Slide Presentation and Annotations: Each page of this document corresponds to a transparency that was presented at the July 24 public forum. In addition, each page has been annotated with notes to provide further context and background.
Appendix A: Statement on the relationship between state and federal law for electronic authentication, delivered to the Domestic and International Monetary Policy Subcommittee of the Committee on Banking and Financial Services of the United States House of Representatives, July 9, 1997.
Appendix B: Information related to the Virtual State House Project. This is a graduate course and workshop at the Massachusetts Institute of Technology that centers on legal, policy, design and technical issues of online government and electronic commerce, with special emphasis on state government issues.
Appendix C: Electronic Commerce Surveys by the Commonwealth of Massachusetts. The Commonwealth is conducting an empirical survey of electronic contracting practices and a straw poll of opinions related to electronic signature legislation.
Appendix D: The Commonwealth of Massachusetts Online Government Task Force. This Task Force was convened by Louis Gutierrez, the Chief Information Officer for the Commonwealth, to assist the CIO in developing electronic commerce and online government policy.
Appendix E: Digital Signature Mock Trial. The purpose of this exercise is to explore the legal ramifications of deploying digital signature technology as a business tool, including: what grounds may exist for a legal cause of action, what issues arise relative to preserving certain evidence for trial, how certain contract terms might be interpreted, etc. This is planned for the fall of 1997 and will take place via a collaborative web site.
Appendix F: The PKI Page! This is a screen print of the Commonwealth of Massachusetts CIO's current Public Key Infrastructure information web page. The page contains links to a large number of technical, business, government and academic source materials.
Appendix G: ELECTRONIC SIGNATURES AND RECORDS: Legal, Policy and Technical Considerations. This January 1997 draft article was presented to a Massachusetts Continuing Legal Education program on Health Care and Information Technology.
Appendix H: E-Mail to UNCITRAL List Serve. This e-mail message outlines the differences in legislative approach between Utah and Massachusetts and exemplifies the dialogue underway at the state level relating to digital signature law and policy.
Daniel Greenwood, Deputy General Counsel
Information Technology Division, Commonwealth of Massachusetts
JULY 24, 1997
Public Forum on Certificate Authorities
and Digital Signatures:
Enhancing Global Electronic Commerce
* Background and Context
* State Legislation
* Pro-Market Approach
* Accreditation: Public/Private
==== Comments on Slide ====
This slide previews the contents of the presentation.
Background and Context
"The Citizens Would Rather
Be On-Line Than In Line"
* Why states care
* What states do
* How states act
==== Comments on Slide ====
This slide sets the background and context of state government interest in these matters.

Why states care: this technology holds the potential for use by states as a tool for efficient public administration and, in the private sector, it can foster electronic commerce, broader economic development and other societally useful purposes.

What states do: states are huge business operations that would benefit, like any other business, from the capacity to use secure online communications to reduce costs and enhance service quality (our logo is "the citizens would rather be online than in line").

How states act: this is a critical point. Many proponents of government action in the area of digital signatures and CAs seek statutes. Legislation that intervenes in the market by picking technology winners, apportioning liability among private parties to electronic transactions, granting special liability limitations for certain parties, or otherwise prescribing regulated behavior beyond that currently required under other bodies of law (consumer law, contract law, commercial law, existing regulatory oversight, etc.) is premature at best and risks harming the market's evolution toward implementations that are workable from a technical and business perspective. Other ways in which states and governments act should be explored as better methods of promoting electronic commerce at this early stage of market development. For instance, tax policy must be reformed so that no new net-specific taxes are levied and a tangle of inconsistent tax regimes does not emerge (and tax reductions should be seriously considered as a growth incentive). Furthermore, public procurement and government electronic filing, registration and similar requirements are direct methods of promoting the use of these technologies.
* Electronic Signatures
- Common Law/Quill Pens
- "Any symbol or method with
present intent to be bound"
* Secure Signatures
==== Comments on Slide ====
An "Electronic Signature" refers to any electronic authentication method that would meet the common law requirements for a signature. Under the common law, any mark or symbol qualifies as an enforceable signature if it was executed with an intent to be bound or to authenticate a record. No particular security is required to create a signature that is potentially legally binding; for instance, signatures written in pencil on paper can be enforceable, and courts have long held typed signatures on paper and (more recently) even on e-mail to be legally enforceable as well. However, as a rule of thumb, the better the security surrounding a given signature, the more weight that signature is likely to be afforded in a court of law or other decisional forum (from simple negotiations to formal arbitration). This issue arises most sharply when a party attempts to repudiate (deny) having signed (authenticated) a record. A "Secure Signature" refers to a subset of electronic signatures that possess security features enhancing the reliability of the signature's authenticity. Legislation that merely recognizes the validity of electronic signatures generally has been adopted by Virginia, Texas, Florida, Rhode Island and other states. While these laws probably just restate the result a court should reach under the common law, some people are still confused or uncertain about whether an electronic signature is "legal." Furthermore, electronic signature laws serve the vital purpose of eliminating antiquated "quill pen" laws that require certain documents to be "signed in ink" or impose other inappropriate medium-specific requirements. Reform, amendment or repeal of such laws clears the decks for electronic commerce.
* Electronic Signatures
* Secure Signatures
- California: Criteria-Based
- Utah: Digital Signature
==== Comments on Slide ====
A "Secure Signature" refers to a subset of electronic signatures that possess security features enhancing the reliability of the signature's authenticity. For example, a "Digital Signature" (one created by use of public key cryptography and a message digest: the record is hashed and the hash is signed with the signer's private key, so that anyone holding the matching public key can check that this key was used and that the record has not changed since) is a type of secure signature. If the digital signature is verifiable by reference to an X.509 digital certificate that was issued by a reliable CA, then the signature can be deemed even more secure, because the certificate binds the public key to an identified person rather than leaving the relying party to take the key's ownership on faith.

The states of Utah and Washington have adopted "Digital Signature" legislation. While this legislation confirms the validity of digital signatures, it does not similarly confirm the validity of electronic signatures (though it does not restrict the validity of other types of electronic signatures). In addition, the Utah/Washington legislation creates a rebuttable presumption that the digital signature is that of the person it purports to be from. The theory is that since digital signature technology is more secure than other types of electronic signatures, it deserves special statutory evidentiary weight. Furthermore, this legislation creates state government licensing of CAs and provides for the limitation of liability for licensed CAs.

Another form of secure signature legislation was adopted by the state of California. California chose to enumerate certain security criteria rather than specify digital signatures alone. Under the California law, a signature must meet the following requirements:
(1) it is unique to the person using it;
(2) it is capable of verification;
(3) it is under the sole control of the person using it;
(4) it is linked to data in such a manner that if the data are changed, the digital signature is invalidated; and
(5) it conforms to regulations adopted by the Secretary of State.

[Some people talk about the need for legislation that will make a digital signature "valid and enforceable." Such an approach is dangerous because it goes too far. It is more accurate to say we need certainty that such a signature will not be invalid merely because it is in electronic form. There are many other areas of law that would, and should, render even a reliable digital signature "invalid" or "unenforceable" - such as if the signature signed a contract to perform a criminal act, or if the signer was a minor, or any number of other defenses or factors. It is important to tailor any electronic authentication legislation to achieve narrow and understood goals, because many other areas of law are implicated at the state and federal levels.]
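To make the mechanics behind this slide concrete, the following Go program is an added example written for this annotation; it is not code from the Commonwealth, the forum, or any of the statutes discussed. It hashes a record with SHA-256, signs the digest with an ECDSA private key, has a hypothetical "Example CA" issue an X.509 certificate binding the public key to a hypothetical signer "Alice Signer", and then verifies in the order a relying party should: the certificate chain to the trusted CA first, then the signature over the record. It also exercises two failure modes the California criteria are meant to capture: the same signature presented with an altered record (criterion 4) and a mathematically valid signature from a key that no trusted CA certified. All names, serial numbers and the purchase-order text are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on err; key generation and certificate encoding only fail on a broken
// random source or template, so the demo below stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal X.509 template; names and serials here are hypothetical.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue has signer (the parent's private key) certify that pub belongs to tmpl's
// subject; with tmpl == parent and signer owning pub, the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// sign is the "message digest + public key cryptography" step: hash the record,
// then sign the digest with the private key that only the signer should control.
func sign(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verify chains cert to the trusted CA, then checks sig against the certified key.
// Either failure means the relying party must not treat record as signed by the
// certificate's subject.
func verify(record, sig []byte, cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	// CheckSignature recomputes SHA-256 over record and verifies sig with the certified key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, record, sig); err != nil {
		return fmt.Errorf("signature does not match the record: %w", err)
	}
	return nil
}

// demo reports whether a genuine signature verifies, whether the same signature over
// altered data is rejected, and whether a signature from an uncertified key is rejected.
func demo() (genuineOK, tamperedRejected, uncertifiedRejected bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := template("Example CA", 1, true)
	caCert := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	aliceKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	aliceCert := issue(template("Alice Signer", 2, false), caCert, &aliceKey.PublicKey, caKey)

	record := []byte("Purchase order 1042: 500 units at $3.00 each") // constructed sample record
	sig := must(sign(aliceKey, record))
	genuineOK = verify(record, sig, aliceCert, caCert) == nil

	// California criterion (4): the signature is bound to the data, so a changed price fails.
	altered := []byte("Purchase order 1042: 500 units at $0.30 each")
	tamperedRejected = verify(altered, sig, aliceCert, caCert) != nil

	// An impostor with a self-signed certificate that merely claims to be Alice: the
	// signature itself is mathematically valid, but no trusted CA vouches for the binding.
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueTmpl := template("Alice Signer", 3, false)
	rogueCert := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	uncertifiedRejected = verify(record, must(sign(rogueKey, record)), rogueCert, caCert) != nil
	return
}

func main() {
	g, t, u := demo()
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, uncertified rejected: %v\n", g, t, u)
}
```

Run it with `go run`; all three results should be true. Note what the program cannot show: it proves that Alice's private key was used, not that Alice used it. Anyone holding a copy of that key produces a signature that passes every check above, which is why "sole control" (criterion 3) is a statement about key handling and not something verification can confirm.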
- Wills and Trusts
- Real Estate
- Negotiable Instruments
- FOIA: Private Key
==== Comments on Slide ====
It is interesting to note areas of law or practice that are exempted from the scope of legislation. Some legislation provides for no exceptions. Important policy questions are raised by each of these areas. For instance, for the foreseeable future, some citizens and consumers will not have access to electronic commerce tools. Thus, statutes that call for signed notices and similar protections must be studied. The Massachusetts General Laws contain no less than 4,515 references to writings and signings (many of which provide for notice requirements). The effect of electronic or digital signature legislation in these areas should be closely examined and, in the end, states and the federal government should agree on a consistent approach to this issue. Proposed federal preemptive law that would interfere with existing state laws in these and other areas should be studied for several decades prior to action (just kidding - but there is a serious risk that federal law in this area will create undue, unwise and unwelcome changes in core areas of state law unless drafted in close cooperation with state policy makers).
Mass. Statutory Approach:
* Slow Move to Secure Sig. Law
* Technology Neutral/Reform Quill-Pen Laws
Mass. Policy Approach:
* Promote Competitive Market
* Harmonize Practice and Law/Develop PKI
==== Comments on Slide ====
Why be slow to move toward secure signature law? Most (nearly all) citizens and businesses do not possess or use especially secure computing systems at this time. While smart cards and other technologies hold the promise of more secure implementations of PKI in the future, the current technical and business practice environment is not secure enough to warrant an evidentiary presumption against one who purportedly used a digital signature - but the current state of technology and market adoption is certainly sufficient to warrant the promotion of electronic commerce under existing legal principles. Furthermore, since no system has yet been devised to prevent forgery (including PKI), it appears that for the foreseeable future some parties who repudiate signatures will actually be telling the truth. A valid digital signature proves only that the signer's private key was used, not who used it: a key copied from an unprotected file, or exercised by malicious software on a compromised computer, produces a signature that verifies perfectly. (In fact, I am litigating a case now where my client is the victim of an indisputable ink on paper forgery - the electronic equivalent of this case is not unprecedented.) Particularly where the law applies to consumers (as distinct from business to business), current evidentiary processes should remain in effect. Any reversal of the burden of proof against a signer should occur only after a period of experience with widely used electronic authentication systems and scrutiny of known forgery rates and other reliability factors related to those systems.

As a general principle, special statutory benefits (liability limits, other regulatory safe-harbors, evidentiary presumptions, etc.) should not be gifted to any technology users or industries in an attempt to kindle electronic commerce. No market has ever been regulated into existence. Markets are created as a result of supply and demand. The law and government policy in this area should promote a competitive market place for PKI and for other technologies. Clearing legal obstacles makes sense - but affirmatively providing regulatory benefits risks legislatively enshrining incorrect guesses about the best technology and business practices (thus chilling innovation and market evolution of the most efficient approaches). Law in this area should follow and reflect market realities (like the Commercial Code) and not attempt to lead the market. Hence, technology neutral laws that assure the common law is properly applied to electronic authentication are appropriate. In general, statutes and policies need to be coordinated at the state and federal levels. However, the primary focus of government policy at this time should be the facilitation of coordinated business practices and technology standardization - not legislation and regulation.
Statutes, Practices & the Market: ACCREDITATION
- Health Care, Schools, Insurance, Labs, etc.
Market Driven, Multi-Tiered
- Openly arrived at results
- Broadly representative
- Voluntary, Self-Sustaining
- Accepted & Accessible
==== Comments on Slide ====
The development of a usable PKI will be best served by a competitive market for PKI related products and services - and that should include a competitive market for CAs. A multi-CA market will require some quick, objective way to determine whether a given certificate issued by a given CA is sufficiently reliable under the circumstances. It is widely recognized that private sector based accreditation of CAs can serve these and other practice harmonizing goals. To be successful, accreditation should serve the needs of the public and the private sector and should be (eventually) capable of scaling up to global use. To the extent statutes, regulations or private contracts need to reference the use of a CA that meets certain minimum standards, reference should be made to accreditation rather than government license. There is significant precedent for the legal recognition of private accreditation. Statutes frequently either give legal recognition to accreditation or, in some cases, provide that an organization (health care, insurance, etc.) must be either licensed or accredited to do business in a particular jurisdiction. The process of creating accreditation that in fact affords sufficient information on which to base a judgment about the reliability of a given certificate (and the CA that issued it) must involve a broadly representative group of stakeholders. The process of accreditation should be voluntary for CAs and it should be financially self-sustaining. The results (the ratings of accredited CAs) must be publicly accessible to any consumer or business who would seek to rely on the accreditation (perhaps available in both machine readable and human readable formats). A closed system of accreditation would not be consistent with promoting general electronic commerce. Widely accepted accreditation can serve as the basis for technical cross-certification among CAs as well. States are actively involved in initiatives to test and create CA accreditation.
"The Forums are the Thing"
* NASIRE, NASPO, NASC
* American Bar Association
* CommerceNet, Etc.
* U.S. Innovation Partnership (USIP)
- Web-Based Conference
- State and Federal
- Statutes, Policy and Practice
==== Comments on Slide ====
It is important that the stakeholders, public and private sector, in electronic commerce and PKI development focus on coordinating efforts. On the state level, NASIRE, NASPO, and NASC (national organizations of state governments) are working hard with the National Automated Clearing House Association (a bank trade association) to facilitate the creation of private sector based CA accreditation. Other organizations are also attempting to provide forums for stakeholders to work together on various legal, policy, business practice and technical issues. As time goes on, it will be important to further coordinate the use of these forums to ensure adequate information exchange and reduce duplication and conflict. One important forum is the USIP, a partnership between the National Governors Association and the White House to foster collaboration between the states and the federal government on national technology policy. The USIP is now working to create a web-based conference application to provide an online forum for discussion among stakeholders on many of these important questions. The Commonwealth of Massachusetts looks forward to working with the USIP to support their efforts at forging national partnerships for technology policy.
Appendix A: Congressional Testimony
Statement of Daniel Greenwood, Deputy General Counsel For The Information Technology Division Of The Commonwealth of Massachusetts Before The Domestic and International Monetary Policy Subcommittee Of The Committee on Banking and Financial Services Of The United States House of Representatives. Transcripts available soon at www.house.gov.
July 9, 1997
Mr. Chairman, members of the Subcommittee, I appreciate the opportunity to participate in this important hearing on a Federal Role in Electronic Authentication. I am pleased to share the views on legislation developed in the Commonwealth of Massachusetts based on our experiences both using and promoting authentication techniques for electronic commerce. As Deputy General Counsel for the Information Technology Division (ITD) for the Commonwealth, I have had ample occasion to focus on the ramifications of electronic commerce from a legal, practice, and technology oriented perspective. The Commonwealth of Massachusetts is home to several electronic commerce companies and our state government is a robust user of electronic commerce technology. In essence, the Commonwealth favors an incremental and pro-market policy in legislation and regulation at this time.
Many people are questioning whether electronic signature law should be enacted at the state level or preempted by federal law. The Commonwealth believes that electronic signatures are relevant as a part of broader electronic commerce policy and should be viewed in that context rather than in isolation. The question is not one of state versus federal law, but how each level of government should coordinate. The law, policy and practice related to electronic commerce are too important and pervasive to be under the sole jurisdiction or influence of any single level or branch of government.
The Commonwealth is having a very positive experience using electronic commerce to achieve cost savings and service quality enhancements by making important state government transactions available over the Internet for citizens and business. Citizens can use a credit card over a secure Internet connection to renew their vehicle registration, pay a citation and even to order a vanity license plate. Vendors that do business with the Commonwealth can access official requests for proposals over the state's web site and will be able to submit bids in the future. Our most recent transaction allows banks to conduct secure and authenticated Internet filings with the Massachusetts Division of Banks. We believe the citizens would rather be online than in line when dealing with government. There are a number of different information technologies that can be deployed for secure electronic commerce and our policy has been to promote use of multiple technologies and a competitive marketplace for electronic commerce services and products.
It is unrealistic to assume that all conflicts can be preempted out of existence. At the legislative, regulatory and policy levels, governments will have to coordinate actions because electronic commerce is multi-jurisdictional by nature. For instance, among state governments and between the states and the federal government, it is vital that a citizen or business dealing with the government not be burdened with inconsistent or conflicting technical or legal requirements. To this end, state and federal government must coordinate policies on electronic filings, registrations, licensing and other online transactions.
In the narrow but important area of public key cryptography, for instance, Massachusetts is cooperating with several other lead states and three national associations of state governments to accredit certification authorities. This accreditation project is aimed at producing consistent standards among states and other parties who would purchase or rely on digital certificates of identity in electronic commerce. This project serves as a market driven but coordinated approach to protect certification authorities from conflicting requirements by different governments and other large users. A wide array of private sector electronic commerce partners and the federal government have been part of the planning of this pilot. Such efforts can be far more fruitful than legislation for the purpose of accelerating electronic commerce by working out practical obstacles.
Important though it may be, perhaps too much emphasis has been paid to the role of Government as law maker. An initial, and probably counterproductive, assumption is often made that the lack of a comprehensive statutory and regulatory framework is holding back electronic commerce. The Administration of Governor William Weld has found consistently over the past six years that restraining the government impulse to regulate private enterprise results in more, not less, economic activity. The Weld Administration has recently concluded an unprecedented phaseout of antiquated or overly burdensome regulation throughout every corner of the state bureaucracy. Particularly in an area as dynamic and fast growing as the information technology economy, government at all levels must temper the regulatory urge with a healthy respect for the power of markets to develop the least costly, highest quality, most efficient technical, business and contractual solutions. Government remains, of course, a player in the online market by virtue of consumer power and transactional standards setting. However, the electronic commerce market will not be regulated or legislated into existence, but it will emerge as a result of supply and demand. As the market develops, legislation or regulation can be crafted to deal specifically with market failures that may emerge with respect to consumers, corporate market needs, criminality and other public concerns. To attempt to legislate solutions to problems that have largely not yet happened in a market that is still not fully formed risks harmful market distortions and other unintended consequences.
It is clear, however, that certain legislative reforms will be needed to remove legal obstacles from the path of private sector parties who use electronic commerce as part of their business. Some legal reforms are largely under the jurisdictions of the states. For instance, the law of contracts has traditionally been a matter for state law. Similarly, the specific question of electronic authentication often boils down to an issue of evidence. This is an issue of proof of the identity of a party to a transaction or other online activity. To the extent these matters are tried in state courts applying state rules of evidence, this too is a matter of state law. Just one month ago, in the case of DOHERTY v. REGISTRY OF MOTOR VEHICLES, a Massachusetts district court ruled that an e-mail message qualified as a writing signed under the pains of perjury. State courts have, for centuries, proven to be quite capable of adjudicating commercial disputes between parties from multiple jurisdictions and dealing with technological advances. Concerns over state government competence to continue in this field are not called for. In fact, states are often better suited to produce innovative, responsive and accountable policy models than the federal government.
In recognition of the novel issues raised by electronic transactions generally (including authentication issues) the states are in the process of drafting uniform state law governing electronic contracts, licenses and other private transactions. The uniform law drafting process affords an open, deliberate process that is necessary to arrive at sound, informed legislation in this area. However, while uniform law drafting proceeds, some legal reforms may be ripe for action in the meantime. For instance, the Massachusetts General Laws provide some 4,515 separate references to documents that must be in writing and/or signed. Some laws require writings "on paper" and signatures "in ink." These laws are strewn throughout the laws and regulations of states and the federal government. Such "quill pen" laws, in many cases, hail from an industrial age (and occasionally from agrarian times) and serve as antiquated, senseless impediments to electronic commerce. The repeal or reform of such laws should be undertaken in a coordinated and consistent fashion at all levels of government. Similarly, federal and state tax policy should be tailored to promote electronic commerce and existing or contemplated regulation of electronic commerce should be seriously reconsidered in light of the importance of market driven solutions and robust competition in this field.
The Commonwealth of Massachusetts has proposed the creation of an online, web-based conference area to facilitate communication between and among states and the federal government regarding electronic signature and authentication legislation, regulation and policy. We are pleased to work with the newly formed United States Innovation Partnership on this project. The USIP is a joint effort of the National Governors Association, the White House Office of Science and Technology Policy and the Secretary of the U.S. Department of Commerce. When this web site is operational, we will be happy to inform the Subcommittee of the http address. The Commonwealth has also drafted a survey to collect and share views on the proper balance between state, federal and international law for electronic signatures. This survey has been published on the Internet, in the BNA, and other periodicals and results are still coming in. When the results are complete, we will forward a report to the Subcommittee for your information.
There are many opportunities for state and federal law to form a consistent legal framework in support of the emerging information society. Needed international coordination will have to be spearheaded by the federal government. Such issues as export, copyright, patent, federal tax and federal procurement will also have an important impact. Areas such as uniform commercial law, general contract law and state rules of evidence, on the other hand, will need to be carefully evolved by the states in light of federal and international electronic commerce policy. On a going forward basis, more forums and opportunities for communication between levels of government are needed to avoid the crafting of inconsistent policy or misunderstandings about the roles of each stakeholder.
Mr. Chairman, thank you for the opportunity to testify today. If the Subcommittee would like deeper background on these matters, I would encourage you to visit the ITD web site, available at www.state.ma.us/itd/legal. As you continue to work on these important issues, the Commonwealth would be honored to provide the Subcommittee with assistance in the future. I would be pleased to answer any questions the Subcommittee may have at this time.
Appendix B: The Virtual State House
MASSACHUSETTS INSTITUTE OF TECHNOLOGY, Cambridge, MA
The Virtual State House. Course 4.182, Department of Architecture. This course is co-taught by Dan Greenwood and William J. Mitchell, Dean of the School of Architecture and Planning, MIT. The course explores the policy and legal issues that arise when online information technologies are put to public and community uses. Special emphasis is placed on 3D virtual reality systems that allow real-time multi-user collaboration over the Internet. The students cooperate to design and build a working virtual state house to demonstrate the problems and prospects for online government in the future. The virtual state house allows users to conduct electronic commerce, view or interact with public records, and engage in participatory democracy.
Appendix C: Survey on Legislation (compilation still ongoing)
(available at www.state.ma.us/itd/legal)
[In addition to the survey reprinted below, the Commonwealth of Massachusetts is also conducting a large-scale survey of electronic contracting practices - including inquiry into current electronic records management practices, how parties manifest assent (electronic signatures? Clicking "I Accept" etc.) and other important practices. Co-sponsors include CommerceNet and the American Bar Association's Electronic Contracting Practices Work Group of the Committee on the Law of Commerce in Cyberspace. The final "best practices" document resulting from this survey will be made a public record on the Commonwealth's web site.]
Survey: As many of you are no doubt aware, there has been talk lately of federal digital or electronic signature legislation. Under the supremacy clause of the Constitution (and perhaps other clauses) such legislation would preempt state law. A number of state laws already exist and the National Conference of Commissioners on Uniform State Laws is also working in this general area. However, a desire for the benefits of quick, national uniform treatment of this field has prompted renewed interest in federal law. I would like to poll each of you on the following four questions:
1. Should electronic and/or digital signature laws:
a. remain exclusively as state legislation (why?)
b. become totally preempted by federal legislation (why?)
c. be governed by both state and federal legislation (if so, who governs what?)
2. What coordination of legal framework is needed at an international level?
3. Is the current trend in state legislation creating an insufficiently coordinated legal environment for electronic commerce? If so, please indicate where the problems exist. If not, indicate why different types of existing and pending state electronic signature laws do not significantly impede electronic commerce.
4. Why, if at all, are electronic or digital signature laws needed? What problems do such legislation solve? What would be the result if no such legislation existed?
* May we publish your remarks on the Commonwealth of Massachusetts web site (if so, would you like attribution or anonymity)?
Please feel free to answer in short blurbs, or to go into more depth. Thank you in advance for your thoughts on this matter. Please send responses to email@example.com
Appendix D: The Commonwealth of Massachusetts Online Government Task Force
(Task Force information available at www.state.ma.us/itd/legal)
The Chief Information Officer has established the On-Line Government Task Force to chart the immediate future course of online government in the Commonwealth of Massachusetts. On or about August 30, 1997, the Task Force shall report to the CIO on:
a) the Commonwealth's operational needs for online government functions;
b) the legal and policy requirements for such functions, with particular emphasis on the need for authentication, integrity, confidentiality, and non-repudiability;
c) currently available and near-term technologies performing such functions;
d) central services that could promote the growth of online government;
e) the state of current technical and legal efforts in the Commonwealth, other states, the federal government, and other countries;
f) specific technical and legal information that could support agencies that are implementing or evaluating online
g) suitable candidates for pilot projects for evaluating online government solutions.
2. Operational Needs for Online Government
The Task Force should explicitly identify the Commonwealth's range of operations that could be performed better or more efficiently using online technologies. The Task Force should identify online government projects that are being implemented now and are planned or desired in the short term by agencies. The Task Force should identify and categorize the types of government functions that are ripe for networked automation. The scope should extend to both Internet and intranet communications.
3. Legal and Policy Requirements for Online Government
The Task Force should identify and categorize the functionality needed for online government functions to comply with business, legal, and policy requirements. Specifically, the Task Force should evaluate requirements for authenticity, integrity, confidentiality, and non-repudiability of network communications, with particular emphasis on the suitability of PKI technologies.
4. Current Technology
The Task Force should assess the current and near-term state of the technology available to meet the business, legal, and policy needs of the Commonwealth. This includes testing or demonstrating relevant technology. This effort should result in a narrative and/or a matrix that represents a thorough evaluation of current offerings by PKI and other vendors, as well as an assessment of the strengths and weaknesses of these solutions.
5. Central Services for Promoting Online Government
Given the business, legal, and policy requirements, and the technologies available to meet them, the Task Force should identify key central services, particularly PKI services, that would promote the use of online technologies by state agencies.
6. Standards and Guidance for Agencies
The Task Force should develop specific standards and guidance for agencies that wish to implement online government solutions. The emphasis should be on concrete, practical advice that can materially assist agencies that have advanced to the point of implementing an online government operation. In addition to this specific guidance, the Task Force should also develop information and advice for agencies that wish to evaluate the benefits of online technologies. This and/or other material should also serve to give agency management the information they need to appreciate and support online technologies.
7. Pilot Projects
As a result of identifying business needs, legal and policy requirements, available technologies, and the appropriate central role for the state, the Task Force should propose suitable candidates for pilot projects for evaluating online government solutions.
8. Members of the PKI Task Force
Membership in the task force is open to any public entity in the Commonwealth. Anyone interested in joining the task force or receiving more information should contact Task Force Chairman Dan Greenwood at firstname.lastname@example.org or 617.973.0071.
Appendix E: Digital Signature Mock Trial
(planned for fall, 1997)
The Commonwealth of Massachusetts Information Technology Division Legal Department will sponsor a mock trial based on a dispute over a digitally signed communication. This will be an online event, probably web-based. There will also be a half-day "court room" mock trial to be held in Boston in the fall. Anyone interested in helping to plan, or participate in one or both of these mock trials should contact Dan Greenwood at email@example.com.
The purpose of this exercise will be to explore legal ramifications of deploying digital signature technology as a business tool, including: what grounds for a claim (consumer law, financial and banking law, common law, other?); what issues arise relative to preserving certain evidence for trial; the legal relationship between an "owner" (subscriber) of a digital signature, a relying party and a certification authority; what other evidentiary admissibility issues arise, how might certain contract terms be interpreted (i.e.: what arguments might be raised related to liability limitations, rights and duties under contract); etc. The case will be tried in a fictional jurisdiction and to fictional parties.
The specific factual pattern (i.e.: who are the parties and what happened to them) will be developed so as to highlight areas of legal uncertainty and maximize the instructional value of this exercise. It is expected that this exercise will assist the Commonwealth of Massachusetts and other interested parties to more efficiently manage liability and to better anticipate legal issues as we look to deploy public key based network solutions.
Digital Signature Online Mock Trial
How would you like to participate in the virtual digital signature mock trial? At this time it is still possible to participate in any of the roles listed below; please let me know which positions you are interested in pursuing (if you are interested in more than one from a category, please indicate your order of preference). Send your reply to firstname.lastname@example.org.
Category A. Trial Participants.
I want to:
1. be a lawyer
2. be a party and a witness
3. be an expert witness
4. be a judge
5. be a juror
Category B. Coordinators/Organizers.
I want to:
1. write part of the fact pattern for this case and review other parts
2. create or advise on the technical design (look/feel/functionality/security) of the web site
3. moderate or otherwise administer access to the web-based trial site
Though the fact pattern is not yet determined, our thought is to design facts under which none of the parties are at fault, yet there has been a loss due to either theft or unknown causes. Though the focus will be on the issues specific to digital signatures, we expect that some electronic contracting issues will also be raised. We also expect that all evidence of the transaction will be in electronic form (including relevant sections of contracts, server logs, correspondence and other transaction records). It is expected that the trial system will consist of two sites. One site will be restricted to the trial teams for participation, but open for viewing by the world (a virtual open court). The other site will be totally open for read/write access, for anyone to join the discussion about the mock trial as it unfolds.
Again, thank you for your interest in this project. We look forward to working with you to make this a useful and educational experience for us all.
Appendix F: The PKI Page!
(an online PKI information resource - also available at www.state.ma.us/itd/legal)
* The Purpose of the PKI Page
* Standard, Policy and Practice Related PKI Links
* Certification Authorities and Vendors
* Industry and Trade Groups
* National and International PKI Government Activity
* State Government Initiatives
* Academic Treatment of Information Infrastructure Issues
The purpose of the PKI page
This page exists to provide an information bank for people who wish to use the evolving public key infrastructure as a tool for securing net-based communications and transactions. There is a large amount of information available on the Internet, which the page will link to where appropriate. However, there are a large number of issues that are still emerging that will also be tackled here. Feel free to send along any PKI-related information, such as: news, product announcements, papers, web addresses and any other information that you think people interested in PKI would like to see. Enjoy!
Standard, Policy and Practice Related PKI Links
* Strawman Certificate Policy Definitions: Mid-Level Policies for Digital Signature and Encryption, by Warwick Ford, April 29, 1997
* Strawman Certificate Policy Definitions: Mid-Level Policies for Digital Signature and Encryption, by Warwick Ford, December 12, 1996
* Certificate Policy and Certification Practice Statement Framework, Version 1.2b, November 12, 1996. Prepared for the Policy Management Authority Committee of the Government of Canada
* Policy Checklist - Warwick Ford's "elements of policy", which he is preparing in conjunction with Santosh Chokhani as part of "Certification Practice Statement Frameworks" for the US and Canadian governments. (From CommerceNet)
* IETF: PKI Working Group (PKIX)
* Internet Draft, Certificate Policy and Certification Practice Statement Framework (expires in six months: June 1997)
o Internet Public Key Infrastructure Part I: X.509 Certificate and
o Internet Public Key Infrastructure Part III: Certificate
o Architecture for Public-Key Infrastructure
o Summary of ITU-T Recommendation X.509 (click here to find out how to get this from the ITU)
o Additional Standards Documents:
+ Secure Electronic Transactions (SET) - Mastercard/Visa
+ Accredited Standards Committee X9 - Financial Services - (ASC X9): Click here to find out how to get this
+ NIST Federal Information Processing Standards
+ Below are some gems buried in the above web site:
+ 1996-10-10 FIPS 140-1, Security Requirements for
+ 1995-04-17 FIPS 180-1, Secure Hash Standard (ASCII)
+ 1997-01-07 FIPS PUB 186 Digital Signature Standard [Change Notice 1]
+ The Distributed Certificate System (DCS) (by OpenSoft Corporation. 2/96 draft)
+ Microsoft Internet Security Framework
+ Public Key Cryptography Standards (PKCS) - from RSA
* General Public Key Infrastructure References by Marc Branchaud
Certification Authorities and Vendors (under development)
* The Digital Signature Trust Company (Utah)
Anyone know the URL for this?
* CivicLink - US government service by AmeriTech
* COST - Sweden
* EuroSign - The European Certification Authority
* Open Market Incorporated
* Terisa Systems
* R3 (r³ security engineering ag from Europe)
Industry and Trade Groups
* The CommerceNet PKI Task Force
* Silicon Valley Software Industry Coalition: Digital Signatures Working
* SigNet.Org (a trade association dedicated to encourage the development and utilization of the Internet and information technology through continuing support of professional, technical and civic Special
* International Chambers of Commerce (The ICC has been active with PKI
* Internet Law and Policy Forum
* The Open Group (a multi-vendor information systems consortium)
National and International PKI Government Activity
* United States of America
o NIST's Computer Security Resource Clearinghouse: Public Key
+ overview of PKI-Related Activities at NIST
+ PKI documents developed by NIST or PKI groups in which NIST
+ Panel: Public Key Infrastructure: From Theory to
+ Article: NIST is working with industry on digital signature plan (This article is reprinted from the GCN NEWS)
o Electronic Commerce Project Council of Japan (ECOM) (Certification Authority Working Group)
o CommerceNet - Japan
* Europe (Still Compiling Sources)
o Secure Electronic Marketplace for Europe (SEMPER)
o Federal Canadian Government PKI Program
Still looking for the correct URL
o CommerceNet - Canada
State Government Initiatives
* The National Association of State Information Resource Executives: PKI Notes from the first meeting held on January 27, 1997 in San Francisco
* The Massachusetts Digital Signature and Public Key Infrastructure
o The Home Page of the Working Group
Not Yet Available
o Cyber-Slide Presentation: What is the Big Deal and Why Should I
Not Yet Available
o Online Backgrounder: The Basics of Public Key Cryptography and
* Utah Digital Signature Development Program
o Proposed Administrative Rules Utah Administrative Code R154-10
o Commentary to the Proposed Administrative Rules Utah Administrative Code R154-10
* Florida: digital signature site, including the Digital Signature Advisory Committee Final Report
* Electronic Frontiers Georgia (Not a state gov. group - but links to relevant Georgia sites)
Academic Treatment of Information Infrastructure Issues
* The Essential Role of Trusted Third Parties in Electronic Commerce - by law professor Michael Froomkin.
* Revised Brad Biddle Article: Misplaced Priorities: The Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure (From the Software Industry Coalition) In Adobe Acrobat Format.
* Economic Modelling and Risk Management in Public Key Infrastructures. Authors: David G. Masse and Andrew D. Fernandes
* Villanova Center for Information Law and Policy
* Legal Information Institute (Cornell)
* Stanford Law and Technology Policy Center
* Harvard Law School Center for Law & Information Technology
* Distributed Systems Technology Centre, Queensland University of Technology: PKI Project
Appendix G: ELECTRONIC SIGNATURES AND RECORDS: Legal, Policy and Technical Considerations
Daniel Greenwood, Esq
Version 1.0 | Draft: 1/9/97
Comments to: email@example.com
NOTE: The foreword specifically relates to a program held by Massachusetts Continuing Legal Education. The program, "Health Care and Information Technology", was held January 15, 1997. Some information is now dated.
The following article deals generally with legal aspects of electronic signatures and writings. Though the article is not specifically tailored to medical systems, the information is quite relevant to the field of health care and the topics under consideration for this Massachusetts Continuing Legal Education program. The document is a draft of an article that will be published in the National Law Journal. It should be noted that, while I am an attorney for the Commonwealth of Massachusetts and reference is made throughout this article to legal and policy matters involving the Commonwealth, I submit this work in my personal capacity and nothing herein necessarily represents the views, positions or any official comment by the Commonwealth.
Information technology can be a powerful enabling tool for health care. According to the Chicago Tribune, a 21-year-old student in China fell into a coma due to a mysterious illness. The finest doctors in Beijing were unable to diagnose or treat her, and her condition was fast deteriorating. Her friends sent a desperate plea for help over the Internet, describing her symptoms and requesting assistance. Some 2,000 doctors and researchers in 18 countries replied to the message, and from those responses the illness' cause was established. The young student's life was saved as a result of that use of the Internet. This dramatic example illustrates the previously impossible communications made simple, inexpensive and commonly accessible through the use of networked computers.
An early Clinton Administration health security proposal suggested the following benefits from a national health information infrastructure:
1. clear and useful consumer information
2. health status measures
3. health care system monitoring and evaluation
4. linking health record information to improve patient care
5. cost effective, streamlined administration, and
6. identification of fraudulent activities
Commentators have noted that the benefits of networked health care information outweigh the risks to privacy. Though providing for adequate information security protections can involve significant investments, the cost savings to be had from widespread use of new communications technologies are staggering. For instance, switching to electronic data interchange (EDI) would yield billions of dollars in savings annually. The current paper based system is ill suited to health care in both form and function. The Government Accounting Office estimates that the 34 million hospital admissions and 1.2 billion physician visits each year generate the equivalent of 10 billion pages of medical records.
Evidently, not only is medical data voluminous, but it is also poorly organized - sometimes inaccessible when needed and existing in several different locations, though associated with a single patient, perhaps even a single episode. In addition to administrative and cost savings, networked computing presents conspicuous advantages in quality of care and research that directly advance the core mission of health care. The benefits of electronic information systems include accessible and comprehensive patient records, networked consultations without regard to geography, ease of treatment tracking and instant availability of critical clinical and research data capable of being queried, stored and cross-indexed to a patient's file.
Several leading organizations in the field of medicine have publicly advocated for moving toward integration of information technologies into health care systems, including the American Hospital Association and the Institute of Medicine's Committee on Regional Health Data Networks. It is only a matter of time before ubiquitously networked computer systems allow for spontaneous, secure, authenticated and confidential transactions around the world. The cost and quality efficiencies of such an Information Infrastructure promise untold benefits in all sectors of the economy and society. As this transition hastens, attorneys will increasingly be asked for advice about the legal consequences of creating, receiving, transmitting, destroying and converting to electronic records. Electronic signatures, network security, and the contracts and licenses associated with digital systems and services will play a key role in the practice of modern law. The field of health care, with its special concern for confidentiality and its literally life and death reliance on the accuracy and timeliness of information, presents the strongest challenge and the greatest opportunities for adoption of emerging information technology. Legal and policy infrastructure supporting computer networks will be vital to the success of this transition.
The world is changing and lawyers must change with it. A digital revolution has begun. The wide-scale transition from traditional forms of writing and communication is creating uncertainty in commerce, health care, government and all social and economic sectors. Specifically, records are increasingly created, transmitted and stored in electronic media, and parties are using computer networks to access and communicate information with other parties. What is the legal status of an electronic signature? Are electronic records the legal equivalent of paper writings? It is clear that such uses of electronic data are saving enormous administrative and other transactional costs. The ability to access information in digital form is also creating qualitative cultural and economic improvements by allowing world-wide networked publishing, trade, education and interactive collaborations. However, the legal implications of these changes will require attorneys to adapt to new vocabularies and ways of thinking. This article will explore issues surrounding the use of electronic signatures and writings in the context of information security and the law.
What Is a Digital Signature?
A digital signature allows a party to send a secure message over an open, otherwise non-secure computer network. The phrase "digital signature" is a term of art. A digital signature is not based on an actual hand signed image; rather, it is based on a complex mathematical formula that allows networked communications to be authenticated, confidential and non-repudiable. Though the technology is involved, it is helpful for lawyers to have at least a passing understanding of the underlying content of digital signatures. There are two basic technical processes that combine to make a digital signature. The first function is known as "public key encryption." The second function is called a "hash." Encryption is simply the process by which information is scrambled by use of a code.
Military communications have relied on more or less advanced methods of encryption for thousands of years. In fact, Alexander the Great communicated with his generals by sending messages in which each letter was shifted a certain number of positions (a two position shift replaces every "a" with a "c", every "b" with a "d", and so on). This was a form of "secret key encryption" - because anyone who knew the secret code could send and receive messages securely. Today, commercially available encryption software creates encryption so strong that it is all but impossible to break the code and ascertain the original message without the use of the authorized software.
Public Key Cryptography
Unfortunately, a secret key system requires the sender to transmit the code to the receiver in a safe manner - not allowing the code to fall into unauthorized hands - because anyone with the secret code can read all messages sent. Since the Internet is very vulnerable to message interception, it becomes impractical to deliver the secret code to message recipients. Enter: Public Key Cryptography. With this type of encryption, information that is encrypted with one key from a given pair can only be decrypted by the other key. This is similar to the old "secret decoder rings" found in boxes of Cracker Jacks. Users of this system would keep their private key very safe (perhaps password protected or even embedded in a smartcard or other hardware device) but they would make their public key freely available, by sending it to all potential recipients of messages or posting it to an Internet public key directory. In this way, the private key holder can send a message to anyone on the Internet, and, if his public key decrypts the message, the recipient knows it must have come from the private key holder. Conversely, anyone on the Internet who wants to send the private key holder a message can encrypt the message with his public key (again, the public key is freely available) and send the message with the knowledge that only the private key holder can read the encrypted text.
For example, if you receive a message from John Smith, and you use Smith's public key to successfully decrypt the message, you know, to an extremely high degree of certainty, that Smith, and not an impostor, wrote the message. The message could only have been created by someone with Smith's private key, and presumably the only person with Smith's private key is Smith. This can be seen as the equivalent of a signature on the data sent by Smith - a so-called "digital signature."
Hash Functions and Message Digests
A "hash function" is a process that creates a relatively small number that represents a much larger amount of electronic data. For instance, if I had a ten page word processing document on my computer hard drive, I could use special hashing software to derive a particular number associated with that document. If even one comma were changed in the document, the resulting hash number from the changed document would be completely different. This number is called the "message digest." Digital signatures use a "one way hash function" - that means there is no way to reverse engineer or derive the content of the message based on the resulting message digest. When you send a digest along with a message, the recipient can check to see if the message has been tampered with by using the same hashing software to make her own digest of the message and then checking to see if the two numbers match. If the digest number sent with the message matches the digest created by the recipient, then she knows that the message is exactly the same as when it was sent.
To achieve a digital signature, the sender's software creates a message digest and then encrypts that number with the sender's private key. This "encrypted digest" is then sent along with the text of the message. That way, the recipient can determine both who the message came from and that the content has not been tampered with just by decrypting the digest and checking to see that it matches the digest of the message she received.
The entire message could also be encrypted, but that would only be done to achieve confidentiality of the message. If the sender merely wants to sign a message, only the digest needs to be encrypted. This is important because it is significantly quicker to send and receive messages that are not encrypted. The technology is developing to give users a choice when a message is sent: you can "sign" the message or "sign and encrypt" the entire message. Remember, it will cost additional delays and computer resources to use encryption for confidentiality as well as signatures, so think about when you want to use each. This system, however, will not require any technical expertise among users above that required to use a word processor. The process will be nearly "transparent" to the end user. All that will be required is a few clicks of the mouse to sign or encrypt messages and to accept and review the signed messages sent to the user.
The issue, legally, is to bind the identity of a particular party to a particular public key. This need has been widely perceived in the marketplace and several companies are stepping into the so-called "trusted third party" business. Such a company is known as a certification authority (C/A). The C/A will issue a certificate that identifies the person associated with a given public key (the "subscriber"). The C/A is responsible for undertaking certain measures to ascertain the identity of the person to whom it issues a certificate. The market appears to be evolving toward tiered levels of certificates. Relatively inexpensive certificates may only represent an attestation by the C/A that the subscriber presented a notarized letter indicating her identity through the U.S. mail. More expensive certificates might be issued based on more stringent measures by the C/A, such as requiring the subscriber to physically show up at a location and present multiple forms of photo identifications and so on.
When the subscriber wishes to use her private key to sign a record, she would send a certificate, issued by a C/A along with the transmission. That way, the relying party who receives the transmission can independently verify the identity of the subscriber by reference to the C/A's online database of valid certificates and revoked certificates. A subscriber would have a responsibility to notify the C/A if she discovers that her private key has been lost or compromised. In this case, the C/A would post this information to a Certificate Revocation List. Prudent persons would check such a list before relying on a given certificate. Banks, the U.S. Post Office, and several other large and small entities are positioning to become C/As.
In a sense, the entire public key system is built on two deep fault lines. First, the private key of the subscriber must remain secure. If the private key is stolen or used without authorization, the whole system falls. Secondly, there must be a trusted third party to the transaction. Without this certification, again, the system falls. The recipient must have objective grounds for confidence that the public key which "unlocks" the signature, leading to the critical elements of authenticity and message integrity, is associated with Smith. Without this assurance, the fact that a public key unlocks a message encrypted with a private key has no meaning other than that the two keys are mathematically related. Today, there is a serious debate about what policies and practices C/As should use. It is clear that this system requires some common understanding among C/As and the user population regarding uniform levels of authentication of the subscribers. There are multiple views about what, if any, laws are called for at present to further define, and perhaps limit, the rights and liabilities of C/As, subscribers and relying parties who use this system.
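The mechanics described above (digest the record, "encrypt" the digest with the private key, verify with the public key named in a C/A-issued certificate, and consult the revocation list first) as an added example that is not part of the original article. The RSA arithmetic is textbook and the primes, names, dates, serial numbers and reliance limit are constructed for illustration; the reliance-limit extension is the kind of customization the article mentions later under X.509v3 certificate extensions.

```python
# Toy hash-and-sign digital signature with a C/A certificate and CRL check.
# Added illustration; keys are far too small and unpadded for real use.
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys

def make_keypair(p: int, q: int):
    """Return (public, private) = ((n, e), (n, d)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data: bytes) -> int:
    """One-way hash -> 'message digest'. Truncated to 128 bits only so it
    fits under the small toy modulus; a real scheme pads the full digest."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(data: bytes, priv) -> int:
    """'Encrypt the digest with the private key', as the article puts it."""
    n, d = priv
    return pow(digest(data), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    """'Decrypt' with the public key and compare to a freshly computed digest."""
    n, e = pub
    return pow(sig, e, n) == digest(data)

@dataclass
class Certificate:
    """Stand-in for the X.509v3 fields the article lists, plus extensions."""
    serial: int
    subject: str
    issuer: str
    public_key: tuple
    not_before: int          # constructed: day numbers on a toy calendar
    not_after: int
    extensions: dict         # e.g. {"reliance_limit": 5000}
    signature: int = 0       # the C/A's signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        body = (self.serial, self.subject, self.issuer, self.public_key,
                self.not_before, self.not_after, sorted(self.extensions.items()))
        return repr(body).encode()

def issue(ca_name, ca_priv, serial, subject, subject_pub, not_before, not_after, ext):
    """The C/A binds a subject's name to a public key by signing the certificate."""
    cert = Certificate(serial, subject, ca_name, subject_pub, not_before, not_after, dict(ext))
    cert.signature = sign(cert.to_be_signed(), ca_priv)
    return cert

def relying_party_check(message, sig, cert, ca_name, ca_pub, crl, today, amount=0):
    """What a prudent relying party does before trusting a signed record.
    Returns (ok, reason); every rejection names which fault line gave way."""
    if cert.issuer != ca_name or not verify(cert.to_be_signed(), cert.signature, ca_pub):
        return False, "certificate was not validly issued by the trusted C/A"
    if not cert.not_before <= today <= cert.not_after:
        return False, "certificate is outside its validity period"
    if cert.serial in crl:
        return False, "certificate appears on the C/A's Certificate Revocation List"
    if amount > cert.extensions.get("reliance_limit", float("inf")):
        return False, "transaction exceeds the certificate's reliance limit"
    if not verify(message, sig, cert.public_key):
        return False, "signature does not match the message digest (altered or forged)"
    return True, "authentic, unaltered and within the certificate's terms"

# Constructed key material: Mersenne primes keep the toy arithmetic quick.
CA_NAME = "Example Certification Authority"
CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SMITH_PUB, SMITH_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
SMITH_CERT = issue(CA_NAME, CA_PRIV, 1001, "John Smith", SMITH_PUB,
                   10_000, 10_365, {"reliance_limit": 5000})

def demo():
    """Run the scenarios the article discusses; returns {name: (ok, reason)}."""
    msg = b"Pay $4,000 to Acme Supply for invoice 117."  # constructed record
    sig = sign(msg, SMITH_PRIV)
    ctx = dict(cert=SMITH_CERT, ca_name=CA_NAME, ca_pub=CA_PUB, crl=set(), today=10_200)
    forged_cert = issue(CA_NAME, IMPOSTOR_PRIV, 1001, "John Smith", IMPOSTOR_PUB,
                        10_000, 10_365, {})  # names the trusted C/A but is not signed by it
    return {
        "genuine":    relying_party_check(msg, sig, amount=4000, **ctx),
        "altered":    relying_party_check(msg.replace(b"4,000", b"9,000"), sig, amount=4000, **ctx),
        "wrong_key":  relying_party_check(msg, sign(msg, IMPOSTOR_PRIV), amount=4000, **ctx),
        "over_limit": relying_party_check(msg, sig, amount=9000, **ctx),
        "revoked":    relying_party_check(msg, sig, amount=4000, **{**ctx, "crl": {1001}}),
        "expired":    relying_party_check(msg, sig, amount=4000, **{**ctx, "today": 11_000}),
        "fake_ca":    relying_party_check(msg, sign(msg, IMPOSTOR_PRIV), amount=4000,
                                          **{**ctx, "cert": forged_cert}),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Only the "genuine" scenario is accepted; the others show, in turn, the altered record, a signature made with a different private key, the reliance limit, revocation, expiry, and a certificate that merely claims the trusted C/A as its issuer.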
The Commonwealth of Massachusetts has assumed a leadership position among states with regard to the creation of a public key infrastructure. The Commonwealth is working with several national organizations of state government officials to bring together the fledgling C/A industry for the purpose of discussing more coordinated, predictable and uniform business practices and standards. There must be an objective method, such as accepted standards, accreditation or licensing whereby consumers, government and business can identify which C/As will be worthy of trust. The elements of a trustworthy C/A extend to very technical specification as well as to business practices. Ideally, voluntary, testable, widely recognized industry standards will develop, rather than more rigid government conceived promulgations. The Commonwealth is also actively involved with joint federal and state efforts to coordinate electronic commerce policies on a national level. In addition to policy work, the Commonwealth is gaining practical experience with this technology as a business tool. The Registry of Motor Vehicles web site now uses point to point encryption over the Internet to allow confidential transmission of credit card transactions to renew vehicle registration, pay citations and even order vanity license plates. The Division of Banks is about to begin a pilot using digital certificates to enable banks to file authenticated documents over the state's Internet web site. The Information Technology Division makes information available about Commonwealth secure Internet initiatives at <www.state.ma.us/itd/legal>.
The Difference Between Electronic Signatures and Digital Signatures
An electronic signature is, simply, any symbol or method executed or adopted by a party with present intention to be bound by or to authenticate a record, accomplished by electronic means. An electronic signature may be created by any electronic means. For instance, a sophisticated biometric device, such as a computerized fingerprint recognition system, could qualify as an electronic signature, and so would the simple entry of a typed name at the end of an e-mail message. The principle is that the symbol or method was executed or adopted by the signer with a present intent to sign the record. This definition focuses on the traditional legal purposes of a signature, not the particular medium or manner chosen to accomplish the signature. By contrast, a digital signature refers to a particular implementation of public key cryptography.
A digital signature can be defined to mean a transformation of a record using an asymmetric cryptosystem and a hash function such that a person having the initial record and the signer's public key can accurately determine: (a) whether the transformation was created using the private key that corresponds to the signer's public key; and (b) whether the initial record has been altered since the transformation was made. In other words, a digital signature is created by use of a public key system, but an electronic signature includes broadly any computer method, including, but not limited to, public key systems. Digital signatures are technology specific. Electronic signatures are technology neutral.
The use of low security electronic signatures, such as simply typing one's name on an e-mail, raises serious questions of proof regarding the authenticity of such a signature. However, there are times when low or no levels of security are warranted. A given transaction or message may be informal, of little or no value, and not otherwise reasonably likely to form the basis of a subsequent dispute. For instance, it is common practice to conclude purely social e-mail messages with the typing of the sender's name. In this case, the name would be a symbol intended to authenticate the document, but not necessarily manifesting an intent to be bound by the content - assuming there exists any particular content at all. In this context, the word "authenticate" means merely an intent to represent that the signer was the sender. In common parlance, e-mail among friends and close colleagues is often concluded with the initials of the sender alone. For more formal, but low risk, electronic transactions, a more robust signature system may be desirable. This does not necessarily mean a full-fledged public key solution is required. For example, some business and professional online services require a user name and password to access their system. Once a user is on the system, they may be entitled to additional information or services, such as online dialogue with an expert or authorization to view value-added proprietary documents. Here, the electronic signature is created by use of a user name and password, probably relying on access control technology far less expensive and simpler to use than public key cryptosystems. The use of this system may (depending on the understanding of the parties as evidenced by contracts, disclaimers or other conditions of use) authenticate the user and also impliedly, or perhaps expressly, express an intent to be bound by billing rates or other terms.
As mentioned earlier, digital signatures, when properly implemented, provide an extremely high degree of confidence that a message originated from the person or entity it purports to come from and that the message was not altered. In addition, the current implementation of this technology relies on particular digital certificates that comply with internationally recognized standards. This current standard, known as X.509v3, provides for the inclusion of several data fields that specify the name of the private key holder (the subscriber), the name of the issuing certification authority, the period during which the certificate is valid and a copy of the subscriber's relevant public key.
This current version of the standard is particularly exciting for legal and policy reasons because it also allows for a number of so-called "certificate extensions" - additional data fields beyond the basic ones listed above. Some extensions are standardized (for example, fields stating the purposes for which the certified key may be used), and the format also permits privately defined extensions whose meaning is fixed by the issuer or the community using them. These open fields can be used to further customize a certificate for a given industry or individual use. Additional fields might designate a reasonable monetary reliance limit to be associated with a given certificate, or some indication of the signer's authorization limits. Unlike a traditional pen and ink signature, a digital signature with a customized certificate could denote, in detail, the types of transactions a given employee is authorized to enter or the role a signer is playing within a company. For instance, Mr. Gates may use one private key to buy low dollar items on the Internet for his personal use or to sign his weekly time sheets (hey - it's possible). He might keep this key on his desktop hard drive and protect it with a password. However, to sign important high dollar deals Mr. Gates may choose to use a different key, denoting him as the CEO who is authorized to bind his company. This key may be protected with a more expensive and more trustworthy system, perhaps including smart cards or biometric devices.
Technical Capabilities and Legal Judgments
The role of attorneys in assessing the adequacy of a digital signature, particularly in a jurisdiction without detailed digital signature legislation, will involve a special evaluation and recommendation process. More so than most other fields of legal practice, information technology issues will form the basis of unfamiliar, dynamic and complex facts and circumstances for most lawyers. The technology is, by nature, fast evolving and very complicated. Even if you have a computer science degree, you will have to take additional time making sure you understand the basics of current and future technological systems. However, lawyers do not need computer science degrees to render sound legal advice to clients seeking guidance in these matters. In the context of electronic signatures, and the probable commercial uses to which they will be put, there are a relatively few key concepts that can be used to assure an accurate "big picture" view of particular technologies.
There are an increasing number of technologies being developed that would provide for varying levels of security over open networks. Clients will look to attorneys and others for guidance about the appropriate level of security for a given line of electronic business or other transactions. Of course, the average attorney will not be expected to render technical judgments about the information technology investments their clients make. Very technical analysis can be involved in making such selections, such as interoperability with existing information technology systems, costs to administer, trends in the industry and so on. However, it is going to be very important for attorneys to cooperate closely with business and technical people in the procurement and deployment of computer security systems generally, and systems that require electronic signatures specifically. The legal consequences that flow from the presence or absence of particular elements of data security will constitute risks, liabilities and other potential costs that should be taken into account from the beginning. Similarly, relatively small changes to the purchase or implementation of a large electronic system can drastically improve a client's position should the system ever be implicated in, or form the basis of, a dispute or formal adjudication.
A full discussion of network security would necessarily include exploration of disaster recovery systems, physical security, audit trails, security policies, procedures, training and so on. Leaving aside, for purposes of this article, these important but more general issues of network and systems security, lawyers should pay special attention to five basic legal and technical elements when assessing a given electronic signature or other network security system. Security, in this context, consists of: authentication, access control, confidentiality, message integrity and non-repudiation. These are the terms of art that will form an important part of every lawyer's thinking and advice in the field of information technology law for years to come. Each one of these terms has a specific technical meaning and distinct legal and policy implications. Here is a very general description of each term:
Authentication: This is achieved by ascertaining the identities of parties to a message or transaction.
Access Control: This means that information, and other network resources, are available only to authorized parties.
Confidentiality: This is achieved by keeping the contents of a message or substance of a transaction secret to unauthorized parties.
Message Integrity: This is achieved by ascertaining that a message or other transmission has not been tampered with in transit over a computer network, i.e., it is accurate.
Non-Repudiation: This means that evidence exists tying the identity of a party to the substance of a message or transaction at a certain point in time and the evidence is sufficiently strong to prevent or rebut that party's subsequent denial of same.
As lawyers, we will increasingly be called upon to develop a legal analysis involving one or more of the above concepts. These technical terms are cropping up in a host of every-day situations. For instance, as more medical records are made available to treating physicians over multi-hospital computer networks and even over the Internet, it is vital that the confidentiality of those records is maintained. Similarly, whenever a credit card number and expiration date are transmitted, that information should be kept confidential both in the merchant's computer system and while in transit over the network. Assurance of message integrity is necessary to prove the contents of a contract agreed to by means of electronic commerce. One seeking to prove a contract will want to show that every clause, word and character in such a contract was received accurately - exactly as it was transmitted.
Access control can prevent unauthorized users from availing themselves of certain non-confidential, but valuable, network resources, such as computationally demanding analysis programs or scarce communications bandwidth. In addition, access control measures can stop unauthorized users from viewing, deleting or otherwise manipulating sensitive data. For instance, a bank might wish to post current interest rates on an Internet web site. This information is not confidential (in fact, it is widely publicized), but the bank will require assurance that individuals from the general public who are viewing that information cannot manipulate the data and change the posted interest rates.
The concepts of authentication and non-repudiation are particularly important. In order to separate "authorized" users of information from "unauthorized" users, there must be some reliable way to ascertain the identity of the user. The Internet was not designed with adequate technical means to achieve this identification. In fact, without more robust security measures, it is quite easy to "spoof" the identity of another person on the Internet. The apparent origin and return address on an e-mail message, for instance, are quite subject to impersonation, since nothing in the basic mail protocols verifies them. There are several means, not involving cryptography, to achieve authentication, including by use of a password or PIN, a hardware device (perhaps as simple as an inexpensive thin plastic card with a unique magnetic stripe), voice recognition, and many other methods. Authentication information can be used as the basis for other programs that control access, or can be saved in order to forestall subsequent attempts to repudiate transmission or receipt of a message or transaction.
Finally, though related, the elements of non-repudiation should not be confused with the legal notion of contract "repudiation." Non-repudiation should be thought of as sufficient technical evidence that a particular party submitted or received a particular transmission. Some state statutes are creating evidentiary rebuttable presumptions that a transmission was submitted or received by a particular party under specified technical circumstances, such as when a digital signature is used. The emerging legislative trend, however, seems to be more technology neutral. Under this approach, proof that a "secure system," (defined to include the basic elements of a trustworthy system) was used to generate and transmit the signature will create a rebuttable presumption that the signature is authentic. However, it is helpful to remember that achieving non-repudiation does not necessarily mean that a party will be bound by an obligation or that a given contract will be enforceable. The laws of contract will, of course, still operate to allow defenses to enforcement and to rebut contract formation based on incapacity, mistake, illegality and so on. Courts will continue to look to whether substantial performance has been rendered and other legal requirements met. However, the technical elements of non-repudiation operate to form a solid business and legal foundation on which to build reliable communications.
Evidentiary Implications of Non-Digital Signature Based Authentication
It may be helpful, when presented with a request for legal advice based on a client's planned or present use of a secure network system, to run through each of the five elements listed above with the client, or the technical person making the presentation. Based on the answers, you should be able to determine which, if any, of the five elements is present, and to what degree. For instance, if, upon inquiry, you determine that there is a method for authentication, but no way to assure non-repudiation, then business functions that require billing or creation of other obligations should be questioned. For example, if the computer server merely authenticates the identity of a party upon entry into the system for access control purposes, but then either deletes, over-writes or fails to save that information, then potentially valuable data to prove non-repudiation is being lost. It may be fruitful to discuss whether there is a way to archive the authentication data in a secure way that would allow it to be entered into evidence should a formal adjudication ever result. The client could consider any number of processes that would allow you, or the trial attorney, to lay a proper foundation for introduction of the authentication information.
Basic issues to consider include proof of the following: the reliability of the hardware and software used; the accuracy of data entered; the integrity of stored records; and the reliability of the process whereby records are retrieved for the court in perceivable form. However, for the non-repudiation element in particular, you should contemplate how the system will support the admissibility and weight of evidence that a particular party sent a message or engaged in a transaction. For instance, think about how the system ensures that the disputed information is identified with the party (was a password given to the signer, and was there an agreement about keeping the password safe?) and that unauthorized persons did not have the opportunity to create or manipulate the information after the transaction (does the server have limited physical and software access, and what other procedures are in place to prevent unauthorized access?). These facts will assist in laying a proper foundation and proffering persuasive evidence.
Information Security: How Much is the Right Amount?
It will be some time before digital signature technology is pervasively used, and it is entirely possible that it will remain merely one of several technologies for information security. Given current growth rates, it is clear that, in the meantime, every area of the economy will increase its use of computer networks secured by other technologies. Information security technology and the related costs of business process can absorb inordinate amounts of available resources unless carefully managed. A modern trend in legal analysis of such systems requires a balancing test. Specifically, an attorney should ask whether the reliability of the method used to create, store, and communicate the signature or electronic record was appropriate for the purposes for which it was created and transmitted. A broad range of financial, legal and other relevant factors should be considered and balanced when determining the advisability of a given network security or signature system.
As a general observation, it seems that many attorneys and other professionals initially expect near perfect information security systems to be in place when a process shift from paper to electronic medium is contemplated. While it is true that some vulnerabilities of the information increase when it is converted to electronic form (ranging from a simple power surge to a malicious virus), in many, possibly most, situations the digital information is actually more secure. Relatively small information security precautions can render the same information far safer when in electronic form. One should be wary of unreasonable expectations or demands for near 100% security from every conceivable threat just because information is to be maintained in electronic rather than paper form. A more appropriate, if general, benchmark is to ask whether the electronic system affords approximately the same or better security than analogous paper systems. This type of analysis should deliberately balance the costs of various security systems against the risks of security breach in light of the entire enterprise. Of course, some functions will require extremely high degrees of security. Typically, such a security system commands significant financial and personnel resources to create and maintain. Determining the right level of information security should be the result of a searching analysis of the business, legal and other demands on the enterprise.
Information Security Benefits of Digital Signature Technology
Based on the description of public key cryptography earlier in this article, it is possible to define precisely how it is so well suited to meet each of the five postulated elements of network security. When the recipient receives a digitally signed message, if the subscriber's public key decrypts the message digest, then the recipient knows that the corresponding private key must have been used to encrypt it; whoever controlled that private key produced the signature. If the certificate indicates that the subscriber is the same person who purports to have sent the message, then the recipient knows the signature is authentic (assuming the certification authority inspires sufficient trust, the certificate was listed as valid and not revoked in the CA's database at the time of signing, and the private key itself has not been compromised). This part of the process provides evidence of authentication. Once the digest is decrypted, the recipient can run the message through the same hash function and, if the resulting digest matches the digest that was sent in encrypted form, then the recipient knows that the message has not been altered since it was signed. In other words, this process of sending an encrypted message digest along with a message can provide solid proof of authentication and message integrity.
But what about access control, confidentiality and non-repudiation? Access control can be achieved based on a digital certificate quite easily today. In fact, standard browsers come with the Secure Sockets Layer (SSL) protocol built in. The current version of the protocol (SSL 3.0) allows a web server to request the browser's certificate in addition to presenting its own, so that browser and server authenticate each other (mutual authentication). This information can form the basis of a server program that only admits browsers presenting certain certificates to secure areas of the web site. Hence, SSL 3.0 can be used to control access to network resources based on the identity of the party seeking to use the resource. Though the basic formulation for a digital signature does not require that the message be encrypted, if the message were also encrypted, then the contents would be confidential. Finally, non-repudiation can be achieved by keeping records of the original message, the associated encrypted message digest and the attached digital certificate. With these items, if the sender of the message later attempted to deny having sent the message, then it could be shown that: 1. his public key decrypts a given message digest; 2. that message digest corresponds to the message in question; and 3. the relevant certification authority listed his certificate as valid at the time of the transaction. To pinpoint the time of the transaction, a digital time stamp service or other general server logs may also be necessary; without a trustworthy time, a signature made after the certificate expired or was revoked cannot be distinguished from one made while it was valid.
The State of the Law and Legislative Initiatives
Today, there exist a number of legal requirements for transactions to be evidenced by a "writing" or to be "signed." The most commonly referenced signature requirement is the Statute of Frauds. However, a large number, perhaps thousands, of federal, state and local laws, regulations and ordinances also call for a "writing" and a "signature." Some of these laws specifically require the writing to be on "paper" and the signature to be "in ink." These so-called quill pen laws have caused anomalous legal results from the use of technology as widely accepted as the fax machine.
In the notable case of Gilmore v Lujan, the requirement for a lease to be signed was rigidly adhered to by a federal agency when the agency killed a significant business transaction based solely on a faxed rather than ink signature. The court admonished the agency for its harsh and unreasonable application of a regulation requiring a "holographic signature," but recognized the right of the agency to so act based on the law as written. The court noted:
While in this instance, denial produces a harsh result, a telefaxed signature is a machine produced signature. It is the exact situation the amended regulations sought to address. . . The decision we reach here is compelled by the narrow scope of the court's review of agency decisions. Obviously the equities favor Gilmore, as he is guilty of no omission but use of the United States mails. Eight days for delivery of mail from Nebraska to Nevada far exceeds the time it should take. Indeed, the Pony Express could have covered the distance with time to spare.
Justice Holmes observed that citizens dealing with their government must turn square corners. Rock Island, Arkansas, and Louisiana Railway Co. v. United States, 254 U.S. 141, 143, 41 S.Ct. 55, 56, 65 L.Ed. 188 (1920). Gilmore turned all but the last millimeter, but that millimeter, whose traverse is jealously guarded by the BLM, was his undoing. Relief to Gilmore in this narrow case would expose BLM to no fraud or risk of fraud, as his bona fides are beyond question. If Gilmore and those other few luckless applicants whose documents are stored rather than delivered by the Postal Service are to get any relief, it must come at the hands of the BLM. As shown by this case, those hands are more iron than velvet.
The case of State ex rel. Ashcroft v Blunt is equally noteworthy for its different emphasis. While out of state, Governor Ashcroft, of Missouri, signed by hand and transmitted by fax various documents, including eleven appointments, two proclamations, two commissions, one appointment as special commissioner or referee and even one extradition order. The court held that the use of a fax machine to communicate official acts of the Chief Executive of the state was valid. In fact, the attention of the court was on the question of the Governor's authority to exercise executive power while out of state, based on the state's constitution. The court's focus was on the appropriate issue - that of authority and the validity of the underlying transaction - not fixated on the particular medium used.
Chapter 111 Section 70 of the Massachusetts General Laws is an example of health care legislation that, by its explicit terms, does not appear to allow for a transition to electronic media - even if it could be shown that such a transition would clearly provide superior efficiency, confidentiality and promote the public interest. The statute reads, in pertinent part:
Hospitals or clinics subject to licensure by the department of public health or supported in whole or in part by the commonwealth, shall keep records of the treatment of the cases under their care including the medical history and nurses' notes. Such records may be made in handwriting, or in print, or by typewriting, or by the photographic or microphotographic process, or any combination of the same. Whenever preexisting records shall have been photographed or microphotographed and the photographs or microphotographs shall have been duly indexed and filed, such hospital or clinic upon notifying in writing the supervisor of public records referred to in chapter sixty-six may destroy the original records so photographed or microphotographed, and such photographs or microphotographs shall have the same force or effect as the original records from which they were made.
The present statutory and judicial framework for writings and signatures has become antiquated and leads to unpredictable, even anomalous results. This state of affairs has generated some uncertainty among current and would-be adopters of this technology. This has impeded the natural flow of the market. It is precisely this state of affairs which has prompted recent legal initiatives to recognize digital and electronic communications.
On a state level, there has been a surprising amount of activity in the area of digital signature legislation. The first state to adopt such a law was Utah. The Utah law, enacted in 1995 and amended in March of 1996 is widely recognized as an important and positive first step toward legal recognition of digital signature technology. The Utah act provides for the licensure of certification authorities by the Utah Department of Commerce. Utah's law also details the rights and liabilities of parties to a transaction using public key cryptography and a licensed certification authority. Washington state adopted legislation closely resembling the Utah law early in 1996. Other states, most notably Georgia, began considering Utah modeled bills and, for a time, it seemed a consensus was developing among states.
While a number of states have considered using the Utah act as a model, various policy issues have increasingly moved states toward less regulatory, less technology specific and more incremental approaches. For example, the states of California and Arizona enacted legislation permitting use of digital signatures for transactions with public entities in each state, respectively. This legislation authorized their Secretaries of State to promulgate regulations to achieve the purpose of the act. Still other states passed laws permitting the use of electronic signatures for particular purposes, such as for medical records in the state of Connecticut or for budget and accounting purposes, such as electronic check signing by the Treasurer of the state of Delaware. Georgia, and a number of states that had legislation resembling the Utah act, allowed the bills to die and opted for further study.
Today, a new trend is developing among legislative drafters and policy makers. The state of Massachusetts, notably, exemplifies an effort to craft laws that directly address the legal issues raised by electronic commerce but do not exclusively enshrine public key cryptography in statute. This approach seeks to remove legal obstacles to electronic communications and transactions generally, by giving legal effect to electronic signatures and electronic records. The law would also specifically provide for the admissibility of electronic signatures and records. The draft proposed statute reads, in pertinent part:
Section 1. Definitions.
As used in this chapter, the following terms shall have the following meanings:
"Record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form. The term "record" includes both electronic records and written records.
"Signed" or "signature" means any symbol or method executed or adopted by a party with present intention to be bound by or to authenticate a record, including electronic or digital methods.
Section 2. Electronic Records.
(a) Where any rule of law requires a writing or provides for certain consequences in the absence of a writing, that rule is satisfied by an electronic record.
(b) In any legal proceeding, nothing in the application of the rules of evidence shall apply so as to deny the admissibility of an electronic record into evidence on the sole ground that it is an electronic record or that it has been retrieved in perceivable form from an electronic or other medium. An electronic duplicate of a record or any perceivable reproduction of a record that accurately reproduces the original is admissible to the same extent as the original record unless or in the circumstances it would be unfair to admit the duplicate in lieu of the original. In assessing the evidentiary weight of an electronic record, the trier of fact may consider any relevant information or circumstances, including the manner in which the record was created, stored, and communicated and the reliability of such processes.
(c) The recipient of a record may establish reasonable requirements with respect to the choice of medium, absent agreement to
(d) This section shall not apply when:
(i) its application would be inconsistent with the manifest intent of the parties, or
(ii) its application would involve a construction of a rule or law that is clearly inconsistent with the manifest intent of the law making body or repugnant to the context of the same rule or law, provided that the mere requirement that a record be "in writing" or "written" shall not by itself be sufficient to establish such intent.
(iii) [Specific exceptions - under development]
Section 3. Electronic Signatures.
(a) Where any rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by an electronic signature.
(b) In assessing whether an electronic signature was executed or adopted with respect to a record by a particular person, the trier of fact may consider any relevant information or circumstances, including whether the signature is unique to the signer, unauthorized persons had the opportunity to create the signature, the signature is capable of verification, the signature is invalidated if the record is altered, and the reliability of the method used to create, store, and communicate the signature was appropriate for the purposes for which it was created.
(c) Where any rule of law requires a signature to be notarized or acknowledged for filing with any agency, department, board, commission, authority, political subdivision, or other instrumentality of the commonwealth, that rule is satisfied by an electronic signature that meets standards established by the secretary of the commonwealth.
(d) The recipient of a record may establish reasonable requirements with respect to the method used to sign the record.
(e) This section shall not apply when:
(i) its application would be inconsistent with the manifest intent of the parties, or
(ii) its application would involve a construction of a rule or law that is clearly inconsistent with the manifest intent of the law making body or repugnant to the context of the same rule or law, provided that the mere requirement of a "signature" or that a record be "signed" shall not by itself be sufficient to establish such intent.
(iii) [Specific exceptions - under development]
The United Nations Commission on International Trade Law (UNCITRAL) recently proposed a Model Law on Electronic Commerce. The UNCITRAL Model Law takes a high-level, enabling approach to electronic signatures and records, with no mention of digital signatures or cryptography. The UNCITRAL Model Law reads, in pertinent part, as follows:
Article 6. Writing
(1) Where the law requires information to be in writing, that requirement is met by a data message if the information contained therein is accessible so as to be usable for subsequent reference.
(2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the information not being in writing.
(3) The provisions of this article do not apply to the following [...].
Article 7. Signature
(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if:
(a) a method is used to identify that person and to indicate that person's approval of the information contained in the data message; and
(b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in light of all the circumstances, including any relevant agreement.
(2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences in the absence of a signature.
(3) The provisions of this article do not apply to the following [...].
The National Conference of Commissioners on Uniform State Laws has been guided by the UNCITRAL approach in its drafting efforts to revise Uniform Commercial Code Article 2, covering the sale of goods, and the soon to be proposed Article 2B, covering the license of digital information. The current legislative drafts of electronic signature legislation for the states of Illinois and Oklahoma contain similar language and represent a similar approach. The Commonwealth of Massachusetts electronic signature law and policy web site, available at <http://www.state.ma.us/itd/legal>, contains the text of, or links to, these and other relevant legislative proposals and enactments. There is an emerging realization that electronic signature statutes should be broad and general, while the policies, regulations (if any) and contracts will be more detailed and flexibly responsive to the particular technologies used in particular circumstances.
Largely unnoticed, but also very significant, is the new federal Health Insurance Portability and Accountability Act of 1996. This law contains provisions that would establish standards and requirements for the electronic transmission of certain health information. Most notably, the act specifically addresses the role of electronic signatures in health care transactions. The act provides for the adoption of "standards specifying procedures for the electronic transmission and authentication of signatures" with respect to the broad range of transactions covered by the act. Of particular relevance, the drafters specifically provided that electronic signatures that comply with the standards promulgated by Health and Human Services shall "be deemed to satisfy Federal and State statutory requirements for written signatures." While it remains to be seen whether the Secretary of HHS will see fit to adopt technology specific or more general regulations, it is clear that legally recognized electronic signatures and records are on the verge of common usage in American health care - a very significant national economic cluster.
There are several policy factors favoring a Massachusetts-style approach to electronic records and signature legislation. While the capabilities of a widely used global public key system would be staggering, the technical infrastructure necessary to enable such a system is still years away. Given the dynamic and unpredictable nature of technological evolution, there is still good reason to refrain from definitive expectations about the shape, scope and type of the international information security systems of the future. Yet, in the meantime, business, health care, education, government and other key economic sectors are moving toward business uses of existing technology, such as e-mail, moving documents and programs (file transfer protocol), and basic web browsing (hypertext transfer protocol). Other security systems are providing some or all of the essential elements of network communications security, from elaborate biometric devices (for fingerprints or retina scans) to simple software security requiring a password or other PIN. The law, and attorneys in particular, must take account of this reality so as not to deny the legal effect of legitimate transactions that happen to occur electronically, and to lend needed stability and predictability to these activities. As technology changes and the market emerges, more detailed state law, whether by individual or uniform statutes, will always remain an option. The use of public key cryptography and certification authorities would more than qualify for legal recognition under the Massachusetts approach. The Massachusetts approach is consistent with the recent UNCITRAL Model Law and would provide a relatively simple legal expression for all fifty states and the federal government to adopt, thus providing a needed baseline for electronic commerce.
The legal profession, and society in general, stands at the cusp of a profound change: a revolutionary shift to the digital age. A number of voices have sounded the alarm to beware of the "wild west" of cyberspace. Some advocate enactment of an array of protective, comprehensive statutes, tailored to meet the special host of issues presented by the new information technologies. It is doubtful that any particular suite of laws would be sufficient, or desirable, as a legal response to the information age. It may be more accurate to say that nearly all fields of law will undergo a transition that reflects and shapes the underlying movement toward electronically based information and communication. When our civilization transitioned to the industrial age, our legal system did not adapt by the mere addition of a new area of "industrial law." Rather, nearly every area of law was transformed by, and helped to create, the new economic, social and political realities associated with the industrial revolution and our subsequent industrial civilization. Similarly, the pervasive information revolution will relegate many currently familiar concepts to irrelevant historical curiosities. The meaning of a signature will certainly be among the definitions to evolve. Yet the law has proven to be resilient and capable of dynamic reshaping over the centuries. Our principles of due process, open society, economic freedom and self-government remain ageless beacons. We would be better served by more calls to constructive action than by the frequent vague alarms sounded about the coming digital revolution. The change is coming, indeed it is already upon us, and the bar must rise to the challenge as a stabilizing and proactive force during the exciting transition period ahead.
Appendix H: E-Mail to UNCITRAL List Serve.
(This e-mail list is run by Temple Law School Professor Amy Boss, and is an example of a valuable online forum in which the public debate over electronic commerce policy is beginning to take place. [NOTE: this message occurred in the context of a larger discussion and is provided only as a flavor of the valuable dialogues now underway. The names of other correspondents have been edited out of this excerpt.])
Subject: Re: Licensing CAs -Reply
Date: Fri, 18 Jul 1997 12:27:23 -0400
From: Dan Greenwood <dan@CIVICS.COM>
Reply-To: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
I would like to respectfully challenge some of the assumptions that underlie . . . arguments [submitted to this list] for a Utah style law and against technology neutral, minimalist law.
[it has been stated on this list]:
"The draft California regulations even allow individual agencies to determine for themselves whether a digital signature even needs to be validated against a certificate at all, so presumably any village idiot that can create a public/private key pair can digitally sign something, without having that signature vouched for by anyone."
That is correct. A lot depends on who you think should be in charge of decisions. Do we regard agencies and citizens as village idiots or do we assume some minimal capacity for rational decision making? My agency uses public/private key pairs in a number of ways, including an implementation of PGP without the benefit of a trusted third party. This has worked fine for the purposes it was intended. We also use CyberTrust as an outsourced semi-open style CA. Banks and other financial institutions can generate their key pairs and get a certificate from CyberTrust after the Commonwealth vouches for their identity as authorized users of a particular system. We also use key pairs that are generated as part of an SSL2 session which merely encrypts http data but does not authenticate the parties or devices in a transaction. [Expressions of] dismay at allowing agencies to consider various PKI (and non-PKI) security options for the purpose of deploying cost-effective and tailored systems do not make sense to me. I believe the opposite is true. Decision making should be pushed down to the lowest level practicable at this early phase of development in the market.
Let's face it, there is NO PKI TODAY. It does not exist. The CAs are neither accredited, cross-certified nor licensed in a uniform manner. The ABA Guidelines were, and remain, a nice try. They raised the right questions and have led to the right types of activity. Though they are unambiguously inappropriate for legislation, they are a fine place to begin (not to end) the broader dialogue on business, technical, legal and policy directions. There is NO RUSH. In fact, time is our friend. In the Commonwealth, it seems that every time we reconfigure our servers or talk to another information security vendor or look at our statutes in a fresh light, we sharpen our thinking and evolve our perspectives about the best way to proceed. Electronic commerce is moving fine without comprehensive regulatory and proscriptive rule making. It ain't broke. However, we have it in our power to do some serious damage to the market that drives these evolving solutions with a few well meaning, but ill-advised statutes.
[it has also been stated on this list]:
"Although Massachusetts would at least require a certificate, they would allow a digital signature to be substituted for a notarized signature, but without any of the protections provided by a licensed/accredited CA, or any legislative determination of who bears what risk of loss."
It is true that Massachusetts does require a certificate for some transactions (we came up with our technical and business requirements all by ourselves without so much as a statute to guide us - or limit us). However, it is not accurate that a notarized signature would necessarily be substituted for a digital signature. In our current draft, we only say that where any rule of law requires a signature to be notarized or acknowledged for filing, that rule is satisfied by an electronic signature that meets standards established by the secretary of the commonwealth. The Secretary could determine that a digital signature is necessary and that it must be verifiable with reference to a certificate issued by an accredited CA. In fact, I project that this is likely to be among the methods that would be found acceptable in the Commonwealth because we are among the lead states in the accreditation efforts for CAs. However, I don't know what you mean by the "protections provided" by accreditation. It is clear what you might view as "protections" from Utah style licensing - statutory warranties, presumptions, liability limits (though these all seem to weigh protection heavily in favor of certain parties). But with accreditation, the protection would be, at best, more like the protections you get by an accurate label on a product or an accurate rating of a bond. You could term this "quality assurance" - but I think "protection" goes beyond what we need to be doing at this stage by statute. Your further point about the lack of legislative determination of who bears what risk of loss is considered a feature, not a bug. Our proposal does not presume to tamper with existing bodies of law in this regard. If a large scale or widely used implementation of PKI arises and deserves special treatment in legislation we can handle that when the time comes.
I really fail to see the merit in pretending to know how the market will evolve and preemptively apportioning risks between private parties for products they are not yet using and problems they have not yet had. I bet we will see a suite of problems - but they will largely consist of causes and results that we cannot predict today. It is prudent to wait and see how the market evolves, what problems emerge, and then to tailor legislative action where necessary to address those issues.
[it has further been stated on this list]:
"Without any statutory basis for differentiation, I am very much afraid that the courts might be forced to accept a simple e-mail "signature" as the legal equivalent of a cryptographic digital signature, despite the obvious difference in reliability. Whether this could be handled by attorneys arguing the "preponderance of the evidence" I don't know. But I do know, having talked to many corporate attorneys, that many businesses might suddenly decide that the legal uncertainty surrounding digital signatures was suddenly too great, and would offset any possible advantage in electronic commerce."
I appreciate the gravity of this point, but I respectfully disagree with the premise and the conclusion. The premise that courts might be "forced to accept" a simple electronic signature as the equivalent of a cryptographic signature because they have no statute to guide them is not warranted. Every court case occurs in a fact specific and law specific context. If a dispute arises in which reliance was unreasonable on a simple electronic signature (of the typed and e-mailed variety) then we should either trust courts to come to that conclusion or we need to reconsider our judicial system as a whole. No matter what happens with legislation, as electronic commerce gains wider acceptance, we will see more litigation. It is not reasonable to imagine a jurisprudence will emerge that fails to distinguish between better and worse security because there is no statute laying down the law. Courts do this all the time. That is why we pay the judges. Let them do their jobs.
[The] final point that legal uncertainty surrounding digital signatures may "suddenly" be found to be too great and would result in slower adoption or reversal of electronic commerce tools by business is a very serious allegation. I think electronic commerce, in general, is a good thing and should be promoted. However, the creation of certainty by statute is not necessarily the optimal first step. The certainty created by the UCC took decades to develop (and is still in flux) and reflected - not led - business practice. We can easily create certainty by statute, but the question of the desirable exact scope and content of those statutes has yet to be determined and, in the area of PKI, law makers should make those determinations based on markets that have already emerged. No government has ever regulated a market into existence. We shall not do so with PKI legislation. This market will emerge as a result of the interplay between supply and demand - and that is how it should be. Is it true that rational business people would choose not to enter this market in the absence of legislation giving them liability limits, special evidentiary presumptions and a list of proscriptive business process and technical requirements to follow? If so, then the market is not ready to emerge. If, on the other hand, the market is viable and capable of standing on its own, then we have a public duty to create a sound legal infrastructure to support it. That includes attacking regulation, unwise taxes, bizarre industrial age writing/signing laws and other defined obstacles. In time, we may also wish to enact some of the legal models proposed by members of this list. Those decisions should be based on a close examination of the market and any problems that can be conclusively linked to defined market failures and for which there is a high likelihood that legislative action is the most appropriate tool to remedy the problem.
[Finally, it has also been stated on this list]:
"I confess that I am somewhat dismayed by all of this, for it is as though the last five years of intensive effort that over 100 of us invested in trying to draft the ABA Guidelines has gone for naught, as the individual states and the various vested interests have all gone off in their own individual directions."
Don't despair, we are engaged in a longer (and better) process than you previously thought you had signed up for. It is fair to say that the last five years of work by one committee of one division of one section of one professional association (the ABA) of one country did not result in the final word on this matter. Though I was quite late to the process, my name is also on the ABA guidelines as a Contributing Author. Thanks to the work of the committee, and Utah, and several other sources, we are now in a position to work out more of the issues than we otherwise would have been at this point in time. Did you really expect states to stand up and salute? We are blessed with a system of 50 legislatures that forces an amazing depth and breadth of critical debate on such issues. Between the state legislatures, the executive branches, the courts and the other levels of government now involved in these matters, I believe we are less likely to arrive at an ill-advised course of action. However, all branches and levels of government would do well to resist the impulse to regulate, legislate and otherwise pronounce on electronic commerce and to get out of the private sector's way at this vital early phase of market development.