Jane K. Winn

SMU School of Law

Dallas, TX 75275-0116

 Draft February 5, 2001

 

Idaho Law Review Symposium on Uniform Electronic Transaction Act

 

The Emperor’s New Clothes:  The Shocking Truth About Digital Signatures and Internet Commerce

 

I.  Introduction:  The Hype Surrounding Digital Signatures

II.      The Original Consensus:  Digital Signature as Signature

  1. Does the metaphor of "signature" make sense for asymmetric cryptography?

B.  Why do signatures matter in traditional contracting practices?

C.  What does “non-repudiation” mean?

III.     Commercial Applications of Digital Signature Technology

IV.  Law Reform and Authentication in Electronic Commerce

IV.    Conclusion

Appendix:  Asymmetric Cryptography, Digital Signatures and Public Key Infrastructure

 

So off marched the emperor in the procession under the beautiful canopy, and everybody in the street and at the windows cried: 'Aren't the emperor's new clothes wonderful!  What a lovely train he has to his robe!  What a splendid fit!'  Nobody would let on that he couldn't see anything, because then he would have been unfit for his job or very stupid.  Never had the emperor's clothes been such a success.

             'But he hasn't got anything on!' cried a little child.

            'Dear me! Listen to what the pretty innocent says!' cried its father.  And it was whispered from man to man what the child had said.

            '"He hasn't got anything on," says a little child.  "He hasn't got anything on!"'

            'Why, but he hasn't got anything on!' they all shouted at last.  And the emperor winced, for he felt they were right.  But he thought to himself:  'I must go through with the procession now.' And he drew himself up more proudly than ever, while the chamberlains walked behind him, bearing the train that wasn't there.

 

                                    The Emperor’s New Clothes, Hans Christian Anderson

translated by Reginald Spink (1960)

 

I.  Introduction:  The Hype Surrounding Digital Signatures

 

It has been an article of faith for several years now among many observers that digital signatures[1] will be the “next big thing” for in Internet commerce.[2]  Digital signatures, authenticated with reference to certificates administered within a “public key infrastructure” bear tremendous promise as a solution to the problem of establishing the identity of parties doing business in cyberspace.  That unrealized potential is consistently mistaken for actual use in the marketplace, however, leading to countless wildly inaccurate journalistic accounts of digital signatures as the “most popular” or “most important” system for Internet contract formation.[3] 

 

Yet in early 2001, the number of Internet contracts that were being formed in reliance on digital signature certificates still appears to be trivially small in number, if not actually zero.[4]  Furthermore, there is no indication that situation will suddenly change in the near future.  After years and years of enduring mind-numbingly dull explanations of asymmetric cryptography, hash functions, public key infrastructures and stories of Bob and Alice who want to communicate with the assistance of Carol certificate authority,[5] perhaps the time has come to admit that the market reality has not matched the hype.  This might also be a good time to analyze how the enthusiasm for this technology could have reached such feverish heights in the absence of any significant use in the marketplace, and how that enthusiasm can persist today in the face of fairly compelling evidence that the hype will never be realized.

 

            In the Hans Christian Anderson fairy tale, charlatans deceive the emperor and his advisors into paying for clothing that simply does not exist by claiming that anyone who cannot see the clothing is unfit for his job.  When the emperor finally walks down the street displaying what he believes are his new clothes, a child points out his nakedness.  The credibility of the innocent child finally cuts through the duplicity and fear of the adults who were afraid to say what they saw and ends the charade.

 

            The story of how digital signatures came to be over-hyped and underutilized in electronic commerce is a bit more complex than this fairy tale.   In general, digital signatures and public key infrastructures are important examples of encryption technologies that today play a major role in electronic commerce and information system security.  It seems likely, moreover, that role of encryption technologies in general and digital signatures and public key infrastructures in particular will continue to grow in the future.  So the idea that digital signatures are or will be an important element of Internet commerce is not per se a fraud or an illusion.  The specific application of asymmetric cryptography to create the functional analog of an old fashioned manual signature on a contract may well prove to be an illusion, however.[6]  There is mounting evidence that trying to use asymmetric cryptography as a signature on a contract is like trying to fit a square peg into a round hole, and the effort to get that square peg into that round hole has created a phenomenal sink hole into which countless individuals and organizations have poured vast resources with no tangible payoff in sight yet.

 

            Those promoting digital signatures and public key infrastructures have not generally been charlatans of the type Anderson describes, although most may have had pecuniary motives for promoting a particular technology as the “next big thing” in Internet commerce.  Since countless individuals and organizations with pecuniary motives promote particular technologies as the “next big thing” in electronic commerce, that is not even evidence of bad faith.  Rather promotion of proprietary technologies as supposedly essential elements of the architecture of electronic commerce is business as usual in information economy markets where vaporware and hype are standard operating procedures and parties are routinely locked in mortal combat trying to secure “first mover” advantages.  If relatively few technologies have a chance to become incorporated into the network architecture of electronic commerce, but those few that succeed have a shot at vast profits secured by strong network effects, then astute buyers should merely discount such claims accordingly.  One of the most interesting puzzles surrounding digital signatures is how so many individuals and organizations that should have known better could have been duped into falling for the hype for so long in the face of mounting evidence of its inaccuracy.

 

            The fear of the bureaucrats in Anderson’s fairy tale may have a counterpart in the story of digital signatures hype.  In the face of an apparent global consensus that digital signatures would indeed be the next big thing, those who expressed skepticism about the inevitability of the adoption of this technology risked looking like Luddites[7] or ignoramuses.   The global consensus about the inevitability of digital signatures may have at least a partial basis in fact:  it is quite likely that this technology will be widely deployed to enhance network security.  That outcome remains possible even if it is never used as the analog of a manual signature in traditional contracting practices.  The durability of the hype surrounding digital signatures seems also to be due in part to the willingness of individuals to accept at face value information they have obtained from questionable sources and repeat it without bothering to confirm the accuracy of factual allegations.

 

            The truth of the factual allegation that digital signatures the most popular form of online authentication in electronic commerce is surprisingly difficult to establish.  By all accounts from disinterested parties, it may be one of the least popular forms of online authentication if the standard is number of contracts formed or dollar value of transactions entered into in reliance on a digital signature certificate.[8]  The simple fact that no one is using digital signatures as signatures in electronic commerce is constantly obscured by references to the fact that pilot projects are underway or have succeeded, or that standards groups are making rapid progress toward completing their work, or that experts all agree that digital signatures are indeed the "next big thing" that no self-respecting electronic commerce cognoscenti can live without. 

 

As a result of apparently endless recycling of the contents of public relations press releases[9] or mistaking a description in a statute of a type of business practice for information about the actual popularity of that business practice in the marketplace, the notion that digital signatures are the most widely used form of authentication in electronic commerce today has taken on something of the status of an urban legend.  No number of thoughtful refutations of the proposition seem able to kill it off.[10]  After it has been defeated in one arena, such as the US Congress, then like the hydra it reappears in its original form and multiplies in new arenas, such as the UNCITRAL working group on electronic commerce or the EU Electronic Signatures Directive.

