Presentation 2

Encryption, Digital Signatures & Trust
Acc680
Jim Nellegar
Notaries Public – Lost in Cyberspace or key business
professionals of the future?
A Proposed Code of Professional Responsibility for
Certification Authorities
Legal and Technological Infrastructures for Electronic
Payment Systems
Encryption, Digital Signatures & Trust
The John Marshall Law School (1997)
Notaries Public:
Lost in Cyberspace or key business
professionals of the future?
Michael L. Closen, Professor of Law, J.D.
R. Jason Richards, Law Student
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
Focus:
Notary’s status in U.S. and Remediation through Cybernotary
• Presents similarities between the notary profession and that of
Certification Authorities (a.k.a. cybernotaries)
• Barriers
• Recommendations to implement
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
• Authority of Notaries
* Administer oaths
* Attest to authenticity of signatures on documents
* Weddings, abandoned deposit boxes, produce certified
copies
• Liability of Notaries
* Negligent, reckless or willful conduct
* Not guarantors
* Not liable when acting in good faith
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
“I have but one lamp by which my feet are guided, and that
is the lamp of experience. I know no way of judging of the
future but by the past.”
- Patrick Henry (1775)
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
• Status of Notaries in the U.S.
* Prestige not equivalent to that of notaries in other countries
* Few qualifications (education, background)
* Proliferation (4.5m) diminishes importance
* Clerical task requiring minimal fee
* Test is nominal, few continuing education programs
* Sound notarial practices not promulgated
* No records (journal or logs) required
* Little legislative recognition of notaries’ financial risk
* No formal code of ethics
…contrasts with the value of the transactions effected
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
• Advantages of Cybernotarization
* Cost-effective:
- No need to personally appear
- 24-hour availability
* Verification of signature
* Cybernotaries can be entities
* Notaries & Cybernotaries can coexist

Barriers to implementation
* Significantly higher costs (systems, software, training)
* Higher risk/exposure to litigation & defense costs
* Continued desire to use paper
* Inadequate “model” legislation
* System only as good as security over keys
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
Shortcomings of Utah Model Legislation
* Recommends asymmetric systems only
* Law only requires “reasonable care” in controlling keys
* No qualifications for cybernotaries (age, experience, training)
* No testing requirement (technological, legal, ethical, statutory
procedures, liability)
* Felonies preclude practice, but civil convictions (e.g., fraud) do not
* Financial liability not identified (only “reliance limits”); surety bond
limits & liability insurance not included
* No record maintenance requirement
* Does not address inter-state transactions
* Shortcomings propagate: many other states have used the Utah legislation
as a model
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
Asymmetric Digital Signature Verification
* Using a software program, the sender computes a hash of the document
and encrypts that hash with the sender’s "private" key
* The software places this "signature" into the document; the result is
a string of digits representing the document and the code produced by
the signer
* The string of digits representing document and signature is sent to
the recipient; the signer’s public key is registered in the cybernotary’s
(certification authority’s) repository
* The cybernotary, having verified the signer’s identity, issues a
certificate of authenticity binding that identity to the public key;
the repository holds the certificate for retrieval by the intended
recipient
* The recipient (or the cybernotary on the recipient’s behalf) decrypts
the signature with the signer’s public key; if the result matches a fresh
hash of the received document, the private key and public key "match"
and the signature is authentic
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
Recommendations (Corrective & Implementive)
• Federal legislation be written to address shortcomings
…the role of CA be “undertaken exclusively by attorneys.”
• Cybernotaries should understand that parties are financially
responsible and legally enforceable
Notaries Public:
Lost in Cyberspace or key business professionals of the future?
Conclusion:
I am not an advocate for frequent changes in laws and
institutions. But laws and institutions must go hand-in-hand
with the progress of the human mind. As that becomes more
developed, more enlightened, as new discoveries are made,
new truths discovered and manners and opinions change,
with change of circumstances, institutions must advance
also to keep pace with the times.
- Thomas Jefferson (1816)
John Marshall Journal of Computer & Information Law
A Proposed Code of
Professional Responsibility for Certification Authorities
Dina Atanasopoulos-Arvanitakis
Marilynn J. Dye
A Proposed Code of
Professional Responsibility for Certification Authorities
Focus:
• Propose guidance to CAs where laws or directives are silent.
A Proposed Code of
Professional Responsibility for Certification Authorities
Background
• Role of CA will take on added importance in a “paperless society.”
