In the CA I trust. A look at Certification Authorities

James E. Shearer
CSEP 590
March 8th 2006
The Public Key Infrastructure is adjudicated by the individual States
"Laws and policies for digital signatures should balance the need for consistency
across state and national boundaries, the need to allow for experimentation and
innovation, and need to respect traditional state jurisdictions, e.g., commerce,
contracts, and state rules of evidence."
American Bar Association, 1997
“Contracts involving interstate or foreign commerce may not be denied legal
effect, validity, or enforceability solely because it and/or the signatures on it are
in electronic form.”
Electronic Signatures In Global And National Commerce Act (E-Sign)
passed in the Congress of the United States, June 2000[2].
States have taken 2 approaches

Electronic signature laws
• Clarify how current law should apply to electronic authentication.
• Explicitly recognize that many different technologies are capable of creating valid signatures, including digital images of signatures, PIN numbers, and biometric devices.
States include Florida, Virginia, and Texas
"If a law requires a signature or record to be notarized, acknowledged, verified, or made under oath, the requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the signature or record."
Texas Business and Commercial Code, Chapter 43; Uniform Electronic Transaction Act

Secure signature laws
• Give special statutory benefits (such as evidentiary presumptions and liability limits or other special recognition) for electronic signatures that have an established degree of reliability
"Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:
• The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
• The digital signature was affixed by the signer with the intention of signing the message; and
• The recipient has no knowledge or notice that the signer either breached a duty as a subscriber; or does not rightfully hold the private key used to affix the digital signature."
RCW 19.34, Washington Electronic Authentication Act
States include Utah, Washington and Minnesota
CA Certification
Certification Authorities are approved:
• by the State (E.g., Washington)
• by a designated (non-government)
registration authority (E.g., Kansas)
CAs must show:
• Their equipment and processes protect
the CAs’ private keys adequately,
• Their processes verify the authenticity of
subscribers adequately,
• (At least in Washington) They have an
office or representative in the state.
CAs document their processes in a
Certification Practice Statement
(VeriSign’s is 73 pages long).
Washington has licensed VeriSign and
Digital Signature Trust.
(VeriSign bought Thawte in 2000)
Classes of Certificates

| Class | Assurance Level | Purpose | Subscriber Validation |
|-------|-----------------|---------|-----------------------|
| 3 | High | Code and content signing; SSL tunnels | Subscriber must physically visit the CA and provide proof of identity and affiliation to the represented organization. |
| 2 | Medium | Same as below | Matching information against a trusted source such as a credit bureau. |
| 1 | Low | Signing, Encryption, Client authentication | Confirmation of subscriber's email address. |
| 0 | Rudimentary | Data Integrity | None |

VeriSign offers certificates in classes 1 – 3
US Postal Service offers Electronic Postmark Service certificates in class 0
Liability
CA is largely immune
• CA is liable for damages resulting from inappropriate subscriber
authentication to an amount determined in the CA’s own CPS
• Washington law exempts the CA from liability for:
  • Lost or forged certificates
  • Punitive or exemplary damages
  • Damages for pain and suffering
Subscriber is vulnerable to breach of contract
• Subscriber is liable for damage resulting from loss or theft of certificates
Relying Party carries burden of proof
VeriSign’s CPS specifies that before any act of reliance, the Relying Party is responsible for understanding VeriSign’s CPS and verifying:
• the appropriateness of the certificate for the transaction,
• the key usage field extensions,
• the state of all certificates in the Relying Party to Root path
- This is interesting since the whole process is largely automated!
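The relying-party checks listed above are the ones software normally performs on the user's behalf. The following added example (not from the original slides or from VeriSign's CPS) models them over simplified certificate records. The `Cert` fields, the function name and the sample chain are constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # simplified model of the fields the checks need, not parsed X.509
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    key_usage: frozenset
    is_ca: bool = False

def reliance_problems(leaf, pool, trusted_roots, revoked, needed_usage, now):
    """Return every reason not to rely on `leaf`; an empty list means all checks passed."""
    problems = []
    # Appropriateness / key usage: may this key do what the transaction needs?
    if needed_usage not in leaf.key_usage:
        problems.append(f"{leaf.subject}: keyUsage lacks {needed_usage}")
    # State of every certificate on the path from the leaf up to the root.
    by_subject = {c.subject: c for c in pool}
    cert, seen = leaf, set()
    while True:
        seen.add(cert.subject)
        if not (cert.not_before <= now <= cert.not_after):
            problems.append(f"{cert.subject}: outside validity period")
        if (cert.issuer, cert.serial) in revoked:  # revoked = {(issuer, serial), ...}
            problems.append(f"{cert.subject}: revoked")
        if cert is not leaf and not (cert.is_ca and "keyCertSign" in cert.key_usage):
            problems.append(f"{cert.subject}: may not sign certificates")
        if cert.issuer == cert.subject:  # self-signed, so the path ends here
            if cert.subject not in trusted_roots:
                problems.append(f"{cert.subject}: root is not trusted")
            break
        cert = by_subject.get(cert.issuer)
        if cert is None or cert.subject in seen:
            problems.append("path does not reach a root")
            break
    return problems

# Constructed sample chain: root -> issuing CA -> subscriber
T0, T1 = datetime(2006, 1, 1, tzinfo=timezone.utc), datetime(2007, 1, 1, tzinfo=timezone.utc)
CA_USE = frozenset({"keyCertSign", "cRLSign"})
ROOT = Cert("Example Root", "Example Root", 1, T0, T1, CA_USE, True)
ISSUER = Cert("Example Issuing CA", "Example Root", 2, T0, T1, CA_USE, True)
LEAF = Cert("alice@example.test", "Example Issuing CA", 3, T0, T1, frozenset({"digitalSignature"}))
POOL, ROOTS = [ROOT, ISSUER], {"Example Root"}
NOW = datetime(2006, 3, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(reliance_problems(LEAF, POOL, ROOTS, set(), "digitalSignature", NOW))
    print(reliance_problems(LEAF, POOL, ROOTS, {("Example Root", 2)}, "keyEncipherment", NOW))
```

A revoked or expired intermediate is reported even when the subscriber's own certificate is in order, which is the "state of all certificates in the path" obligation in practice.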