 

            A major part of the problem lies in equating what asymmetric cryptography and a public key infrastructure do in the online context with what a manual signature does in traditional contracting contexts.  Traditional signatures play a surprisingly nuanced and complex role in traditional contracting practices that proving very difficult to map onto online security technology functions.  Not all contracts require a signature to be enforceable, and not all signatures evidence a signer’s intent to enter into a binding legal relationship.  To apply the term “signature” to the processes performed using asymmetric cryptography, x.509 certificates and a public key infrastructure is at best a metaphor and at worse simply misleading.  The poor fit between the metaphorical label “signature” and the security functions performed by digital signatures and public key infrastructure is not immediately apparent to casual observers.  Many sophisticated observers who noticed the poor fit had a pecuniary motive not to make the mismatch explicit.  Add to these information asymmetries and conflicts of interest the froth and manic energy of an Internet driven speculative bubble, and few were interested in hearing the rather long, complicated story of why digital signatures were not the “next big thing.”

 

            This article is part of a symposium on the Uniform Electronic Transactions Act (UETA).  Given that the UETA takes no position on the merits of digital signature technology at all, an extended discussion of the lack of success to date in the use of digital signatures in electronic contracts might appear to be a digression from the central focus of the symposium.  I will argue that, on the contrary, the UETA "technology neutral" perspective taken is clearly the most appropriate legislative response to the question of how digital signatures will be used in electronic contracts.  I will argue that a technology neutral approach is a better legislative approach than "technology specific" statutes that promote the use of digital signatures or even hybrid statutes that try to recognize digital signatures as well as alternative technologies.  A technology neutral approach to authentication and network security permits private parties to develop solutions through standard setting organization and to commit to implementing those standards through private agreements or system rules.  Managing the rights and obligations of the parties through standards and private agreements permits those with knowledge of market conditions to continue to adapt and evolve information security models more rapidly and more rationally than is possible through the cumbersome and inexact process of legislation. 

 

This article will summarize the original consensus regarding the role of digital signatures in electronic commerce, explain why that consensus was mistaken on many points, describe commercial applications of digital signatures that are gaining market share today and contrast them with the original consensus, and consider the implications of a mass misperception of this magnitude for the future of electronic commerce legislation in the global information economy.   A brief description of digital signatures and public key infrastructure is included in an appendix to the article.

 

II.  The Original Consensus:  Digital Signature as Signature

 

The first public key cryptographic system[11] was described in 1976 by Whitfield Diffie and Martin Hellman.[12]  A short time later, Ronald Rivest, Adi Shamir, and Len Adelman developed another public key system.[13]  The great advantage of a public key system is that it permits individuals to use two different but related keys to maintain the confidentiality of their communications. One key, the private key, is kept secret by the owner, while the other key, the public key, can be widely distributed. The two keys are mathematically related, but one of the features of public key cryptography is that it is computationally infeasible to derive one key from knowledge of the other.  A system within which public keys are distributed is often referred to as Apublic key infrastructures@[14] (PKI) and are designed to lower the costs associated with distributing public keys while minimizing the risks of fraud and error.  The most widely known model of a PKI is based on the model of a telephone directory.[15]  This model was first advanced by Diffie and Hellman in a paper published in 1976,[16] and expanded with the notion of Acertificates@ by a paper published in 1977 by Loren Kohnfelder, then an undergraduate at MIT.[17]

 

            It has been widely assumed for a decade or more that digital signatures used in combination with digital signature certificates distributed by trusted third parties within a public key infrastructure of some description would revolutionize electronic contracting practices.[18]  Digital signatures would provide a stable, reliable form of online identity for individuals and certificates would form a stable, reliable form of online identity card.  Individuals would safeguard their private keys, accessing them only under appropriate circumstances to authenticate electronic records.  Digital signature certificates issued and managed by responsible parties would be included with electronic contracting messages to provide counterarties with a quick, simple way to confirm the real world identity of the author of the electronic communication.  The original consensus regarding the role of digital signatures in electronic contracting assumed that a migration away from older online authentication systems[19] toward digital signatures administered within a public key infrastructure.  Within that consensus, there were vigorous debates about how the private key required to create a digital signature should be kept secure and how the public key infrastructure should be designed and administered.  Of course there were also dissenters from the consensus who argued that the gap between the state of the art of private key security and public key infrastructure design on the one hand, and the needs of transacting parties using the Internet or other networked communication systems today were simply too great to be bridged in the foreseeable future.[20] 

 

One major obstacle to wide scale deployment of digital signatures in electronic contacting systems seems to be the complexity of the business administration systems it purports to replace.  In order to use digital signatures as a functional analog of the messy patchwork of systems now used to authenticate the identity and good faith of contracting parties, the policies and hierarchies that make up a public key infrastructure would have to be integrated with other elements of business information systems that are necessary to permit contract negotiations and contract formation to be automated.  The policies and hierarchies of individual organizations as well as those supporting the public key infrastructure would have to be standardized for automated transaction processing to be possible among parties with no prior business relationship.  After nearly a decade of work in this area, the problem seems no closer to resolution that it was five years ago.

 

            There are several problems with the original consensus regarding digital signatures in electronic commerce.  One is whether the metaphor "signature" is appropriate for a technology that was originally designed to manage entries in a telephone directory.  A second is identifying the function a signature serves in traditional contracting practices.  A third set of problems are those created by borrowing concepts that make sense in technological standards and trying to insert them into legal analyses in order to change the law applicable to the technology, or borrowing legal concepts and trying to insert them in technological standards in an attempt to expand the range of functions the technology can accommodate.

 

A.  Does the metaphor of "signature" make sense for asymmetric cryptography?

 

            The standard model of digital signatures and public key infrastructure is based on the  X.509 standard established by the International Telecommunications Union.[21]  The X.500 standard was developed to facilitate the use of telephone directories over a distributed telephone network such as might be found within a multinational corporation.  Different parts of the directory could be stored at different locations on the network, such as the branch office where the individuals whose telephone numbers were listed were employed.  Any individual wishing to look up the listing for another individual would have not trouble accessing the information without regard to where the listing was actually maintained and stored.[22]

 

            When the X.500 standard was being developed during the 1980s by the ITU, the possible use of certificates issued to associate a real world identity with a particular private key was one of the issues addressed.[23]  The X.509 standard sets forth a description of how a digital signature certificate should be organized.  By standardizing the content and presentation of the information contained in a certificate, automated processing of certificates would be possible, as well as exchanges of certificates from different domains.   Within a few years, the original X.509 standard, which was designed with a distributed telephone directory in mind, was deemed to be too limited in scope to meet the needs of engineers designing network communication systems and was revised.  The X.509 standard that is widely used in electronic commerce applications is version 3 ("X.509 v.3).[24]

 

            The X.509 v.3 standard permits not just an identity to be specified in a certificate, but also policies that govern the certificate's use to be specified.  This extension of the X.509 standard to include more than a simple real world identity to include policies that might describe the scope of authorized actions in the online environment was thought to be key to extending the use of digital signature certificates into electronic contracting.  For example, an X.509 v.3 certificate might limit its use to transactions below a specified dollar amount, or within a specified geographical region, or to a specified product line.  If the electronic contracting systems of counterparties standardize their policies regarding authority to form contracts, then a vendor's fulfillment system could review the limitations in a digital signature certificate and without human intervention make a decisions whether or not to accept a purchase order submitted by a prospective purchaser.

