[CPSR Home Page] | [CPSR Newsletter Index] | [Fall 1995 Issue--Table of Contents ]

Digital Signature Legislation: Flawed Efforts Will Hurt Consumers and Impede Development of a "Public Key Infrastructure"

by C. Bradford Biddle
Privacy Rights Clearinghouse/ Center for Public Interest Law

CPSR News Volume 13, Number 3: Fall 1995

Public key cryptography, an encryption method employing two paired keys, one of which is private and the other public, promises to change this state of affairs. Using public key cryptography, one Internet user can send another an electronic message that is completely private, guaranteed authentic and nonrepudiable, and invulnerable to alteration. Public key cryptography conceivably will allow private individuals, businesses, and government routinely to conduct secure financial and legal affairs over the Internet.

Daunting technical, political, and legal obstacles stand in the way of this vision, however. On the legal front, several states have introduced legislation to address some questions regarding the development of a "public key infrastructure." Utah's Digital Signature Act was enacted in March of this year. Identical bills have been introduced in Washington, Oregon, and California (the Washington and Oregon bills are currently stalled in committee; the California bill has been drastically altered by amendments). The authors of the Utah legislation are directing efforts to develop model digital signature legislation that could be adopted by every state.

The legislative approach of the Utah legislation and its progeny has been dubbed the "Utah Strategy" by one commentator. That term will be adopted here as well.

These legislative efforts deserve scrutiny. Legislation can be effective in promoting the development of a public key infrastructure. In its current form, however, legislation embodying the Utah Strategy is harmful to important public interests. The Utah Strategy is flawed for at least five different reasons:

1. Its liability limitations protect the incipient digital signature industry to the detriment of consumers.
2. It fails to protect users' personal privacy.
3. It fails to articulate critical issues concerning standards.
4. It offers a confusing vision of private and public sector interaction.
5. It puts unacceptable limits on entry into an emerging market.

This article provides a brief overview of public key cryptography and digital signatures, followed by a summary of the major provisions of the Utah Digital Signatures Act. It then describes each of five problems with the Utah Strategy, the approach that is currently driving the development of digital signature legislation nationally.

Cryptography
Encryption involves scrambling data into a form that is unreadable by anyone except the intended recipient. One form of encryption is secret key cryptography. It is based on two components: an algorithm and a key. The algorithm is a mathematical formula that describes the scrambling technique. The key is a piece of information (often a large random number) fed to the algorithm to select the exact scrambling pattern. The central idea is that the same algorithm can be known and used by everyone, but knowledge of the keys is carefully controlled to prevent unauthorized unscrambling of encrypted data. An example, using the standard cryptographic players, Alice (sender), Bob (receiver), and Eve (the would-be eavesdropper), may be instructive.

Alice wants to send a message to Bob that only Bob can read. Alice encrypts the message using an algorithm and a key. If Eve intercepts the message, she cannot read it. Even if Eve knows which algorithm was used to encrypt the message, she does not have the key. Bob does have the key. He uses the key together with the algorithm to decrypt the message and read it. Note that Alice and Bob both use the same secret key to encrypt and decrypt the message. DES, a widely used and highly secure form of encryption, and Skipjack, a key-escrow mechanism that forms the basis of the highly controversial Clipper Chip, are both examples of secret key encryption.

An alternative approach to secret key cryptography is public key cryptography. This method uses two different keys, one for encryption and one for decryption. They come in pairs; data encrypted using one key of the pair can be decrypted only by using the other key of the pair.

Alice and Bob might use public key cryptography in the following way. Bob will have generated a key pair: a "public key" and a "private key." He will make his public key widely available. He will keep his private key secret. When Alice wants to send Bob an encrypted message, she will locate his public key (from a publicly accessible database, for example). She will encrypt the message using his public key, and send it to him. When Bob receives the message, he will decrypt the message using his private key.

Only Bob's private key will decrypt Alice's message. Thus, although Bob's public key is also available to Eve, the would-be eavesdropper, if she intercepts Alice's message to Bob, she will not be able to read it. Even Alice cannot decrypt her message once it is encrypted with Bob's public key. RSA, the leading public key algorithm, and DSA, a public key algorithm developed by the National Security Administration, are two examples of public key cryptography.

Digital Signatures
Digital signatures are an application of public key cryptography. Public key cryptographic algorithms and another type of algorithm called a "one-way hash function" can be combined to ensure that electronic messages can be "signed" in a way that guarantees authenticity and message integrity.

Authentication is achieved by reversing the roles of public and private keys. For example, Alice could encrypt and time stamp a message to Bob using Alice's private key. When Bob received the message, he could locate Alice's public key and use it to decrypt the message. If Eve intercepted the message, she could decrypt it as well, since Alice's public key is widely available. But, since no one else has Alice's private key, no one else could have encrypted the message, which authenticates its origin.