• CA will be a position of public trust demanding extensive skill and
understanding of trusted systems
• Standards do not carry the force of law
• CODE = 10 Guiding Principles (composed of Directives)
• Designed with model acts in mind, harmonized with (more rigid)
notary standards in other countries
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle I
The CA shall be a licensed attorney
- Notary should be able to substantiate validity of contract
The CA shall be licensed in information technology
- Qualified to act per specialization rules by ABA
- No American “license” to date
The CA shall update and continue his education in IT
- Recommend establishing governing body to ID mandatory programs
- Recommend 20 hours per year
The CA shall be competent at all times
- Refer or recuse
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle II
The CA has International Jurisdiction
- Addresses fact that Internet activities transcend boundaries
The CA Shall be commissioned in every state
- Reciprocity
The CA shall pass an international notary exam
- If candidate wishes to issue certificates for international business
- Structure similar to the U.S. International Patent Bar
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle III
The CA shall be a public official
- Notaries are in a position of public officer
The CA shall be a fiduciary
- Acknowledges cybernotary has a public trust (sans contract)
The CA shall be a fiduciary to his/her subscriber & 3rd parties
- Acknowledges cybernotaries duties to sender/recipient as
provided by contract or law
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle IV
The CA owes a standard of care to clients
- Confirm facts related to the transaction
The CA shall safeguard private keys
- Including information contained within the keys
The CA shall maintain proper records
- Shall maintain a record of each transaction, details, adequate time
period
The CA shall maintain confidences
- Related to the transaction and parties
The CA shall disclose facts that adversely or materially affect reliance
- Any facts or circumstances impacting reliance on certificate
- Any facts that would indicate an actual or potential conflict of
interest ~ Risk~
The CA shall have sufficient financial resources
- Resources sufficient to bear risk of liability. Surety bonds, liability
insurance, etc. (may differ by jurisdiction) .
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle V
The CA shall pass a criminal background check
- includes civil convictions for fraud
The CA must procure proper identification
- Deterrent. Photo/thumbprint/tele. Must maintain identifications in e-journal
The CA shall verify information
- Information relevant and critical to transactions, e.g., intent to
engage in a transaction.
The CA shall time stamp certificates
- Including person that created the certificate
The CA shall suspend/revoke a cert. if private key is compromised
- May include taking action for the sender; requires “public” notice to the parties
The CA shall report fraudulent activity
- To “appropriate” law enforcement or disciplinary authority
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle VI
The CA shall refrain from notarizing his own transactions and from
accepting improper gains
- Avoid appearance of impropriety
- Cannot use information gained (directly or collaterally) for personal
gain
Guiding Principle VII
The CA shall not purposefully and knowingly engage in misconduct
- No false, deceptive, inaccurate or incomplete information.
- Criminal and civil liability may result
Guiding Principle VIII
The Certification Authority Shall Treat All People Equally
- Race, religion, national origin, age, physical disability, gender, etc.
A Proposed Code of
Professional Responsibility for Certification Authorities
Guiding Principle IX
The Certification Authority Shall Charge Reasonable Fees
- Does not define “reasonable” or how the fee will be set
(legislated fee schedule, free competition, etc.)
- No CA shall enter into an agreement charging an excessive fee.
Guiding Principle X
The CA shall maintain the integrity of the profession
- Act in accordance with role of a public official
The CA shall report misconduct
- Of colleagues. Statement does not include clients.
The CA shall make dignified advertisements
The CA shall refrain from making endorsements
A Proposed Code of
Professional Responsibility for Certification Authorities
Conclusion:
Valuable as a first step and framework
* Requires further development
* May require regular practice statements (public trust) and
certifications
* Objective not dissimilar to WebTrust
* Requires wide-spread adoption (international acceptance)
* Organizations must be self-policing
Questions:
* Attorney language focuses on prestige, ethics, technical skill.
Too limited?
Rutgers Computer and Technology Law Journal (1996)
Legal and Technological Infrastructures for Electronic
Payment Systems
Henry H. Perritt, Jr.
Legal and Technological Infrastructures
for Electronic Payment Systems
Focus
Infrastructures necessary to ensure Internet payment systems must
provide that:
• The acceptor of a credit card or cybercash has a claim against the issuer
• Assured funds exist against which redemption can be made
Legal and Technological Infrastructures
for Electronic Payment Systems
• Acceptor of credit card or cybercash has a claim against
the issuer
Risk of forgery is the primary risk giving rise to dishonor:
- Digital signatures protect the vendor from spoofing by the customer and
from forgery or spoofing with respect to the issuer
- For PKI to be accepted as the solution, an appropriate legal framework
must be adopted.
Legal and Technological Infrastructures
for Electronic Payment Systems
Assured funds against which redemption can be made
- Legal infrastructure for forgery and dishonor in traditional
commerce
* Banking regulations impose capital requirements,
insurance
* Much of Internet business will be conducted out of reach of
banking regulators
Legal and Technological Infrastructures
for Electronic Payment Systems
Focus
• Risk of Forgery
- Technology: X.509 certificates (an ITU-T standard) as profiled in IETF
RFC 1422; VISA/MC promulgate standards for management and use of PKI.
- Legal: Technology complemented by VISA/MC framework,
Model legislation (greater adoption needed)
- More CAs created and marketed
• Risk of Dishonor
– Risk greater: not controlled
– Banking-type regulation made more difficult by the Internet
– Clearinghouse mechanisms a better solution than banking
mechanisms
* faster to create and set up administration
* faster response to problems and technological changes
* Can regulate across national boundaries (overreaching risk)
* Exists in the credit card model