 

            Just because an X.509 v.3 certificate contains information about the identity of an individual and may also contain information about the authorized scope of the certificate’s use or the authorized scope of the individual’s actions online does not mean it is the analog of a signature.  A signature is defined by the Restatement (Second) of Contracts as:

 

…any symbol made or adopted with an intention, actual or apparent, to authenticate the writing as that of the signer.[25]

 

The commentary goes on to point out that a signature is not limited to a handwritten ink signature on paper, but may include a thumbprint, impression of a rubber stamp or arbitrary code.[26]  Under appropriate circumstances, the act of affixing a digital signature certificate to a message that has been signed by the private key associated with that certificate might actually constitute a signature, but anyone making such a claim would have to be able to establish a connection between the mental state of the individual to be bound and the act of affixing the certificate and digital signature.  The magnitude and complexity of the network architecture and information system security operating at each node on the network necessary to make that connection in a reliable, routine manner is one of the major obstacles now impeding the implementation of digital signature technologies.

 

            There are several obvious problems raised by trying to tie an identity described in a digital signature certificate with the intention of the identified party to be bound to the contents of an electronic record.  These include whether the correct person has accessed the private key associated with the digital signature being used; and if a person other than the identified person has used the digital signature, how that person was able to gain access without authorization and who should bear responsibility for that unauthorized access.  The breach in security may occur at the level of the end user’s failure to take reasonable steps to safeguard access to a private key, or it may occur because the software and hardware used to store the private key have not been made reasonably secure.  Before a digital signature can be presumed to be analogs to a traditional manual signature, the behavior, attitudes and sophistication of individuals using the technology will have to be analyzed as well as the security characteristics of the entire system within which an individual digital signature is used.  At present, due in part to the lack of standardization among implementations and depth of experience with actual use of digital signature technologies as signatures, that information does not yet exist.

 

B.  Why do signatures matter in traditional contracting practices?

 

            When parties form agreements that they expect will be given legal effect, a signature may or may not be part of the process of contract formation.  A signature is one type of evidence that that one of the parties intended to enter into a legally binding relationship, but it is not the only type.  In some cases, a signature may not even be a necessary piece of evidence.  Just what kinds of evidence of the intention of the parties to enter into a binding agreement will be used in any specific transaction will vary according to the context, including the subject matter for the particular transaction, the communications media the parties are using, the course of dealings between the parties, and the normal business practices in the market or industry.  In some situations, the law may require a party seeking to enforce its rights to produce a writing signed by the party against whom enforcement is sought, but such requirements are scarcely universal.[27]

 

            Once the metaphor of signature had seized the imagination of those looking for new commercial applications for digital signature technology, however, the search for the “law of signatures” began.  In light of the characterization of asymmetric cryptography and a public key infrastructure as a “signature,” an obvious research problem was to find the existing law of signatures to determine if it would validate the use of this new technology.  Such research efforts uncovered surprisingly little “law of signatures” – some references in digests such as AmJur and some discussion in negotiable instruments law treatises of the proof of signatures on negotiable instruments, but no law review articles at all prior to the 1990s.[28]

 

            Finding a reason why “the dog didn’t bark” is always a problematic undertaking, but it is possible to conjecture why signatures were largely a non-controversial subject in legal doctrine until very recently.  It is possible that the common law of contracts came to accept a signature as part of the proof that should be offered of intent to be bound so many centuries ago, and that the practice has continued for so long with relatively little change, that the topic scarcely seemed worth of discussion.  Under the medieval common law writ system, signatures were irrelevant to the formation of binding obligations in an era when few could read or write.  Rather a covenant under seal was the form of action that was used to enforce what in modern terms might be thought of as a contractual obligation.[29]  The pleading rules for covenant under seal were highly formalistic:  if a person’s seal had been used to authenticate a document, the only defense was to deny the fact that it was the defendant’s seal; mere unauthorized use of a seal was not exculpatory.[30]  Modern contract law grew out of the writ of trespass, not covenant under seal, when the cause of action for trespass on the case in assumpsit permitted enforcement of undertakings that lacked the formality of covenant.[31]  The use of the writ of trespass to give common law courts jurisdiction over undertakings that lacked the formalism of covenants occurred in the 14th century.[32]  By the 20th century, methods for proving informal agreements were so well established and so uncontroversial that the topic seems not to have merited sustained discussion outside of relatively limited contexts such as the statute of frauds or evidence law.

 

            When the technological baseline shifted from some form of handwritten signature and some form of paper record to electronic communications media, anyone trying to map the existing law of signatures onto new commercial practices found no lengthy discussions in general terms of the significance of signatures in contract law.  The definition of the issue took roughly the following form:  1) as a practical matter, digital signature technology can replace traditional manual signatures in contract practice; 2) businesses will be discouraged from adopting this new technology, however, if contracts formed with digital signatures are not enforceable to the same extent as traditional paper contracts with manual signatures; 3) if a contract is subject to a statute of frauds requirement of a signed writing, and that requirement is interpreted to mean a manual signature on paper, then that will limit the enforceability of contracts signed with digital signatures; 4) so the significance of “signed writing” within the context of the statute of frauds must be clarified.  Over the last 10 years, many attempts have been made to address this issue, although most of the resulting accounts of the role of signatures in contract law were not neutral, disinterested historical studies.[33]  Most of these very recent accounts were colored by the conviction that digital signatures were not only the logical and inevitable successor to manual signatures on paper but were also superior to traditional signatures for a variety of reasons.

 

            Studies of the role of signatures in contract law undertaken in this context suffer from at least two distorting assumptions:  the legal significance of signatures generally can be understood by generalizing doctrines found within bodies of law that make express reference to signatures, such as negotiable instruments law or the statute of frauds; and second, that current contract practices lack the technological refinement and rigor that will be possible when new, more powerful authentication technologies are used.   These distorting assumptions may result in seriously flawed conclusions if the traditional methods of contract formation never relied exclusively or even primarily on authentication of manual signatures.  For example, if the contracting parties were in a long-term relational contract,[34] authentication might rely primarily on oral communications over the telephone, or by making reference to information generated over a long-term course of dealing between the parties.[35]  Even in contracts between strangers, there may be a lack of formality that leads the parties to rely on information such as telephone or face to face conversations, references from friends, advertising and brand image, or even credit report data to ascertain reliability of an expressed intention to form a binding contract.  Obtaining a valid signature is merely one element in a larger problem that the contracting parties are trying to solve:  the creation of an agreement that is a “legal, valid and binding obligation…[that] is enforceable…in accordance with its terms.’[36]  The focus on the common law of signatures as the antecedent to digital signature laws is too narrow, and overlooks the wide range of factors that might be taken into account in assessing the likelihood that a contract formed by traditional means will be enforceable.

 

C.  What does “non-repudiation” mean?

 

In lieu of the legal notion of a  “legal, valid and binding,” obligation used by transactional attorneys to express their objective when documenting agreements, the term “non-repudiation” is often used in discussions of digital signatures and often appears intended to convey a similar meaning.  A digital signature certificate includes information such as the name of the person or entity to which the certificate was issued, and information about policies governing the contexts in which the certificate may be used.[37]  One piece of information a digital signature certificate may include is whether the digital signature is non-repudiable.  A signature is made non-repudiable through the activation of the “non-repudiation” variable in the certificate.[38]  This option was added to the X.509 standard for digital signature certificates in order to minimize the risk that a party accepting a digitally signed document would later find that the signing party “repudiated” its liability.

 

If an agreement is legal, valid and binding, then it has succeeded in modifying the rights and obligations of the parties to the agreement.  If the non-repudiation bit is turned on, then the electronic contract should be binding on the parties.  But flipping on a switch in a digital signature certificate is only one of the many pieces of evidence a court would evaluate before coming to the conclusion that an agreement is enforceable.  Notwithstanding this non-congruence between the concept of an enforceable contract and activating the non-repudiation bit in a digital signature certificate, the concept of “non-repudiation” has been creeping into the discussion of electronic contract formation.  Muddying the distinction between a legal conclusion and a technological function has contributed to the persistence of the notion that digital signatures are the “next big thing” in electronic contracting.