A one-way hash function is used to take a message of any length and create a short, fixed-length "hash" unique to that message, called a message digest. Each time a message is run through the one-way hash algorithm it will result in the same value, and no two distinct messages will return the same value. Alice creates a digital signature by encrypting the message digest of a particular message with her private key. When Bob receives the message, he uses a one-way hash algorithm to determine what the hash value of the message should be. He then decrypts Alice's digital signature using Alice's public key. If the hash value in Alice's decrypted digital signature matches the hash value that Bob calculated from the message on his own, then Bob knows that the message is indeed from Alice and has not been altered.

Certificates and Certification Authorities
Unfortunately, encryption ignores an immense and fundamental problem for public key cryptography: sender identification. Alice may not have sent the message at all. Instead, Eve may have generated a public/private key pair, and entered her public key in a public database under the name Alice.

Certificates are digital documents that attest to the connection of a public key to an individual (or other entity). Certificates help prevent someone from using a phony key to impersonate someone else. They are issued by a hierarchy of certification authorities, which results in a chain of authority traceable back to the top level. To prove her identify, when Alice sends a message to Bob, she can include this chain of certificates in the message. Bob can check each certificate in the chain against its digital signature to make sure that none of them has been forged. Thus Bob can be assured that Alice's certification authority has verified Alice's true identity, and that the certification authority itself is trusted by the top-level certifying authority.

In practice, in any large-scale system using public key cryptography, some private keys will become compromised. Therefore, there must be some mechanism to prevent people from relying on a public key/private key pair that has been compromised. Such a mechanism involves maintaining a list of revoked certificates, generally called the certificate revocation list.

The Utah Digital Signatures Act
The Utah Digital Signatures Act regulates how digital signatures are to be used in that state. More importantly, it has become the standard for digital signature acts in other states. This act contains a number of provisions. It requires that a state government agency license and regulate companies and individuals who act as certification authorities. Essentially, certification authorities verify the identity of a subscriber to their service, create a certificate which includes the subscriber's public encryption key and other information, and then make that subscriber's certificate available in an online database called a repository. Utah's bill requires that a government agency act as a centralized repository. The bill defines the duties of subscribers, certification authorities, and repositories. It also defines the legal status of digital signatures under certain circumstances.

The bill contains five parts. Part I states that the bill "should be construed liberally" to serve the following purposes: minimize the incidences of forged digital signatures, enable and foster the verification of digital signatures on computer-based documents, and facilitate commerce by means of computerized communications. Part I also details exactly what information is required to be in a subscriber's certificate, including the subscriber's name, "distinguished name" (email address), public key, expiration date, and "recommended reliance limit," as well as other information.

Part 111 of the bill concerns the licensing and regulation of certification authorities. The legislation does not require certification authorities to be licensed. However, the state can recognize only digital signatures obtained through a licensed certification authority and presumptions about the validity of signatures apply only to those that use a licensed certification authority. Only attorneys, financial institutions, title and escrow companies, and public entities can act as certification authorities.

Part 111 of the bill describes the duties imposed on the certification authority and on the subscriber. The private key is decreed to be the property of the subscriber, and the subscriber assumes a duty of reasonable care to guard access to and use of the key. Part 111 also details some liability rules.

The fourth part of the bill creates certain presumptions about digital signatures that use the certificate of a licensed certification authority. This section also creates a presumption of validity for certain digital time-stamps. The section details limited circumstances under which these presumptions can be rebutted. In addition, Part IV contains an odd provision which declares that "a digital signature that would make a negotiable instrument payable to bearer void, unless the digital signature effectuates either a funds transfer or a transaction between banks or other financial institutions." The purpose of this provision is unclear. It may affect certain "digital cash" initiatives, some of which use public key encryption to create electronic "'tokens" that can be traded anonymously over a computer network.

Part V requires, among other things, that a government agency act as a certification authority and a repository. Part V also allows the agency to recognize other repositories that meet certain standards.

Problems with the "Utah Strategy"
The Utah Strategy has some problems with respect to liability limitations, privacy, standards, public and private sector interaction, and limits on market entry.

Liability Limitations
Sorting out the rights and responsibilities of digital signature users is a useful function that legislation can perform. The Utah Strategy shifts too much liability to the subscriber, however, and fails to impose the proper liability on the certification authority and on the repository.

Liability is a complex issue, and all its possible manifestations regarding the use of digital signatures will not be raised here. By way of example, however, let us consider two scenarios.

In the first scenario, assume that Eve has procured a certificate from a certification authority posing as Alice.

