
ABA PKI Evaluation Guidelines:

The Law and Digital Signatures

Information Security Committee

American Bar Association (ABA)

Section of Science and Technology

Presentation to The Open Group Conference

Copenhagen, Denmark

27 April 1999

Page 2

27-Apr-99 The Open Group Conference, Copenhagen, Denmark 2

Introduction

• Information Security Committee, Section of Science and Technology, Electronic Commerce Division
• Over 300 technologists and lawyers from more than 15 countries
• Digital Signature Guidelines, 1996 (see http://www.abanet.org/scitech/ec/isc/dsgfree.html)

Page 3

Introduction (cont’d)

• Michael Baum - VeriSign (U.S.)
• Joe Alhadeff - Oracle (U.S.)
• Janjaap Bos - DSEMCO B.V. (Netherlands)
• Emily Frye - VeriCorp (U.S.)
• Bill Kennair - CyberNotary Association UK (U.K.)
• Charlie Merrill - McCarter & English (U.S.)
• Randy V. Sabett - SPYRUS, Inc. (U.S.)
• J. F. Sauriol - Labcal Technologies (Canada)

Page 4

Goals today

• Introduce PKI Evaluation Guidelines (PEG)
• Interactive dialog regarding diverse requirements and initiatives
• Collaboration/harmonization/assimilation
• Discuss need for recognized global standard
• Formalized baseline for global interoperability of PKI

Page 5

Challenges in PKI

• Trust, confidence, certainty
• Risk management
• Interoperation
• Self-regulation
• Quality assurance

Page 6

PKI Evaluation Guidelines (PEG)

• Project begun in late 1996
• Extends beyond digital signatures to support diverse applications and entities in a PKI
• Intended to bridge legal, business, and technical aspects
• Guidelines, not criteria
• Work-in-progress

Page 7

The PEG Audience

• Anyone involved in PKI deployment, including:
  – Criteria (policy) adopting or defining bodies
  – Accrediting body
  – Evaluators
  – Authors of CPs
  – Adopters of CPs
  – Those involved in dispute resolution

Page 8

PEG Terminology

• “Accreditation” of evaluators of PKI
• “Evaluation”: broad term, encompassing
  – “Assessment” of a PKI for purposes of building legal and technical interoperability
  – “Auditing” of PKI components after deployment to determine whether the PKI conforms to the applicable CP

Page 9

One example of process…

Accreditation Process

[Figure: accreditation process diagram. Entities: Subscriber (1), Relying Party (2), Certification Authority (3), Policy Authority (4), Evaluator/Lab (5), Accreditation Body (6), Recognition Authority (7); artifacts: Certificate Policy, CPS. Edge labels: “adopts”, “evaluates”, “accredits”, “recognizes the validity of”, and four “influences” edges. Key: Subject / Object. A boundary marks the scope of the Digital Signature Guidelines (ABA ISC 1996).]

Page 10

PEG Structure

• Main topics:
  – Understanding PKI
  – Process for PKI Evaluation/Accreditation
  – Elements of PKI Evaluation/Accreditation
  – Legal Preface
  – PEG Methodology for Evaluation/Accreditation
  – PKI Evaluation Guidelines
  – Appendices

Page 11

PEG Structure (cont’d)

• Address diverse PKI models
  – “One size does not fit all”
• Matrix concept
  – RFC 2527 (also known as PKIX Part 4) provides the rows
  – Different vertical markets comprise the columns (e.g. the financial services industry)

Page 12

PEG Structure (cont’d)

• Introduction
• General Provisions Covering Legal/Business Issues
• Initial Validation of Identity and Authority
• Certificate Life Cycle Operational Requirements
• CA Facility and Management Controls
• Technical Security Controls
• Certificate and CRL Profiles
• Specification Administration
• Some differences from RFC 2527

Page 13

Selected Legal and Policy Issues

• Legal regimes
• Consumer and privacy issues
• Distinction between CP and CPS
• Liability of parties in PKI

Page 14

Selected Legal and Policy Issues (cont’d)

• Legal presumptions
• Evidentiary issues
• Separation of roles in certificate lifecycle
• Incorporation by reference

Page 15

Current state of international law

• UNCITRAL
  – Model Law on Electronic Commerce
  – Electronic Signature Rules
• OECD: Cryptography Guidelines
• ICC: GUIDEC
• European Union
  – Directives on Electronic Signatures
  – Directives on Electronic Commerce
• UINL: Ongoing educational process

Page 16

Civil law and common law

• Codification versus precedent through litigation
• Possible differences
  – Binding nature of judicial decisions
  – Legal presumptions
  – Incorporation by reference
  – Form requirements
• Base all future actions on legislation in either type of jurisdiction, or leave it to the open market?

Page 17

Consumer and privacy issues

• Does the concept of “consumer” map to specific parties in a PKI?
• Need for minimum requirements between parties?
  – obligation to protect private key
  – obligation to verify certificate status
  – liability allocation
  – notice and disclosure
• Collection & use of personal information
• Applicability of various guidelines & initiatives

Page 18

Distinction between CP and CPS

• The CP specifies the requirements (the “what”)
• The CPS specifies how the CA complies with those requirements (the “how”)
• Which governs the rights between the parties when the CP and the CPS differ?
• Model independent...

Page 19

Separation of roles in the certificate lifecycle

[Figure: four alternative arrangements (1 to 4) in which the CA, CMA, RA and Repository functions are combined or separated, each serving Users (subscribers and/or relying parties). Legend: CA = Certification Authority; CMA = Certificate Management Authority; RA = Registration Authority.]

Page 20

Liability of parties in PKI

• CA liability to the relying party for wrongful issuance of a certificate
• Liability of the subscriber to the relying party when the subscriber’s private key is compromised

Page 21

Legal Presumptions

• Traditionally the relying party has the burden of authenticating the signer’s identity.
• “Electronic signature,” “digital signature,” other types of enhanced signatures
• Understanding burdens and presumptions
• The Digital Signature Guidelines proposed a new rebuttable presumption that a digital signature was created by the subscriber named in the certificate issued by a CA

Page 22

Legal Presumptions (cont.)

• Rebuttable presumption by legislation:
  – EU Mar 98 Draft Directive, Utah (95), 5 other U.S. States (1996-99), Germany (97), Italy (98), Spain (99)
• Rebuttable presumption allowed by regulation:
  – Canada Electronic Signatures Bill C-54
• Little or no effective presumption:
  – UNCITRAL Draft Model, NCCUSL Uniform Electronic Transactions Act, U.S. S.761 Millennium Digital Commerce Bill

Page 23

Legal Presumptions (cont.)

• Arguments FOR a legal presumption
• Arguments AGAINST a legal presumption
• Broad commercial use of PKI will not wait for the legislative outcome
• Absence of a legislative presumption will simply mean more business for trial lawyers until a judicial presumption emerges.

Page 24

Evidentiary coverage

• What is a signature?
• Elements? (e.g. public key, signature, CRL, time and date stamp)
• Extrinsic evidence involving the facts and circumstances of the transaction?
• Expert testimony as foundation

Page 25

Incorporation by reference

• Technical limitations on the size of a certificate
• Publication of terms (ETERMS repository)
• Incorporation of legal terms (CP)
• Notification (end user software)
• Legal limitations (civil/common law)
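The technical mechanism behind these bullets, shown as an added example written for this page (it is not ABA/ISC material and not code from any project the talk names): a PKIX certificate does not carry the CP text. In the certificatePolicies extension (RFC 2459 at the time of this talk, now RFC 5280) it carries the CP's object identifier plus optional qualifiers, a CPS pointer (a URI) and a user notice that end-user software can display. The block below encodes and decodes that extension in DER with the Python standard library only, and adds the relying-party side: a check that the certificate asserts a policy OID from the relying party's acceptable set. The policy OIDs under 2.999 (the ASN.1 example arc), the CPS URL and the notice text are hypothetical. The whole extension comes to about 120 bytes whatever the length of the CP document it points to, which is the size argument in the first bullet.

```python
"""certificatePolicies in DER: how a certificate incorporates a CP by reference.
Added example for this page, not ABA/ISC code; standard library only. The CP OIDs
(under the ASN.1 example arc 2.999) and the CPS URL are hypothetical."""
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # PKIX qualifier: pointer to the CPS (IA5String URI)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # PKIX qualifier: user notice for end-user software to display
EXAMPLE_CP_OID = "2.999.100.1"               # hypothetical CP identifier (assumption)
EXAMPLE_CPS_URI = "https://ca.example/cps"   # hypothetical CPS location (assumption)
EXAMPLE_NOTICE = "Issued under CP 2.999.100.1; see CPS for terms."

def _tlv(tag, body):                 # DER TLV, definite length (short or long form)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _base128(n):                     # OID subidentifier: 7 bits per byte, high bit = "more follows"
    out = bytearray([n & 0x7F])
    while n >> 7:
        n >>= 7
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one subidentifier
    return _tlv(0x06, b"".join(_base128(s) for s in subids))

def encode_certificate_policies(policies):
    """policies: iterable of (CP OID, CPS URI or None, user-notice text or None)."""
    infos = []
    for oid, cps_uri, notice in policies:
        quals = []
        if cps_uri is not None:   # PolicyQualifierInfo { id-qt-cps, IA5String }
            quals.append(_tlv(0x30, _encode_oid(ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii"))))
        if notice is not None:    # PolicyQualifierInfo { id-qt-unotice, UserNotice { explicitText UTF8String } }
            quals.append(_tlv(0x30, _encode_oid(ID_QT_UNOTICE) + _tlv(0x30, _tlv(0x0C, notice.encode("utf-8")))))
        qualifiers = _tlv(0x30, b"".join(quals)) if quals else b""   # policyQualifiers is OPTIONAL
        infos.append(_tlv(0x30, _encode_oid(oid) + qualifiers))      # PolicyInformation
    return _tlv(0x30, b"".join(infos))                               # SEQUENCE OF PolicyInformation

def _read_tlv(buf, pos):             # returns (tag, contents, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(body):
    subids, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, head + subids[1:]))

def parse_certificate_policies(der):
    """Return one {'oid', 'cps', 'notice'} dict per PolicyInformation in the extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result = []
    for _, info in _children(body):
        parts = _children(info)
        entry = {"oid": _decode_oid(parts[0][1]), "cps": None, "notice": None}
        for _, qual in (_children(parts[1][1]) if len(parts) > 1 else []):
            (_, qid_body), (_, qval) = _children(qual)
            qid = _decode_oid(qid_body)
            if qid == ID_QT_CPS:
                entry["cps"] = qval.decode("ascii")
            elif qid == ID_QT_UNOTICE:   # only a UTF8String explicitText is decoded; a noticeRef is skipped
                entry["notice"] = next((v.decode("utf-8") for t, v in _children(qval) if t == 0x0C), None)
        result.append(entry)
    return result

def relying_party_accepts(der, acceptable_oids):
    """Relying-party check: the asserted CP that the relying party recognises, or None."""
    acceptable = set(acceptable_oids)
    return next((e for e in parse_certificate_policies(der) if e["oid"] in acceptable), None)

def build_example_extension():       # two hypothetical CPs: one with CPS pointer and notice, one bare
    return encode_certificate_policies([(EXAMPLE_CP_OID, EXAMPLE_CPS_URI, EXAMPLE_NOTICE), ("2.999.100.2", None, None)])

if __name__ == "__main__":
    ext = build_example_extension()
    print(len(ext), "bytes:", parse_certificate_policies(ext))
```

Two points for relying-party software follow from the encoding. The certificate's signature covers the policy OID and the CPS pointer, not the document behind the pointer, so the CPS text fetched later is not itself authenticated by the certificate; the OID is what the relying party should match against its acceptable-policy set, and a certificate asserting no acceptable policy should be rejected rather than warned about. The user notice is the only part of the legal terms that the end-user software can show at the moment of reliance, which is the "Notification" bullet above.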

Page 26

Related Activities

• ETERMS Project
• Certification Services Agreements and Model Clauses
• PKI Industry Association

Page 27

ETERMS Notices/Disclosures

• Practice variations are becoming an obstacle to the growth of global electronic commerce
• ETERMS provide a market-based solution to inconsistent notice/disclosure terminology
• Initial application will be between commercial entities
• Result: harmonize the implementation of notices/disclosures in end-user applications

Page 28

Relationship Models

• Open/Unbounded Models
  – CA ↔ Business →
  – CA ↔ Consumer/Individual →
• EDI / Existing Relationships to PKI (Addendum)
  – Business ↔ Business over a PKI

Page 29

Relationship Models (cont’d)

• Privity Models
  – [CA ↔ Business] ↔ Consumer
  – CA ↔ Business ↔ [Business or Consumer]
• Non-transactional / communication model
  – Individual ↔ Individual over a PKI

Page 30

Global PKI Industry Association

• General education
• Promotion of self-regulation
• Policy development and advocacy
• Develop and advance industry practices

Page 31

Wrap up

• Liaisons (who else?)
• Harmonization or unification?
• Collaboration: next steps