 

            In principle, it is easy to understand what problems the non-repudiation bit is designed to solve.  For example, anyone would understand the difference in meaning between initialing a telephone message taken for another person and signing a mortgage note; between waving a hand to catch the attention of a waiter and waving a hand to make a bid at an auction house; or between shaking hands to greet someone just introduced by a third party, or shaking hands to indicate that a deal has been struck.  In the online environment, communications are stripped of many of the contextual clues that help the parties to gauge each other’s intentions.  The non-repudiation bit could provide an unmistakable signal of intent to form a binding agreement.  The problem with conflating the activation of the non-repudiation bit with the formation of a binding contract generally is that it is possible that the bit has been activated by without the conscious participation of the party who would be bound by it.  If a connection cannot be established between the activation of the non-repudiation bit and the intent of a person capable of forming a contract, then the digital signature certificate is no more effective with the non-repudiation bit activated than with it turned off.  Trying to insert the notion of “non-repudiation” into the common law of contracts is at best redundant and at worst misleading.

 

The term “non-repudiation” is not a term that currently has any significance in contract law, and its significance in other bodies of law does not clearly indicate that it a concept that contract law needs to assimilate to retain its relevance in the 21st century.  The term has been used in the context of “non-repudiation” of collective bargaining agreement under National Labor Relations Act;[39] “non-repudiation” of an earlier decision by the Atomic Energy Commission;[40] “non-repudiation” of an ERISA plan;[41] “non-repudiation” of a confession by a criminal;[42] ‘non-repudiation” by trustee of fiduciary duty to beneficiary;[43] and “non-repudiation of agent’s act by principal who accepts benefit.[44]  The first time the term was used in the context of cryptographic functions, it appeared in the recent Bernstein v. Dept of State case, but that case dealt with the issue of whether cryptographic communications were protected speech for First Amendment purposes, not contract formation.[45]

 

 

            Any form of computer security can be understood as a chain that binds the participants in the information system.  The security of the system is only as strong as the weakest link in the chain.[46]  The activation of a non-repudiation bit communicates nothing if there is a weak link in the security technology chain that purports to bind a person to the contents of a digital signature certificate.  Such a weak link might arise as a result of a confusing interface design which leads individuals to activate the non-repudiation bit without knowing what significance others assign to it; a software application that activates the non-repudiation bit without seeking any confirmation from the person whose intention it purports to express that it should be activated; or a flaw in the design of a security system which permits another person to activate the non-repudiation bit in the digital signature certificate of another person without  authorization. 

 

If there is a design flaw somewhere in the public key infrastructure within which digital signature certificates are distributed and used that permits individuals to be associated with the use of digital signature certificates with the non-repudiation option activated even though they are not aware of it, then the apparent force of contracts formed within the public key infrastructure is illusory.  The strength of security functions elsewhere in the system may be simply irrelevant in trying to determine the reliability of the system overall.  This is why any discussion of how many years it would take to break the security of a cryptographic system by using a brute force attack to guess the value of the key used[47] are usually a red herring that simply distract attention from more important issues. 

 

There are not yet any clear standards regarding what steps users can rea­sonably be expected to take to keep private keys secure, or how users should be alerted to different possible meanings that may be assigned to the use of a digital signature certificate.  If a private key used to make a digital signature is stored on the hard drive of a personal computer and can be accessed by typing in a user ID and password, then the private key is no more secure that the user ID and password are.  If the user tapes his or her user ID and password to the monitor of the personal computer, it would not be possible to say who had accessed the digital signature.  In the absence of well established standards to evaluate the reasonableness of user behavior and human-computer interface designs, the connection between the intention of an individual to be bound by an act executed by computer and the evidence that the act was executed will remain difficult to establish.  The fact that a non-repudiation bit was activated in a digital signature certificate will be one piece of information relevant to a determination that an online contract was formed, but only one of many, and hardly sufficient in and of itself to establish a legal, valid and binding obligation was formed.

           

III.  Commercial Applications of Digital Signature Technology

 

Just because asymmetric cryptography used in a public key infrastructure is not a viable substitute for a traditional signature does not mean that it is not a powerful and important security technology in wide use today.  One of the great commercial successes of digital signatures today is the Secure Sockets Layer (SSL) communication security.  Part of the key to the success of SSL in the marketplace seems to be that it does not perform any functions analogous to a “signature.”  It merely permits communications between a browser running on a personal computer and a server to be encrypted in transit, guaranteeing the confidentially of the communications between the personal computer and the server. 

 

SSL provides assurance to individuals visiting Web sites on the Internet that the sites are genuine merchant sites, and are not operated by a mere hacker masquerading as a legitimate business.  The SSL service also provides assurance that transfers of information between the local computer (or “client”) and the server are confidential and are received intact. Web server applications that support electronic com­merce come with software that manages the keys and the encryption processes in a way that is “transparent” to the visitor to the Web site. In Netscape Navigator or Microsoft Explorer, for example, the local user is only alerted to the fact that communications between the client and the server are encrypted when an icon such as a key or a padlock changes, or a dialog box pops up to inform the user that a secure session will be initiated.  When an electronic commerce site is set up on the server, public and pri­vate keys are generated by a security program, and the public key is used to obtain a certificate from a CA.[48] SSL server certificates are transferred to the client computer for use in the user’s browser, either when the browser is first installed on the local client, or in a communication with the server.[49] When a user accesses a Web site that is SSL-enabled, the server first sends a signed copy of the server’s digital signature certificate, which the local client verifies. The local client next generates a Data Encryption Standard (DES) session key that it encrypts with the server’s public key and sends back to the server. All subse­quent messages sent between the local user and the server will be encrypted with the DES session key, so credit card information or other sensitive information cannot be misappropriated even in the unlikely event it is intercepted.

 

If the metaphor of signature were imposed on the function of SSL, the best that could be said is that the server has a digital signature certificate, but the public key contained in the certificate is used to encrypt something, not to sign something.  Even if it was used to sign something, the signature would be of the server, not of the corporation or individual that owned the server.  It is hard to imagine under what circumstances a piece of machinery such as a server could be deemed to be party to a contract.  Furthermore, there would be no way to show that the user operating the browser software on the personal computer had made a conscious decision to accept something signed by the server, since the authentication of the server’s digital signature certificate is made possible through the use of certificate authority certificates that come “pre-installed” in the user’s browser software.  Given that the user made no decision to trust the certificates pre-installed in the browser software, any act taken following authentication of a digital signature certificate using those pre-installed certificates cannot be said to be taken in reliance on the authentication process performed by the browser software.  So if the SSL application creates anything like a “signature,” it would be the signature of a piece of machinery reviewed and accepted by a piece of software under conditions that do not permit either the machine or the software to be treated as the electronic agent of either machine owner or the software owner.

