Testimony of:

Stewart A. Baker

Steptoe & Johnson llp

Before the House Committee on
Science Subcommittee on Technology

October 28, 1997


Madam Chairwoman and members of the Subcommittee, thank you for the opportunity to testify before you today on the subject of digital signatures.

Governments around the world are embracing digital signatures. Everybody loves this technology.

Oddly, that's the biggest obstacle it faces. Digital signature technology may be loved to death before it ever gets to really take off.

The Technology

Public key cryptography was first described publicly in 1975. In essence, it relies on the difficulty of reversing certain mathematical functions. For example, multiplying to find a product is easy; factoring to find the numbers that were originally multiplied together is hard. With big enough numbers, I can even keep one number private and publish the other -- without any fear that the private number can be guessed by an adversary. Then, everyone in the world can look up my public number and use it to encrypt a message that only I can read. That's the part of the public-key revolution that gives NSA and the FBI nightmares.

But the flip side of that process is just as intriguing -- and may yet become the predominant use of public key technology. If I encrypt a message with my private key, anyone in the world can decrypt it using my public key. That's no way to keep secrets, but it's a great way to tell the world that I and I alone could have sent the message. Since I'm the only one in the world who knows what my private key is, no one else could have written a message that can be decrypted using my public key.

It doesn't take a genius to see how useful this technology could be in cyberspace. It allows us to put highly sensitive material on a network, then restrict access to all except those who can be authenticated through the use of digital signatures. What's more, with only a modest infrastructure, strangers can do business with strangers all across the globe, using a few digital signatures to establish their bona fides.

What's needed to make this scenario come true is a "trust infrastructure." In the simplest case, suppose a bank issues digital signatures to every one of its customers that has maintained a $10,000 checking balance over the past year. If I want to do business online with another customer of the bank and he sends me a copy of his bank-issued digital signature, I can be pretty sure his $5,000 offer is good.

As a practical matter, the bank will probably certify a public-private key pair for each of its customers, then tell them to store the private key somewhere safe (a 3.5-inch floppy would be good; a chip card would be better). The bank could publish the public key (as well as its own) on the Internet and elsewhere. However, since they won't want to identify their clients as targets for scams or worse, it's more likely that the bank will privately issue a certificate, saying "As of October 1, the holder of this private key has maintained a $10,000 checking balance for the past year, signed, His Bank." Of course, a certificate like this isn't the same as a credit guarantee, but it does tell people who receive it that they are dealing with someone who probably has the assets and stability to enter into a binding transaction. At least that's what it tells them if they know the bank's public key and trust the bank to tell the truth.

Why the technology requires new legal rules

The efficiencies and security that this system allows are tremendously exciting, but there are a few problems. First, suppose the customer is sloppy about the security of his private key. He writes the password to his smart card on the card and then leaves the card in the washroom. Now anyone who has the card can use his identity -- and his credit. To deal with that problem, the bank needs to maintain an easily accessible list of stolen or compromised public-private key pairs. This is known as a Certificate Revocation List (CRL). And to make the system work, anyone who relies on digital signatures should check the CRL.
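The bank scenario above, carried through in code as an added example that is not part of the testimony: textbook RSA over constructed Mersenne-prime keys stands in for a real signature scheme, the bank's certificate and the customer's $5,000 offer are constructed sample data, and the relying party's check shows why skipping the CRL is what gets someone burned.

```python
import hashlib
import json

# Added illustration, not the testimony's code: textbook RSA with constructed
# Mersenne-prime keys, only to show sign/verify and the CRL check from the text.
E = 65537

def make_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    # Hash first, then reduce modulo n so the value lies in the RSA range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)           # "encrypt with the private key"

def verify(public_key, data, sig):
    n, e = public_key
    return pow(sig, e, n) == digest(data, n)    # "decrypt with the public key"

def encode(obj):
    return json.dumps(obj, sort_keys=True).encode()

# Constructed keys for the bank (certifying authority) and one customer (keyholder).
BANK_PUB, BANK_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
CUST_PUB, CUST_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

# The bank's private certificate from the text, bound to the customer's public key.
CERT = {"serial": 4711, "as_of": "1997-10-01", "holder_pub": list(CUST_PUB),
        "statement": "holder has maintained a $10,000 checking balance for the past year"}
CERT_SIG = sign(BANK_PRIV, encode(CERT))

def accept_offer(offer, offer_sig, cert, cert_sig, crl, check_crl=True):
    """Relying party's decision; crl is the bank's set of revoked certificate serials."""
    if not verify(BANK_PUB, encode(cert), cert_sig):     # is this really the bank's word?
        return False
    if check_crl and cert["serial"] in crl:              # reported stolen or compromised?
        return False
    return verify(tuple(cert["holder_pub"]), encode(offer), offer_sig)  # keyholder signed it?

def demo():
    offer = {"to": "seller", "amount_usd": 5000, "item": "used car"}
    offer_sig = sign(CUST_PRIV, encode(offer))
    crl = set()
    before = accept_offer(offer, offer_sig, CERT, CERT_SIG, crl)
    crl.add(CERT["serial"])         # card left in the washroom; bank revokes the certificate
    careful = accept_offer(offer, offer_sig, CERT, CERT_SIG, crl)
    sloppy = accept_offer(offer, offer_sig, CERT, CERT_SIG, crl, check_crl=False)
    return before, careful, sloppy  # (True, False, True): skipping the CRL is what gets you burned
```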

But this is the real world. Some people won't check the CRL. They'll get burned. They'll blame the bank, because it has the most money to pay damages. They'll sue. (Thank God, a role for lawyers after the digital revolution!)

Without a law on digital signatures and certificates, no one knows how such a suit will come out. The bank can write a contract with the customer, demanding that he be careful with his private key, perhaps even making him liable for his negligence. But consumer groups would oppose enforcement of such contracts (digital signature buffs call this the "Grandma picks a bad password and loses her house" problem). Even worse from the bank's point of view, it doesn't have a contract with the guy who got burned by the compromised signature. He's just an innocent third party who lost money -- by relying on the word of the bank, his lawyer will say.

Without more legal certainty about how to protect themselves (or how much insurance to buy), companies with deep pockets will not want to take that risk. They'll stay out of the business of issuing digital signatures and digital certificates for such transactions. In fact, for a decade or more, that's pretty much been the story: Cool math confronts corporate legal department; cool math loses.

How digital signatures are actually being implemented today

But the technology is too good to be locked up by lawyers forever. Companies that wanted to use digital signature technologies began looking for places where this open-ended liability wasn't a big problem. They found at least two.

1. Low-grade certificates. First, they offered certificates with sweeping disclaimers of liability and/or very limited warranties. These certificates aren't much good for high-value transactions, but they can be used in a lot of circumstances where even a no-liability signature is better than no signature at all.

Millions of low-grade, liability-free or limited-warranty certificates are already in circulation. The SSL encryption that everyone uses for secure Web connections relies in part on digital signatures to identify the server and the browser to each other. No one really guarantees the server's public key, but if it's the same one every time I log on, I can be pretty sure that I am dealing with the same server, belonging to the same store, rather than to an online con artist. Other Internet-based "cheap" certificates include the "authenticode" certificates used to identify the authors of Java-like ActiveX programs. The certificates offer a modest, but better-than-nothing, security precaution for Internet users who are understandably reluctant to let code written by strangers gain access to their computer's operating system.

2. Closed system certificates. Second, some digital signature proponents have begun creating their own law, by contract. Any group of companies or individuals that does business in accordance with one or more agreements setting forth the liability and other rules that govern their relationships can, in those agreements, create a self-contained set of rules to cover digital signatures. IBM, for example, can issue digital identity certificates to all its employees; it can say that they are good for email attribution and for petty cash requests but not for private transactions unrelated to work -- or whatever rules it is comfortable with. Or, Visa and Mastercard can build (and in fact have built) digital signatures into a Secure Electronic Transaction protocol (SET) that is already being implemented in over 20 countries.

Lawyers to the rescue?

While all this was going on, the lawyers themselves began to look for legislative solutions. A committee of the American Bar Association led by Michael Baum (now the top lawyer at Verisign) designed comprehensive Digital Signature Guidelines to deal with the new legal issues arising from digital signatures. While that work was underway, the state of Utah took the plunge, enacting a variant of the ABA draft guidelines. Within three years, more than forty state legislatures were contemplating digital signature laws. So were numerous countries; indeed, by the fall of 1997 Germany, Malaysia, and Italy already had their own laws, and many more bills were in legislative hoppers around the world.

This should be good news -- lawyers and lawmakers working together to solve a legal problem and enable the birth of a new technology. But it's not.

As we'll see, it is posing a growing threat to the burgeoning use of low-value certificates and closed certificate systems.

Digital signature laws are often sold to legislators as a way to bring written signature requirements into the computer age. An image is conjured up of computer signatures being rejected by courts insisting on something executed with a quill pen. This is an overstated problem, at least in the United States and for most commercial transactions. Courts have been treating printed telegrams as "signed" documents for a century. There's nothing about a digital signature that makes it a harder legal problem than telegrams -- or telexes, or typed letters, or faxed signatures, or a dozen other ways in which real-world commercial actors have lawfully "signed" contracts over the last century.

What digital signatures need -- uniquely -- from the law is certainty about the obligations and rights of three parties:

The Utah law, and the ABA guidelines, decided to spell out all of these duties in great detail. To make sure that relying parties could trust certifying authorities (CAs), the Utah law went one step further and called for government licensing. The government would make sure that prospective CAs are trustworthy and that they remain so. It would check the technical and other security measures that CAs use to protect keys and would enforce rules about documents CAs should demand before certifying someone's signature. (Can the CA issue an identity certificate based on one piece of identification or must it see three? Does it have to check the keyholder's address? And so on.)

By and large, the Utah bill is also pretty tough on keyholders. If they aren't careful with their private keys, they will lose their houses. Early boosters of the technology, however, thought the alternative was worse: Relying parties and certifying authorities might refuse to participate in digital signature transactions if keyholders could invalidate transactions after the fact by making up a story about having been negligent with their keys.

How many lawmakers does it take to screw up an infrastructure?

Two problems with the Utah approach only became apparent as digital signature laws began to sweep through legislature after legislature.

1. Conflicting obligations. First, not every lawmaker saw the policy issues the way Utah did. And the more detailed the legislation, the more room there was for fatal conflicts between state laws, sometimes on the most inconsequential points.

To take one example, both Utah and Washington require a CA to suspend a certificate if the CA gets a call from the keyholder saying the private key has been compromised. (In Utah, the keyholder has a big incentive to act fast; he wants that compromised key suspended before somebody sells his house.)

But to guard against fraud or pranks ("Hey, guys, let's call up the bank and suspend our gym teacher's public key."), the CA can't suspend for long without checking to make sure the suspension request really came from the keyholder. Under Utah law, the check has to be done within two days, but the certificate is automatically suspended whenever the CA gets a request from someone claiming to be the keyholder. Under Washington law, the caller can ask for a four-day suspension, but the CA can only suspend the certificate if the CA is pretty sure the caller really is the keyholder.

Same basic idea in both states. But what if you are a CA doing business in both states and you get a suspension request from someone who doesn't sound very much like the keyholder? In Utah, you must suspend; in Washington, you can't. Or suppose the caller asks for three days to come in and verify his identity? In Utah, you can't wait that long; in Washington, you must. CAs simply can't obey the laws of both states.

Other states have tried to avoid such problems by writing less detailed laws, leaving a lot to regulatory authorities. But that just postpones the conflicts, and perhaps makes them harder to find. It does not eliminate the likelihood of conflicting regulations. After all, many of the questions addressed by the Utah law have no easy answer. How much risk should the keyholder bear and how much should fall on the CA? Different states, and certainly different countries, will arrive at different answers to such questions. But, if CAs must change their practice in each country or each state, there will be very few CAs in ten years, and digital signatures will not live up to their promise.

2. State licensing. An even bigger potential problem is the solution Utah used to ensure the quality of CAs. Having CAs obtain licenses from the state in exchange for accepting regulation by the state is very appealing in many ways. It is flexible, it allows the state to "back up" the digital signature of a licensed CA with a state-issued certificate, and it gives unhappy parties somewhere to go with complaints.

But what if licensing is mandatory? Suddenly, many cheap but useful certificates could become too much trouble to bother with. Take the example of a merchant that wants to improve online shopping security by issuing customer certificates: "This certifies that the holder has purchased more than five books at Amazon.com using the name 'Stewart Baker'." If Amazon.com can't issue a simple customer certificate without registering in fifty states and complying with all the security rules that apply to the high-trust certificates, it will just stop using certificates like this. And we will all have a little less security when we shop online.

So far, in the United States, licensing has remained voluntary. If a CA wants the imprimatur of the State of Utah, it must register there. If not, not. Either way, the CA can lawfully issue certificates to Utah residents. (Actually, there are still some disadvantages that will push many firms into registering in most states, but I am ignoring them for simplicity.)

Not so abroad. Germany's law contains no savings clause for cheap certificates or closed system certificates. It implies that no one may issue certificates without meeting strict standards for security; these standards include a requirement that private keys be stored only on a smart card -- they can't be sent over the Internet, and they can't even be stored on a hard disk that is guarded 24 hours a day.

If pressed, German authorities sometimes say that they will not punish those who issue "unauthorized certificates." (That seems to be what they are telling the European Commission, which is worried about the trade-restricting impact of the German law.) But privately, some officials say that within three years the licensing regime will be mature and unauthorized CAs will be stamped out.

In Malaysia, that future is now. Malaysia's recently enacted digital signature bill makes it clear that anyone who issues certificates must register in Malaysia.

And it is not just cheap but useful certificates that will be affected. SET, arguably the most sweeping and important use of digital signature technology to actually see the light of day, may also be harmed by the proliferation of registration requirements. Neither Malaysia nor Germany was willing to make a clear exception in its law even for entirely private and consensual uses of digital signatures.

Conclusion

This issue is not going to go away by itself -- at least not soon enough to avoid serious problems.

Inside the United States, efforts to write a uniform state law that would resolve some of these issues are moving forward, but slowly. There are honest disagreements about how much liability to assign to the parties to a transaction and how much "freedom of contract" should be recognized in a complex field with major implications for consumers. So even if a uniform law is agreed upon, it may not exactly sweep the nation.

On the international level, there are a number of fora in which this issue is being addressed, including the OECD, UNCITRAL, and the Trans-Atlantic Business Dialogue. Unfortunately, it is becoming increasingly likely that serious differences will arise internationally between countries enamored of the high-regulation, high-trust model and those more open to market developments in digital signature use. This opens the door to protectionism and discrimination, and makes it unlikely that a workable consensus can be achieved.

The United States needs to show leadership by engaging these issues and actively seeking ways to turn these developments away from conflicting rules. I am not here to push specific solutions, only to raise the issues and encourage this Committee to treat this as a serious problem. Hopefully, this hearing will be the beginning of a dialogue that brings about solutions and allows digital signature technology to fulfill its great potential.

--- end ---
