In the CA I trust. A look at Certification Authorities
James E. Shearer
CSEP 590
March 8th 2006

The Public Key Infrastructure is adjudicated by the individual States

"Laws and policies for digital signatures should balance the need for consistency across state and national boundaries, the need to allow for experimentation and innovation, and need to respect traditional state jurisdictions, e.g., commerce, contracts, and state rules of evidence."
American Bar Association, 1997

“Contracts involving interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because it and/or the signatures on it are in electronic form.”
Electronic Signatures In Global And National Commerce Act (E-Sign) passed in the Congress of the United States, June 2000[2].

States have taken 2 approaches

Electronic signature laws
• Clarify how current law should apply to electronic authentication.
• Explicitly recognize that many different technologies are capable of creating valid signatures, including digital images of signatures, PIN numbers, and biometric devices.
States include Florida, Virginia, and Texas

Secure signature laws
• Give special statutory benefits (such as evidentiary presumptions and liability limits or other special recognition) for electronic signatures that have an established degree of reliability

"If a law requires a signature or record to be notarized, acknowledged, verified, or made under oath, the requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the signature or record."
Texas Business and Commercial Code, Chapter 43; Uniform Electronic Transaction Act

"Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:
• The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
• The digital signature was affixed by the signer with the intention of signing the message; and
• The recipient has no knowledge or notice that the signer either breached a duty as a subscriber; or does not rightfully hold the private key used to affix the digital signature."
RCW 19.34, Washington Electronic Authentication Act

States include Utah, Washington and Minnesota

CA Certification

Certification Authorities are approved:
• by the State (e.g., Washington)
• by a designated (non-government) registration authority (e.g., Kansas)

CAs must show:
• Their equipment and processes protect the CAs’ private keys adequately,
• Their processes verify the authenticity of subscribers adequately,
• (At least in Washington) They have an office or representative in the state.

CAs document their processes in a Certification Practice Statement (VeriSign’s is 73 pages long).
Washington has licensed VeriSign and Digital Signature Trust. (VeriSign bought Thawte in 2000)

Classes of Certificates

Class | Assurance Level | Purpose | Subscriber Validation
3 | High | Code and content signing; SSL tunnels | Subscriber must physically visit the CA and provide proof of identity and affiliation to the represented organization.
2 | Medium | Same as below | Matching information against a trusted source such as a credit bureau.
1 | Low | Signing, Encryption, Client authentication | Confirmation of subscriber's email address.
0 | Rudimentary | Data Integrity | None

VeriSign offers certificates in classes 1 – 3
US Postal Service offers Electronic Postmark Service certificates in class 0

Liability

CA is largely immune
• CA is liable for damages resulting from inappropriate subscriber authentication to an amount determined in the CA’s own CPS
• Washington law exempts the CA from liability for:
  • Lost or forged certificates
  • Punitive or exemplary damages
  • Damages for pain and suffering

Subscriber is vulnerable to breach of contract
• Subscriber is liable for damage resulting from loss or theft of certificates

Relying Party carries burden of proof
VeriSign’s CPS specifies that before any act of reliance, the Relying Party is responsible for understanding VeriSign’s CPS and verifying:
• appropriateness of the certificate for the transaction,
• verification of key usage field extensions,
• the state of all certificates in the Relying Party to Root path - This is interesting since the whole process is largely automated!