 

            Just because asymmetric cryptography has not yet successfully been used in a “signature” application in electronic commerce in the US does not mean it never will be, however.  It is possible that standards for the implementation of digital signatures within a public key infrastructure are now being developed and tested, and will be deployed successfully in the next generation of electronic commerce technologies.  There are at least two possible strategies that might make it possible for digital signatures to gain widespread acceptance:  the issuance of digital signature certificates by trusted third parties who are prepared to guarantee the accuracy of the contents of digital signature certificates, and a workable system of cross-certification that would permit certificates issued within different “closed” systems to be accepted by individuals or organizations outside the issuing system.  If a trusted third party were willing in effect to guarantee the enforceability of transactions executed in reliance on the certificates, then digital signature certificates would have an obvious value to prospective online trading partners that have no prior relationship with each other.  At present, no one has yet found a viable business model for issuing certificates and guarantying the contents of those certificates, but this problem may be solved at some point.  Cross-certification might be based on a closed system such as a corporation that issues identity certificates to its employees and permits employees to gain access to resources or perform actions within the system based on the information contained within the certificate.  In order for the second corporation accept the first corporation’s certificates in making decisions whether to grant access to its own resources or permit actions to be taken by employees of the first corporation, the two corporations will have to standardize many internal policies and procedures.  At present, that degree of standardization of corporate policies and procedures has not yet been achieved, but it remains possible that it will be at some point in the future.

 

IV.  Law Reform and Authentication in Electronic Commerce

 

Never try to teach a pig to sing.  It wastes your time and it annoys the pig.

 

                                                                                    American proverb[50]

 

            The Uniform Electronic Transactions Act sensibly refrained from trying to teach any pigs to sing when it adopted a “technology neutral” perspective to the formation of electronic contracts.  Laws such as the Utah Digital Signature Act, which describe a specific implementation of asymmetric cryptography within a public key infrastructure, have been consigned to the margins of electronic commerce when the marketplace failed to embrace their vision of digital signatures.  Merely because a statute does not refer to a particular computer security technology does not mean that the security technology is not vitally important to electronic commerce.  Silence within a statute with regard to technological specifics may rather indicate a decision to leave decisions about the network architecture of electronic commerce to private agreements among the parties and technological standard developing organizations.  Furthermore, silence within a statute with regard to technological specifics does not imply that the statute does not allocate responsibility among the participants to an electronic transaction for the adequacy of the security systems they adopt.

 

            The two most important provisions in UETA that have the effect of allocating responsibility among participants to an electronic transaction for the adequacy of the security systems they adopt are Section 5(b) which provides that UETA applies only to transactions in which the parties have each agreed to the use of electronic media; and Section 9(a) which provides that an electronic record or signature is attributable to a person only if it is in fact produced by an act of that person.  Because UETA does not contain any presumptions that shift the burden of proof, a person seeking enforcement of rights under a contract executed using electronic media wishing to rely on the general validation of such transactions provided by UETA will have to prove the other party’s consent to the use of electronic media and the other person’s actual use of the electronic media in forming the contract.  Because there is not yet in wide use a system that reliably binds a person with online actions, including manifesting assent to the use of electronic media or execution of an electronic signature or writing, the party seeking enforcement will have a very considerable burden of proof to meet as a practical matter.  The risk that an agreement will not be enforceable because the party seeking enforcement could not meet its burden of proof creates economic incentives for parties that wish to enter into electronic agreements on a regular basis to participate in standard setting efforts or the development of system rules along the lines of the Visa and MasterCard system rules or clearing house-type agreements that govern the rights and obligations of parties wishing to enter into electronic contracts.

 

            The UETA approach to dealing with the fact that there is no widely accepted, strong electronic authentication system in place today that can be used in Internet commerce creates a rational risk allocation both for the present and for the future.  At present, there is a bewildering array of pilot projects and press releases touting solutions to the problem on strong authentication for electronic contracts, but no clear indication of which way the market will move when eventually some more advanced form of authentication technology becomes the new market standard.  In a world of many choices but few widely accepted standards, the UETA puts the risk a contract will be denied enforcement on the party that would like to switch from whatever method of forming contracts works today – face-to-face agreement; exchange of faxes; telephone or mail order – to a new method.  That party will have to absorb the costs of researching alternatives and implementing new technologies until more secure alternatives to today’s Internet communications become available.  As a practical matter, that party is more likely to be a business than a consumer, because as repeat players, businesses stand to reap considerable savings by switching from communications media in use today to more sophisticated alternatives.

 

            While it is not possible to predict the future legal framework of online contract formation with any certainty, the automated teller networks in wide use today in the US and around the world offer an interesting vision of what the future may hold.  ATM networks are secured using various security technologies, many of which rely on advanced cryptographic processes that resemble digital signatures created with asymmetric cryptography and administered within a public key infrastructure.  Many of the technological standards that govern those technologies and assure uniformity and interoperability are the product of the American National Standards Institute X.9 Accredited Standards Committee for financial services security standards.[51]  Among the parties free to set their rights and obligations by private agreement, such as depository institutions and merchants, those agreements may require participants in the system to conform to those standards.  Bank supervisory agencies oversee the participation by regulated financial intermediaries in ATM networks to insure that their risk exposure is kept to acceptable levels within the scope of their respective legislative mandates.  Consumer liability for using the ATM network, by contrast, is limited by statutory mandates that force the business parties developing, maintaining and using the network to accept responsibility for the security and reliability of the network.  ATM networks have expanded their reach outside the borders of the US through private agreements with foreign banks, merchants and networks.  There is no analog in the law of consumer electronic funds transfers to the kind of technology specific legislation that has been used to promote the adoption of digital signatures.

 

V.  Conclusion

 

The other day upon the stair, I met a man who wasn’t there.

He wasn’t there again today – oh, how I wish he’d go away.

 

                                                            Ogden Nash

 

            The problem of online authentication is proving more difficult to solve than Internet commerce pioneers anticipated a decade ago.  Notwithstanding the vast sums of money that have been poured into developing and marketing promising potential solutions, the problem today seems nearly as intractable as it was several years ago.  Over the next five or ten years, huge quantities of additional resources will be poured into finding solutions to the problem of secure online authentication.  It is very possible that a standard for secure online authentication will be developed that meets the diverse objectives of transacting parties and that can be incorporated into the next generation of electronic commerce technologies.  It is possible that the “next big think” in strong online authentication systems will be digital signatures, but that outcome now seems much less likely than it did a few years ago.

 

            With so much present uncertainty regarding what standards will ultimately be developed to meet the needs of contracting parties and which among those standards will achieve widespread market acceptance, it seems clear that electronic commerce legislation should not try to promote the use of a particular technology.  The early digital signature statutes did not merely promote a specific technology, they also promoted a specific application for a specific technology: the use of asymmetric cryptography within a public key infrastructure to create the analog of a traditional manual signature.  Many years and untold millions of dollars later, no major market participants have been able to promote widespread use of that technology based on that vision.  Legislators around the world seem unaware of the difference between the projections of future utilization by interested parties and actual use of a technology.  Years of experimenting has revealed that digital signatures are poorly suited for use as a substitute for a manual signatures.  The effort to make a digital signature work like a signature has resulted in the widespread misperception of the role of signatures in the formation of binding contracts.  This confusion over appropriate uses of this technology and its contribution to contract formation has in turn led to the introduction of extraneous and unhelpful concepts into the discussion of electronic contract formation such as “non-repudiation” which only serve to obscure further the terms of the discussion.

 

The UETA is a notable exception to that trend.  In incorporates simple, rational risk allocation rules that can accommodate both the lack of a widely accepted standard today for strong authentication and the possible future development of such standards through the work of technical standard developing organization and private agreements and system rules.  While legislation is poorly suited to either describing specific applications for electronic commerce technologies or promoting market adoption of specific technologies, it is well suited to providing rational incentives to the parties capable of shaping the architecture of electronic commerce in the future. 