Bob entered into a transaction with '"Alice," and has taken a loss. Eve disappears with her ill-gotten gains. Bob will want to recover his loss from the certification authority. After all, it was required to check "Alice's" identity. Interestingly, the Utah Digital Signatures Act does not explicitly define the certification authority's responsibilities under this scenario. Bob might be able to recover his loss under the theory of negligent misrepresentation. This strategy requires Bob to prove that the certification authority was negligent in failing to correctly confirm "Alice's'' identity. The certification authority, of course, will claim that it did everything realistically possible to confirm identity, and thus was not negligent. Each time a similar situation arises, the question of whether the certification authority was negligent must be litigated.

The Act defines limits on the certification authority's liability to Bob. First, Bob can recover only up to the "recommended reliance limit" on the fraudulent certificate. This limit, set by the certification authority, represents the amount of risk it is willing to assume in the transaction. Whereas this limitation is sensible, a second way in which Bob can be prevented from recovering his full loss is not. The certification authority's liability in any one year is limited to a "suitable guarantee." This guarantee, which usually takes the form of a surety bond, is generally set at 35 percent of the certification authority's total recommended reliance limits. So Bob's ability to recover may be limited by activities of the certification authority over which Bob has no control or even knowledge.

If Eve managed to perpetrate widespread fraud using the certificate she procured from the certification authority, the victims of her fraud would bear the bulk of their loss, even if the certification authority had been negligent in ascertaining Eve's identity. If the private key was compromised, for example, by a disgruntled or incompetent certification authority employee, then this type of widespread fraud could be easily accomplished.

Certification authorities are in the best position to guard against these problems. They can implement stringent identification requirements; they can guard their private key vigilantly. Moreover, the certification authority is in a position to obtain insurance against this type of loss. But, under the Utah Strategy, certification authorities do not have adequate incentive to take these actions. They would not implement costly safety procedures if the cost of the measures was greater than the amount of their "suitable guarantee." The cumulative loss to society if a certification authority's private key were compromised, for example, could be immense. But because certification authorities would not have to bear the brunt of the loss, they would not have the incentive to take costly precautions. Thus, the Utah Strategy allows the certification authorities to externalize the costs of their negligence.

Now let's look at a second scenario. Imagine that Alice negligently loses control of her private key. Eve obtains control of it, and uses it to perpetrate $10,000 in fraud before Alice discovers that her key has been compromised and revokes it. Documents signed with a digital signature are presumed valid and binding unless it can be shown that the rightful holder of the private key lost exclusive control of it ,without violating the duty of reasonable care imposed by the Act. Alice was negligent, having violated the duty of reasonable care. Thus, any documents signed with Alice's key are presumed valid, and Alice must bear the $10,000 loss.

It's useful to compare this scenario with an analogous situation involving a credit card. Imagine that Alice negligently lost control of her credit card, and Eve used that credit card to perpetrate $10,000 worth of fraud before Alice discovered her card was missing and reported it. Under the Electronic Fund Transfer Act (EFTA), Alice would be strictly liable for $50 of the loss; she would not be liable for the balance.

Alice's credit card company would bear the bulk of the loss in this situation. Of course, the company would eventually pass along the costs of that loss to other card holders in the form of higher interest rates and fees. However, Alice's fellow card holders share a benefit from this arrangement. They can use credit cards routinely, and not have to be concerned with suffering any sudden, drastic financial losses. Moreover, this arrangement forces credit card companies to implement card approval systems that reduce the likelihood of fraud. Card companies that do so more effectively gain a competitive advantage.

In contrast, under the Utah Digital Signatures Act, consumers who hold private keys subject themselves to an extraordinary amount of risk. Imposing this level of risk on consumers is contrary to the policies embodied in the EFTA. Furthermore, imposing this sort of risk on consumers is likely to retard the development of a public key infrastructure. People will not participate in a system that subjects them to the risk of devastating financial losses. A more sensible policy would be for certification authorities to bear the risk of loss, and to spread the costs of insuring against this sort of loss among all users of the public key infrastructure. Consumers could undertake some risk in order to ensure that care is taken to protect private keys, but they should not face unlimited liability.

Again, these examples do not demonstrate all the possible ramifications of the liability limitations set forth in the Act. The examples do, however, demonstrate that the Act's liability limitations which protect certification authorities both disadvantage the consumer using the system and impede the development of an effective public key infrastructure.

Privacy
A subscriber's certificate is normally published in a recognized repository, the government agency's database, and possibly other databases. The subscriber can choose to not publish his or her certificate. If a certificate is not published, however, none of the presumptions concerning the effect of a digital signature apply. Thus, in order to achieve any of the benefits of participating in the public key infrastructure created by the Act, one must publish one's certificate in a recognized repository.

