3.5-inch floppy would be good; a chip card would be better). The bank could publish the public key (as well as its own) on the Internet and elsewhere. However, since they won't want to identify their clients as targets for scams or worse, it's more likely that the bank will privately issue a certificate, saying "As of October 1, the holder of this private key has maintained a $10,000 checking balance for the past year, signed, His Bank." The customer could then send that certificate to people who needed to know his credit was good, and they could rely on it as long as they knew the bank's public key and trusted the bank to tell the truth.

Why the technology requires new legal rules

The efficiencies and security that this system allows are tremendously exciting, but there are a few problems. First, suppose the customer is sloppy with his private key. He writes the password to his smart card on the card and then leaves the card in the washroom. Now anyone who has the card can use his identity -- and his credit. To deal with that problem, the bank needs to maintain an easily accessible list of stolen or compromised public-private key pairs. This is known as a Certificate Revocation List (CRL). And to make the system work, anyone who relies on digital signatures should check the CRL.
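The key pair, the bank-issued certificate and the CRL check described in "The technology" and in the paragraph above, as an added toy model that is not part of the original article. It uses textbook RSA with tiny primes purely for illustration (not real cryptography), and the bank, customer, offer text and revocation list are all constructed:

```python
"""Toy model of the bank-issued certificate and CRL described above.
Textbook RSA with tiny primes: illustration only, not real cryptography."""
import hashlib

def make_keypair(p, q, e=17):
    """Return ((n, e), (n, d)) for two small primes; d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    """'Encrypt with the private key': only the keyholder can produce this."""
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    """'Decrypt with the public key': anyone can check it, nobody else can forge it."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def issue_certificate(bank_priv, holder_pub, claim: str):
    """The bank binds a claim about the holder to the holder's public key and signs it."""
    cert = f"{claim}|holder_pub={holder_pub[0]},{holder_pub[1]}".encode()
    return cert, sign(bank_priv, cert)

def holder_key_from_cert(cert: bytes):
    """Pull the holder's public key back out of the certificate text."""
    n, e = cert.decode().split("holder_pub=")[1].split(",")
    return int(n), int(e)

def relying_party_accepts(bank_pub, cert, cert_sig, offer, offer_sig, crl, check_crl=True):
    """Accept the offer only if the bank's signature on the certificate and the
    holder's signature on the offer both verify, and (if the relying party
    bothers to look) the holder's key is not on the bank's CRL."""
    if not verify(bank_pub, cert, cert_sig):
        return False
    holder_pub = holder_key_from_cert(cert)
    if check_crl and holder_pub in crl:
        return False
    return verify(holder_pub, offer, offer_sig)

# Constructed sample run: bank and customer keys, certificate, offer, empty CRL.
BANK_PUB, BANK_PRIV = make_keypair(61, 53)
CUST_PUB, CUST_PRIV = make_keypair(101, 113)
CLAIM = ("As of October 1, the holder of this key has maintained a $10,000 "
         "checking balance for the past year, signed, His Bank")
CERT, CERT_SIG = issue_certificate(BANK_PRIV, CUST_PUB, CLAIM)
OFFER = b"I offer $5,000 for lot 17"
OFFER_SIG = sign(CUST_PRIV, OFFER)
CRL = set()

def scenario_before_compromise() -> bool:
    """Honest customer, key not revoked: the relying party should accept."""
    return relying_party_accepts(BANK_PUB, CERT, CERT_SIG, OFFER, OFFER_SIG, CRL)

def scenario_after_compromise(check_crl: bool) -> bool:
    """The card is left in the washroom and the bank puts the key on its CRL.
    Whoever holds the card can still produce a valid signature, so only the
    CRL lookup catches it; a relying party who skips the CRL gets burned."""
    revoked = {CUST_PUB}
    sig_from_card = sign(CUST_PRIV, OFFER)   # the card still holds the private key
    return relying_party_accepts(BANK_PUB, CERT, CERT_SIG, OFFER, sig_from_card,
                                 revoked, check_crl)
```

Running `scenario_after_compromise(True)` and `scenario_after_compromise(False)` side by side is the whole point of the paragraph: the signature math is identical in both, and only the revocation check separates them.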

But this is the real world. Some people won't check the CRL. They'll get burned. They'll blame the bank, because it has the most money to pay damages. They'll sue. (Thank God, a role for lawyers after the digital revolution!)

Without a law on digital signatures and certificates, no one knows how such a suit will come out. The bank can write a contract with the customer, demanding that he be careful with his private key, perhaps even making him liable for his negligence. But consumer groups would oppose enforcement of such contracts (digital signature buffs call this the "Grandma picks a bad password and loses her house" problem). Even worse from the bank's point of view, it doesn't have a contract with the guy who got burned by the compromised signature. He's just an innocent third party who lost money - by relying on the word of the bank, his lawyer will say.

Without more legal certainty about how to protect themselves (or how much insurance to buy), companies with deep pockets will not want to take that risk. They'll stay out of the business of issuing digital signatures and digital certificates for such transactions. In fact, for a decade or more, that's pretty much been the story: Cool math confronts corporate legal department; cool math loses.

How digital signatures are actually being implemented today

But the technology is too good to be locked up by lawyers forever. Companies that wanted to use digital signature technologies began looking for places where this open-ended liability wasn't a big problem. They found at least two.

1. Cheap certificates. First, they offered certificates with a sweeping disclaimer of any liability. These certificates aren't much good for high-value transactions, but they can be used in a lot of circumstances where even a no-liability signature is better than no signature at all.

Millions of "cheap," liability-free certificates are already in circulation. The SSL encryption that everyone uses for secure Web connections relies in part on digital signatures to identify the server and the browser to each other. No one really guarantees the server's public key, but if it's the same one every time I log on, I can be pretty sure that I am dealing with the same server, belonging to the same store, rather than to an online con artist. Other Internet-based "cheap" certificates include the "authenticode" certificates used to identify the authors of Java-like ActiveX programs. The certificates offer a modest, but better-than-nothing, security precaution for Internet users who are understandably reluctant to let code written by strangers gain access to their computer's operating system.

2. Closed system certificates. Second, some digital signature proponents have begun creating their own law, by contract. Any group of companies or individuals that does business in accordance with one or more agreements setting forth the liability and other rules that govern their relationships can create a self-contained set of rules to cover digital signatures. IBM, for example, can issue digital identity certificates to all its employees; it can say that they are good for email attribution and for petty cash requests but not for private transactions unrelated to work -- or whatever rules it is comfortable with. Or, in a more exciting use, Visa can issue certificates to all its member banks, and they can issue certificates to all their cardholders and merchants. Suddenly, shoppers don't have to type their credit card numbers onto the screen at Amazon.com, and they don't have to worry about Internet card number theft.

Within the preexisting Visa relationships, all those tough liability problems become easy. Visa simply says that using a digital signature won't substantially change the existing liability rules for any of the system participants. Liability is already covered by an elaborate set of agreements and rules, some driven by long-standing government regulations. (Remember Grandma and her house? For credit cards, the rule is clear enough inside the United States: if she picks a bad password, she may lose fifty bucks but she won't lose her house.) In fact, Visa and Mastercard have built digital signatures into a Secure Electronic Transaction protocol (SET) that is already being implemented in several countries.

Lawyers to the rescue?

While all this was going on, the lawyers themselves began to look for legislative solutions. A committee of the American Bar Association led by Michael Baum (now the top lawyer at Verisign) designed a comprehensive model law to deal with all the new legal issues arising from digital signatures. While that work was underway, the state of Utah took the plunge, enacting a variant of the ABA draft. Within three years, more than forty state legislatures were contemplating digital signature laws. So were numerous countries; indeed, by the fall of 1997 Germany, Malaysia, and Italy already had their own laws, and many more bills were in legislative hoppers around the world.

This should be good news - lawyers and lawmakers working together to solve a legal problem and enable the birth of a new technology. But it's not.

As we'll see, it is posing a growing threat to the burgeoning use of low-value certificates and closed certificate systems.

Digital signature laws are often sold to legislators as a way to bring written signature requirements into the computer age. An image is conjured up of computer signatures being rejected by courts insisting on something executed with a quill pen. This is an overstated problem, at least in the United States and for most commercial transactions. Courts have been treating printed telegrams as "signed" documents for a century. There's nothing about a digital signature that makes it a harder legal problem than telegrams - or telexes, or typed letters, or faxed signatures, or a dozen other ways in which real-world commercial actors have lawfully "signed" contracts over the last century.

What digital signatures need - uniquely - from the law is certainty about the obligations and rights of three parties:

(1) the keyholder who is identified by the public key and who controls the private key,

(2) the certifying authority who vouches for the public key and ties it to the identity (or creditworthiness, or chess club membership, or whatever) of the keyholder, and

(3) the relying party who gets the public key and the certificate and who decides to trust the certificate.

The Utah law, and the ABA guidelines, decided to spell out all of these duties in great detail. In particular, to make sure that relying parties could trust certifying authorities (CAs), the Utah law and the ABA called for government licensing. The government would make sure that prospective CAs are trustworthy and that they remain so. It would check the technical and other security measures that CAs use to protect keys and would enforce rules about documents CAs should demand before certifying someone's signature. (Can the CA issue an identity certificate based on one piece of identification or must it see three? Does it have to check the keyholder's address? And so on.)

By and large, the Utah bill is also pretty tough on keyholders. If they aren't careful with their private keys, they will lose their houses. Early boosters of the technology, however, thought the alternative was worse: Relying parties and certifying authorities might refuse to participate in digital signature transactions if keyholders could invalidate transactions after the fact by making up a story about having been negligent with their keys.

How many lawmakers does it take to screw up an infrastructure?

Two problems with the Utah approach only became apparent as digital signature laws began to sweep through legislature after legislature.

1. Conflicting obligations. First, not every lawmaker saw the policy issues the way Utah did. And the more detailed the legislation, the more room there was for fatal conflicts between state laws, sometimes on the most inconsequential points.

To take one example, both Utah and Washington require a CA to suspend a certificate if the CA gets a call from the keyholder saying the private key has been compromised. (In Utah, the keyholder has a big incentive to act fast; he wants that compromised key suspended before somebody sells his house.)

But to guard against fraud or pranks ("Hey, guys, let's call up the bank and suspend our gym teacher's public key."), the CA can't suspend for long without checking to make sure the suspension request really came from the keyholder. Under Utah law, the check has to be done within two days, but the certificate is automatically suspended whenever the CA gets a request from someone claiming to be the keyholder. Under Washington law, the caller can ask for a four-day suspension, but the CA can only suspend the certificate if the CA is pretty sure the caller really is the keyholder.

Same basic idea in both states. But what if you are a CA doing business in both states and you get a suspension request from someone who doesn't sound very much like the keyholder? In Utah, you must suspend; in Washington, you can't. Or suppose the caller asks for three days to come in and verify his identity? In Utah, you can't wait that long; in Washington, you must. CAs simply can't obey the laws of both states.

Other states have tried to avoid such problems by writing less detailed laws, leaving a lot to regulatory authorities. But that just postpones the conflicts, and perhaps makes them harder to find. It does not eliminate the likelihood of conflicting regulations. After all, many of the questions addressed by the Utah law have no easy answer. How much risk should the keyholder bear and how much should fall on the CA? Different states, and certainly different countries, will arrive at different answers to such questions. But, if CAs must change their practice in each country or each state, there will be very few CAs in ten years, and digital signatures will not live up to their promise.

2. State licensing. An even bigger potential problem is the solution Utah used to ensure the quality of CAs. Having CAs obtain licenses from the state in exchange for accepting regulation by the state is very appealing in many ways. It is flexible, it allows the state to "back up" the digital signature of a licensed CA with a state-issued certificate, and it gives unhappy parties somewhere to go with complaints.

But what if licensing is mandatory? Suddenly, many cheap but useful certificates could become too much trouble to bother with. Take the example of a merchant that wants to improve online shopping security by issuing customer certificates: "This certifies that the holder has purchased more than five books at Amazon.com using the name 'Stewart Baker'." If Amazon.com can't issue a simple customer certificate without registering in fifty states and complying with all the security rules that apply to the high-trust certificates, it will just stop using certificates like this. And we will all have a little less security when we shop online.

So far, in the United States, licensing has remained voluntary. If a CA wants the imprimatur of the State of Utah, it must register there. If not, not. Either way, the CA can lawfully issue certificates to Utah residents. (Actually, there are still some disadvantages that will push many firms into registering in most states, but I am ignoring them for simplicity.)

Not so abroad. Germany's law contains no savings clause for cheap certificates. It implies that no one may issue certificates without meeting strict standards for security; these standards include a requirement that private keys be stored only on a smart card - they can't be sent over the Internet, and they can't be stored on a magnetic stripe card or 3.5-inch floppy.

If pressed, German authorities sometimes say that they will not punish those who issue "unauthorized certificates." (That seems to be what they are telling the European Commission, which is worried about the trade-restricting impact of the German law.) But privately, some officials say that within three years the licensing regime will be mature and unauthorized CAs will be stamped out.

In Malaysia, that future is now. Malaysia's recently enacted digital signature bill makes it clear that anyone who issues certificates must register in Malaysia.

And it is not just cheap but useful certificates that will be affected. SET, arguably the most sweeping and important use of digital signature technology to actually see the light of day, is also harmed by the proliferation of registration requirements. Neither Malaysia nor Germany was willing to make a clear exception in its law even for entirely private and consensual uses of digital signatures.

Why conflicting rules won't go away by themselves

What's going on here? Partly, of course, it's just that some governments choose regulatory solutions for everything. In Europe, the idea of letting the market take care of things is viewed with suspicion in the best of times. It sounds even less plausible coming from the same Internet advocates who cheerfully proclaim that national borders are just speed bumps on the information highway and that important national policies - on distribution of pornography, on wiretapping, and a host of other issues - will soon be rendered unenforceable by a global market.

Worse, many other nations fear that such statements are just a disguised bid for American domination: "Leave it to the market, where our companies have an enormous lead." So government regulation looks to these nations as a cheap way to even up the odds; whatever competitive problems local technology companies may have in other arenas, they surely know more than Americans about working successfully with local authorities.

Then, too, the case for regulation gets stronger as the stakes get higher. If the main use for digital signatures will be for a national identity card that includes bank account access, the companies issuing those certificates had better be watched closely. If legislators don't know much about other uses of digital signature technology, or if a digital signature law is being jammed through the legislature by a few interested parties under the guise of "modernizing signature requirements," it isn't likely that closed systems or inexpensive certificates will get much attention from the legislative drafters.

Whatever the motivation for this outburst of regulatory zeal, the results will likely be a disaster for implementation of a public key infrastructure. Even if they might be able to get an exemption from most laws, users and issuers of cheap certificates can't stand even a remote prospect of liability in a handful of countries. Rather than register, they'll find weaker, less-regulated alternatives to digital signatures - or they'll do without entirely. The same goes for "closed system" users of digital signatures. Burgeoning regulations that are not tailored to their private certificate system will create disincentives for credit card companies to use digital signatures. In short, this outbreak of regulatory enthusiasm is likely to make digital signatures much rarer and much riskier for prospective certificate authorities.