 

 

Appendix:  Asymmetric Cryptography, Digital Signatures and Public Key Infrastructure[52]

 

Cryptographic security techniques permit information to be shared between two remote parties by minimizing the risk that the information will be intercepted by unfriendly parties or surreptitiously modified in transit.  The communicating parties first establish a “cipher” that is used to transform a text into a secure form. The original text is called the “plaintext”; the text after cryptography has been applied is known as the “ciphertext.” 

 

The process of converting plaintext to ciphertext is a function of the encryption algorithm.  In modern cryptography, encryption algorithms are complex mathematical functions incorporated into software that combine the plaintext with a “key” to produce the ciphertext. The key is a long, seemingly random number, the size of which is measured in bits.[53] The unique value of the key causes the encryption algorithm to produce a unique ciphertext; if the plaintext is modified in any respect, the ciphertext will vary.  The better able a cryptosystem is to resist attacks, the more secure it is thought to be.  Keys in commercial encryption soft­ware use 40-bit, 48-bit, 56-bit, 64-bit, and 128-bit keys; the more bits, the stronger the encryption.[54]

 

In conventional or symmetric cryptography, the same key is used to en­crypt and decrypt the message. Asymmetric cryptography uses two different but mathematically related keys.  One key is the “public key,” which can be distributed widely without regard to confidentiality; the other is the “private key,” which must be kept confidential and carefully secured. The public key may be used to encrypt information that may only be decrypted by the private key; the private key may be used to encrypt information that may only be decrypted by the public key. Because the private key cannot be extrapolated from the public key, the public key may be widely distributed without risk to the secrecy of the private key. Encryption with a public key might be useful in sending a message to the holder of the related private key because such a message can only be decrypted and read by the person in possession of the private key. Encryption with a private key may be useful in sending a message from the holder of the private key because anyone who uses the public key to decrypt the message is reassured that it was sent by no one other than the holder of the related private key.

 

One problem with public key cryptography is that it may be more computa­tionally intensive than some forms of conventional (symmetric key) cryptography, making it impractical to use public key cryptography to encrypt large files. This drawback of public key cryptography can be solved in several ways, including the use of message digests to ensure the integrity (but not the confidentiality) of the transmitted file, and the use of conventional cryptographic session keys to encrypt the file in combination with public key cryptography to transmit the session key securely.  Message digests, or hash functions, help solve the practical problems asso­ciated with encrypting entire messages. A message digest produced using a “one-way hash function” is a unique mathematical digest of an entire data file. Identical texts run through the hash function will produce the same digest, but even the smallest change in the text will produce a different digest, altering the recipient to the fact that the integrity of the message has been compromised.  If a guarantee of message integrity rather than confidentiality of the message text is all that is required, a message digest can be an effective solution to the security problem.

 

It is also possible to combine symmetric key cryptography and asymmetric key cryptography to improve communication security while minimizing the demands made on computing resources. In order for this application to be executed, the sender must already be in pos­session of the recipient’s public key, and the recipient must already be in pos­session of the sender’s public key. The secure e-mail application of the sender of the message generates a “session key” or symmetric key for only one use, usual­ly using a well-accepted form of conventional cryptography such as DES or the Interna­tional Data Encryption Algorithm (IDEA). The e-mail application then encrypts the contents of the message with the session key before encrypting the session key with the recipient’s public key and sending both the encrypted message with the encrypted session key. The recipient uses her private key to decrypt the session key and then uses the session key to decrypt the message.

 

            A digital signature consists of using a private key to encrypt a message digest and then affixing the resulting record to the message itself.  In this sense, a digital signature is part of a message that indicates the source of the message and signifies that the message has not been altered in transit.  In order for a digital signature to function as the equivalent of a traditional manual signature, there must be a reliable, secure system that permits only the authorized signer to access the private key and affix the digital signature to a message.  As with the secure e-mail application, the sender and the recipient must have exchanged public keys prior to sending the digitally signed message. For a digi­tal signature to be affixed to a message, first the signer runs the message through the hash function to produce the message digest. The message digest is then encrypted with the signer’s private key, and the result is the digital signature which is affixed to the message. Although the text of the message is not confi­dential, it is now accompanied by a digital signature unique to the message that can be verified only with the use of the signer’s public key.

 

The verification process takes place when the recipient of the message uses the same hash function as the sender to produce a digest of the message inde­pendently. The recipient then takes the public key of the sender and decrypts the message digest from the sender. If the two match, the digital signature has been verified. If a digital signature is removed from the message it was intended to authenticate and attached to a different message, or the original message is modified in any way, then the verification will fail.

 

The reliability of any cryptographic system depends in large part on the reliability of the system for distributing keys.  Symmetric key distribution systems are difficult and expensive to manage.  For example, a simple, secure system for distributing symmetric keys is to require a face-to-face meeting between the individuals who will use a key to communicate in the future.  Reliable key distribution systems for groups with many members in different geographical locations may require travel by couriers or the use of other cumbersome or expensive secure communication systems.

 

Key distribution problems remain in systems that depend on asymmetric cryptography may be less difficult that rely exclusively on symmetric key cryptography because a public key can be widely distributed without fear of compromising the security of the private key.  Key management remains an issue with public key cryptography, however, because once the private key has been created and the related public key distributed, the owner of the private key is at risk if the security of the private key is compro­mised, because an attacker could then impersonate the true owner of the key.

 

After keys have been distributed, then their use must be managed.  Private keys must be kept secure and under the exclusive control of the person or object associated with the key and users must be notified whenever the security of a private key is compromised so that the corresponding public key is no longer be used. Systems developed to manage keys are referred to as public key infrastructures (PKIs). There are many different approaches to designing a PKI: systems that facilitate the verification of digital signatures between strangers over the Internet are usually referred to as “open PKI” solutions; systems that rely on binding in advance all the relevant parties to a digitally signed transaction with a system of contract that spell out the legal consequences of using public key cryptography or that implement a PKI in a bound community with a defined group of mem­bers are usually referred to as “closed PKI” solutions.

 

One solution to the key distribution problem that may lower the costs of maintaining the public key infrastructure is to find a trusted third party to be responsible for binding an individual with a public key.[55] One type of trusted third party is a certification authority (CA). The certification authority reviews some evidence that a particular individual is appropriately using a digital signature, and then issues a “certificate” containing a copy of the public key of the individual signed by the CA.  The individual seeking certification is known as a “subscriber.” Anyone who wishes to verify the digital signature of that individual may use the public key of the individual in the certificate. A person who uses the certificate to verify the digital signature is known as the “relying party.” A CA establishes policies that govern the circum­stances under which it issues certificates; these policies are then pub­lished in a “certification practice statement” disclosing those policies to any potential sub­scribers or relying parties.

 

In order for a certificate issues by a particular CA to be acceptable to a prospective relying party, the CA must establish its trustworthiness in some way.  That trustworthiness may depend on its reputation in traditional business transactions, or the CA may in turn be a subscriber of a higher CA, and use the certificate of the higher CA to reassure subscribers and relying parties that it is not a bogus CA. The CA at the pinnacle of the CA hierarchy is known as a “root” CA in such a system; a government might provide root CA services to reduce the possibility of rogue CAs.[56]

 

Another fundamental key management issue to be resolved is how the revocation or termination of keys should be handled once they have been widely distributed. A key owner may wish to revoke a public key if the security of the private key has been compromised, or may have a policy of retiring keys after a certain period of time has passed to reduce the probability of the key being broken in an attack. In addition, the CA may wish to cancel a certificate if it becomes aware of improprieties in its issuance or at the request of the sub­scriber. A relying party should investigate the current status of a certificate before relying on it to learn if it is still effective. A CA might provide an authorization service like that provided by credit card companies, in which a potential relying party contacts the CA before relying to learn if the certificate is still outstanding and has not been revoked for any reason. However, if the CA’s practice statement limits its review to the time of issuance, then there is no ongoing monitoring by the CA of the subscriber’s status. The CA may maintain a “certification revocation list” where notices by subscribers are posted as soon as received, and that any prospective relying party should check before verifying a digital signature.