Let's consider the government agency's repository. It is a database containing the name, "distinguished name," and "recommended reliance limit" (RRL) of potentially every citizen. The RRL is a good indicator of a person's financial worth. The "distinguished name" is the person's email address. This database is a gold mine for direct marketers. Nothing in the Act would prevent marketers from using this database for "junk" emailings or other marketing purposes.

If the distinguished name is entered using the ITU X.509 standard for email, there could be other problems as well. X.509 addresses can use geographic location to establish a unique name. So, for example, a stalker could connect to the government repository, search for his would-be victim's name, and then determine the victim's geographic location from the distinguished name. And, of course, if the certification authority required that physical addresses be published in certificates, locating a public key holder would be simple.

The certificates could contain other personal information as well. Certification authorities are required to request identification documents from the subscriber. Could they require a social security number? Fingerprints'? A retinal scan'? A DNA sample? Could the certification authority publish a subscriber's social security number in a certificate? Or other information? The Act is silent on these issues. Privacy protections need to be built into the legislation.

Additionally, it's important to consider the ramifications of the fact that the government acts as both a certification authority and a repository. Certification authorities must keep records supporting the identity of each subscriber. When the government keeps these records, are they subject to state public records act requests'? (See Connors article, this issue.)

Standards
The Utah Strategy empowers a government agency to make decisions by administrative rule that will have a profound effect on the nature of the developing public key infrastructure. Whether the infrastructure will support true confidentiality as well as authenticity (unbreakable encryption as well as digital signatures) is a fundamental policy decision. For example, a public key system based on the National Security Administration's Digital Signature Standard (DSS), which does not support encryption, could be used only for authentication, while a system that used Skipjack would be available to law enforcement authorities and thus would not be truly confidential.

The drafters of the Utah legislation undoubtedly avoided this dicey question on purpose. The political controversy surrounding the issue is explosive. Nonetheless, it must be addressed. Confidentiality and authenticity are both problems when using an open network like the Internet. To expend the vast resources necessary to develop a key infrastructure to solve only one of these problems would be foolish. This fundamental policy issue should be explicitly addressed in any legislation concerning public key cryptography.

Public and Private Sector Interaction
The Utah Strategy projects a government-run database of certificates and certification revocation lists. It also assumes that the government will operate a digital time-stamping service. Apparently there would be other private sector databases providing essentially the same services. It is not clear how the public and private sectors would interact. Would they compete? Should the government be involved in providing these services at all, if a private market can develop? Conversely, if the government is the appropriate entity to provide these services, is a private market necessary or useful?

The Utah Strategy does not address the issue of access, other than to say the government is empowered to charge fees that can be determined by administrative rule. Yet the issue of access is one of basic public policy. Public key cryptography promises to serve as the tool that will make electronic commerce a routine part of life. If the state is going to take a leading role in creating the public key infrastructure that makes it possible to fulfill this vision, then the state should also address the consequent questions of public policy: who will have access to the infrastructure, and what will it cost?

Limits on Market Entry
Only attorneys, financial institutions, title and escrow companies, and public entities can act as certification authorities under the Utah Digital Signatures Act. This restriction is incompatible with the vision of a vibrant competitive market of certification authorities. Oligopolies rarely serve consumers well.

Conclusion
A public key infrastructure will develop. Indeed, it is already developing: private companies are serving as certification authorities for other companies; PGP users are serving as certification authorities for other PGP users; federal government agencies (such as the U.S. Postal Service) are jockeying for a role as a top-level certification authority. Effective legislation can help this process; poor legislation can hinder it.

The American Bar Association's Information Security Committee is in the process of creating model digital signature legislation. A uniform law that could be adopted by every state, akin to the Uniform Commercial Code, would serve to avoid patchwork laws and jurisdictional difficulties. However, the authors of Utah's Act are directing the effort to draft this model legislation. Hence, the legislation that emerges may share the Utah Strategy's problems.

As it currently stands, the Utah Strategy is flawed. It fails to set out the rights and responsibilities of digital signature users in a way that sufficiently protects important public interests. The problems with the Utah Strategy, though significant, are correctable. Liability limitations need to be revisited, privacy protections must be implemented, certain minimum algorithmic standards should be articulated, the role of the private sector needs to be clarified, and fundamental public policy questions must be answered. If amended in this fashion, the Utah Strategy could serve as a framework for the development of an effective and useful public key infrastructure.

Brad Biddle as a legal intern at the Privacy Rights Clearinghouse and a law student at the University of San Diego School of Law He can be contacted via e-mail at biddle@acusd.edu, at by e-mail at biddle@acusd.edu, at by phone at 619-298-3396.

[Previous Article] | [Table of Contents] | [Next Article]

© Computer Professionals for Social Responsibility
P.O. Box 717 Palo Alto, CA 94302-0717
Tel. (415) 322-3778 Fax (415) 322-3798 webmaster@cpsr.org