[1] This article follows what is now a widely followed convention in electronic commerce circles by referring to a specific application of a specific technology as a "digital signature" and using the term "electronic signature" to refer to electronic authentication technologies that serve the same purpose as manuals signatures.   In this context, a digital signature refers to a transformation of a message using an asymmetric cryptosystem and a hash function such that a person having the initial message and the signer's public key can accurately determine (1) whether the transformation was created using the private key that corresponds to the signer's public key, and (2) whether the initial message has been altered since the transformation was made.  By contrast, an electronic signature may refer to  a name in the "From" header in an electronic mail message, a digitized handwritten signature such as are used by some retail electronic point of sale payment systems, or a typed electronic version of a paper-based holographic signature such as "/s/Jane Winn." Information Security Committee, American Bar Ass'n, Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce 42, 43 (1996) [hereinafter Digital Signature Guidelines].

[2] Carl Ellison and Bruce Schneier, Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, Computer Security Journal, v 16, n 1, 2000, pp. 1-7, available at http://www.counterpane.com/pki-risks.html

[3] See, e.g., Sheryl Canter, Electronic Signatures - Now it's legal to sign documents electronically, but should you?, PC Magazine, January 2, 2001 at 102 (available in Lexis News) [“The most common technology used for electronic signatures is the digital signature.”]; Leslie Brooks Suzukamo, E-Signatures Gain Force of Law, But Users Face A Learning Curve, Saint Paul Pioneer Press, October 1, 2000 (available in Lexis News) [“In its most common form, a digital  signature is, quite simply, extremely long strings of numbers and letters put together by a mathematical formula.”]; James K. Watson, Jr. and Carol Choksy, Legal status for digital signatures will mean faster commerce. InformationWeek, September 18, 2000 (available in Lexis News) [“Digital signatures can be any form of electronic seal agreed to by the two parties. The most common approach relies on digital certificates and encryption.”]; Thomas E. Crocker, Resolve State Conflicts with Federal Electronic Authentication Law, Legal Times, March 1, 1999 at S43 (available in Lexis News) [“The most widely accepted form of electronic authentication currently is based on cryptographic measures, such as digital signatures, which involve mathematical formulas.].

[4] The figure of zero Internet contracts formed in reliance on digital signatures may be accurate if pilot projects are excluded.  See, e.g., Tony Heffernan, Digital Signatures Still 3 to 5 Years Away, The American Banker, January 8, 2001 at 2A (available in Lexis News); Jamie Lewis, PKI Won’t Hit the Mainstream Until Vendors Reduce Complexity, InternetWeek, January 8, 2001 at 25 (available in Lexis News); Kelly Jackson Higgins, Public Key Infrastructures – Few and Far Between, InternetWeek Online, November 2, 2000, available at http://www.internetweek.com/lead/lead110200.htm;  Tara C. Hogan, Now that the floodgates have been opened, why haven’t banks rushed into the certification authority business?, 4 N.C. Banking Inst. 417 (2000).

[5] See generally, Jane K. Winn, Couriers without Luggage, SCLR at n150.

[6] Carl Ellison and Bruce Schneier, Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, Computer Security Journal, v 16, n 1, 2000, pp. 1-7, available at http://www.counterpane.com/pki-risks.html; Roger Clarke, Conventional Public Key Infrastructure:  An Artefact Ill-Fitted to the Needs of Information Security, November 13, 2000 available at http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html; M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis, "The Role of Trust Management in Distributed Systems Security." Chapter in Secure Internet Programming: Security Issues for Mobile and Distributed Objects, (Vitek and Jensen, eds.) Springer-Verlag, 1999 available at http://www.crypto.com/papers/trustmgt.pdf; Dan Geer, Risk Management is Where the Money Is, available at http://www.atstake.com/security/risk_management.pdf.

[7] Luddites were weavers whose trade was being destroyed by mechanized textile mills in England in the late 18th century.  Luddites understood the technology they opposed, but tried to destroy it as an act of political protest at the impact it was having on their livelihood.  See “Luddites,” Encyclopedia Brittanica Online, http://www.britannica.com/bcom/eb/article/0/0,5716,50450+1+49263,00.html?query=luddite

[8] See, e.g., Tony Heffernan, Digital Signatures Still 3 to 5 Years Away, The American Banker, January 8, 2001 at 2A (available in Lexis News); Jamie Lewis, PKI Won’t Hit the Mainstream Until Vendors Reduce Complexity, InternetWeek, January 8, 2001 at 25 (available in Lexis News); Kelly Jackson Higgins, Public Key Infrastructures – Few and Far Between, InternetWeek Online, November 2, 2000, available at http://www.internetweek.com/lead/lead110200.htm;  Tara C. Hogan, Now that the floodgates have been opened, why haven’t banks rushed into the certification authority business?, 4 N.C. Banking Inst. 417 (2000).

[9] A search of the “wires” database in Lexis Nexis on February 5, 2001 for stories that included a reference to digital signature, pilot and success or succeed turned up more than 60 press releases issued between 1995 and 2001.

[10] See the sources cited in Roger Clarke, Conventional Public Key Infrastructure:  An Artefact Ill-Fitted to the Needs of Information Security, November 13, 2000 available at http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html

[11] See appendix for a discussion of the difference between conventional cryptography, which depends on the use of two identical or "symmetric" keys, and public key, or asymmetric key, cryptography, which depends on the use of two separate but related keys.

[12] Simson Garfinkel, PGP: Pretty Good Privacy 49 (1995).

[13] Id.

[14]In this article, the term "public key infrastructure" is used to mean any system for regulating the distribution of public keys in a networked environment.  The term is often associated with specific designs for distributing public keys, such as the system described in the ABA Digital Signature Guidelines (Information Security Committee, Section of Science and Technology, American Bar Association, Digital Signature Guidelines (1996)).  However, the idea of a "web of trust" associated with the use of Pretty Good Privacy (PGP) encryption program might also be described as a "public key infrastructure" since PGP is based on asymmetric cryptography.  See Simson Garfinkel, PGP: Pretty Good Privacy 213 (1995) for a description of PGP and the web of trust.

[15]Joan Feigenbaum, Towards an Infrastructure for Authorization, Position Paper, 3rd USENIX Workshop on Electronic Commerce (September 1998).

[16]Whitfield Diffe and Martin Hellman, ANew Directions in Cryptography,@ IEEE Transactions on Information Theory, IT-22 (1976), cited in Feigenbaum.

[17]Loren M.  Kohnfelder, Towards a Practical Public-Key Cryptosystem, B.S. thesis supervised by Len Adelman, May 1978 (cited in Rohit Khare and Adam Rifkin, Weaving a Web of Trust, v.  1.126, November 30, 1997 at http://www.cs.caltech.edu/~adam/local/trust.html, fn.  37).

[18] Cross reference sources cited in intro

[19] Jane K. Winn, Open Systems, Free Markets, Tulane L. Rev.

[20] Cross reference sources cited in intro

[21]. Information Security Committee, Section of Science & Technology American Bar Association, Digital Signature:  Legal Infrastructure for Certification Authorities and Secure Electronic 18 (1996)  The ITU X.500 series of technical standards provides the basis for constructing a multipurpose distributed directory service by interconnecting computer systems belonging to service providers, governments, and private organizations, on a potentially global scale. Warick Ford & Michael Baum, Secure Electronic Commerce:  Building the Infra Structure for Digital Signatures and Encryption 213 (1997).

[22] It is not clear that the X.509 standard works for telephone directories, but that issue is beyond the scope of this paper.

[23] Carl Ellison, What do you need to know about the person with whom you are doing business?’ 1997 testimony to the US House of Representatives Science and Technology Subcommittee, October 28, 1997 Hearing, available at http://world.std.com/~cme/html/congress1.html

[24]International Telecommunication Union ITU-T X.509 Recommendation  (06/97) Data Networks and Open System Communications Directory; Information Technology – Open Systems Interconnection – The Directory:  Authentication Framework.

[25] Restatement (Second) of Contracts §134.

[26] Restatement (Second) of Contracts §134, comment 1.

[27] Winn and Wright (4th edition, 2000), chapter 5 on statute of frauds

[28] See Winn, Open Systems, Free Markets for a survey of what law could be found.

[29] J. H. Baker, An Introduction to English Legal History, 3rd ed. (1990) at 360.

[30]Frederick G. Kempin, Jr. Historical Introduction to Anglo-American Law, 3rd ed. (1990) at 215. This formalism is similar to that of many “digital signature” statutes which create a “presumption” that a signature is that of the owner of the private key that created it.  While a presumption is not the same as a liability rule, the lack of any reliable system for demonstrating who had access to a private cryptographic key at any particular time makes such a presumption tantamount to a liability rule.  See Jane Winn & Carl Ellison, comment to FTC available at http://www.ftc.gov/bcp/icpw/comments/revwin~1.htm.

[31] Id at 374.

[32] Humber Ferry Case of 1348, Baker at 375.

[33] Even a recent account that attempted neutrality on the question of technological successors to manual signatures on paper would nevertheless be biased by the context of the discussion, namely, identifying what necessary functions manual signatures served in contract practices that could now be served better by electronic equivalents to manual signatures.  See, e.g, Winn, Open Systems

[34] Ian Macneil, relational contracts article, Northwestern ULR

[35] For example, a bank customer service representative might ask a bank customer to identify the last three deposits into an account before disclosing sensitive information over the phone.

[36] Illustrative Opinion, contained in Legal Opinions to Third Parties:  An Easier Path, 34 The Business Lawyer 1891 (1979) at 1925. Paragraph 4 of the illustrative opinion letter states in full:  “The Agreement is a legal, valid and binding obligation of the Corporation and is enforceable against the Corporation in accordance with the terms of the Agreement, except as may be limited by bankruptcy, insolvency, or other similar laws affecting the enforcement of creditors’ rights in general.  The enforceability of the Corporation’s obligations under the Agreement is subject to general principles of equity (regardless of whether such enforceability is considered in a proceeding in equity or at law.)”

[37] Ford & Baum at 227.

[38] The X.509 v.3 standard ¶ 12.2.2.3 defines “key usage fields;” one of which is a space for the “non-repudiation” bit.  This bit can be used “[f]or verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action…”  ITU-T Recommendation X.509 ¶ 12.2.2.3 (August 1997)

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46] Carl Ellison and Bruce Schneier, Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, Computer Security Journal, v 16, n 1, 2000, pp. 1-7, available at http://www.counterpane.com/pki-risks.html

[47] E.g., “Refined Standards, New Concepts Taking Shape,” eWeek, December 4, 2000 at 103 (available in Lexis News) (“A code-breaking scheme that takes only 1 second to defeat today's DES [Digital Encryption Standard] would need 149 trillion years to crack a 128-bit implementation of the forthcoming AES [Advanced Encryption Standard.”); cf. Bruce Schneier, Security Pitfalls in Cryptography, http://www.counterpane.com/pitfalls.html (“Magazine articles like to describe cryptography products in terms of algorithms and key length. Algorithms make good sound bites: they can be explained in a few words and they're easy to compare with one another. "128-bit keys mean good security." "Triple-DES means good security." "40-bit keys mean weak security." "2048-bit RSA is better than 1024-bit RSA." But reality isn't that simple. Longer keys don't always mean more security.”)

[48]For a more detailed explanation of this process, see Simson Garfinkel, Web Security and Commerce (1997).

[49]In fact, several public key certificates are included in the initial installation of recent re­leases of Netscape’s browser. These certificates can be viewed by choosing Security Preferences from the Options pull-down menu in any recent release of Netscape Navigator.

[50] Cited in Alice M. Batchelder, Some Brief Reflections of a Circuit Judge, 54 Ohio St. L. J. 1453 (1993).

[51] The work of the ANSI X.9 committee is available from its web site at http://www.x9.org/  The ANSI Web store includes a list of standards used in financial services industry, including many based on encryption technologies.  See http://webstore.ansi.org/ansidocstore/dept.asp?dept_id=80

[52] The following discussion is based on Jane K. Winn and Benjamin Wright, The Law of Electronic Commerce (4th ed. 2001) §  1.04.

[53]The basic unit of information in programming is a bit, or binary digit. Because computer circuits recognize two levels in electronic current, these two levels of current form the basic binary on/off or 0/1 switches used to communicate data in a digital format. A bit is one unit of information. A byte comprises eight bits. Volumes of digital data are measured in bytes, as in kilobytes (KB), which consist of 1024 bytes, or megabytes (MB), which consist of 1,048,576 bytes.

[54]Responding to a $1,000 challenge from RSA Data Security, a 23-year-old U.C. Berkeley graduate, Ian Goldberg, broke a 40-bit key—the most secure data encryption the US government allows for export—in 3½ hours. There are a trillion possible combinations for a 40-bit key. Goldberg broke it by linking 250 workstations and programming them to run all possible combinations at a rate of 100 billion per hour. Sharon Machlis, RSA Stunt Shows Up Encryption Weakness, Computer World, February 3, 1997. In June 1997, responding to a $10,000 challenge from RSA Data Security, a loosely organized group of 14,000 volunteers managed to break a 56-bit key after five months of work. The group distributed code-breaking software over the Internet and used idle computers around the world to perform the calculations, with the key being found after trying about a quarter of the 72 quadrillion possibilities. Lynda Radosevich, Hackers Prove 56‑bit DES Is Not Enough, Infoworld, June 30, 1997. RSA Data Security used the fact that the 40- and 56-bit keys could be broken in its efforts to block legislation introduced in Congress to require regulation of encryption using 56-bit or stronger keys, and to encourage the Commerce Department to relax export restric­tions on stronger forms of encryption.

[55]Other solutions include the “web of trust” used in the Pretty Good Privacy system of digital signatures. Individual indicate their trust in the public keys of other individuals by “certifying” them with their own digital signatures; the PGP program reviews the digital signatures that certify the validity of a new public key to determine if it has been signed by someone the recipient trusts. See Simson Garfinkel, PGP: Pretty Good Privacy 235 (1995).

[56]For a summary of recent legislation on electronic commerce, including the attempts by sev­eral states to set up CA licensing procedures, see Chapter 14.