In the CA I trust. A look at Certification Authorities. James E. Shearer, CSEP 590, March 8th 2006


Presentation transcript:

Slide 1: In the CA I trust. A look at Certification Authorities (James E. Shearer, CSEP 590, March 8th 2006)

Slide 2: The Public Key Infrastructure is adjudicated by the individual States

“Contracts involving interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because it and/or the signatures on it are in electronic form.”
Electronic Signatures In Global And National Commerce Act (E-Sign), passed in the Congress of the United States, June 2000 [2].

"Laws and policies for digital signatures should balance the need for consistency across state and national boundaries, the need to allow for experimentation and innovation, and need to respect traditional state jurisdictions, e.g., commerce, contracts, and state rules of evidence."
American Bar Association, 1997

Slide 3: States have taken 2 approaches

Electronic signature laws
  Clarify how current law should apply to electronic authentication. Explicitly recognize that many different technologies are capable of creating valid signatures, including digital images of signatures, PIN numbers, and biometric devices.
  States include Florida, Virginia, and Texas.
  "If a law requires a signature or record to be notarized, acknowledged, verified, or made under oath, the requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the signature or record."
  Texas Business and Commercial Code, Chapter 43; Uniform Electronic Transaction Act

Secure signature laws
  Give special statutory benefits (such as evidentiary presumptions and liability limits or other special recognition) for electronic signatures that have an established degree of reliability.
  States include Utah, Washington and Minnesota.
  "Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if: The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority; The digital signature was affixed by the signer with the intention of signing the message; and The recipient has no knowledge or notice that the signer either breached a duty as a subscriber; or does not rightfully hold the private key used to affix the digital signature."
  RCW 19.34, Washington Electronic Authentication Act

Slide 4: CA Certification

Certification Authorities are approved:
- by the State (e.g., Washington)
- by a designated (non-government) registration authority (e.g., Kansas)

Washington has licensed VeriSign and Digital Signature Trust. (VeriSign bought Thawte in 2000.)

CAs must show:
- their equipment and processes protect the CAs’ private keys adequately,
- their processes verify the authenticity of subscribers adequately,
- (at least in Washington) they have an office or representative in the state.

CAs document their processes in a Certification Practice Statement (VeriSign’s is 73 pages long).

Slide 5: Classes of Certificates

Class  Assurance level  Purpose                                      Subscriber validation
3      High             Code and content signing; SSL tunnels        Subscriber must physically visit the CA and provide proof of identity and affiliation to the represented organization.
2      Medium           Same as below                                Matching information against a trusted source such as a credit bureau.
1      Low              Signing, encryption, client authentication   Confirmation of subscriber's email address.
0      Rudimentary      Data integrity                               None

VeriSign offers certificates in classes 1 – 3. The US Postal Service offers Electronic Postmark Service certificates in class 0.

Slide 6: Liability

CA is largely immune. Subscriber is vulnerable to breach of contract. Relying Party carries burden of proof.

Washington law exempts the CA from liability for:
- lost or forged certificates,
- punitive or exemplary damages,
- damages for pain and suffering.

CA is liable for damages resulting from inappropriate subscriber authentication, to an amount determined in the CA’s own CPS.

Subscriber is liable for damage resulting from loss or theft of certificates.

VeriSign’s CPS specifies that before any act of reliance, the Relying Party is responsible for understanding VeriSign’s CPS and verifying:
- appropriateness of the certificate for the transaction,
- the key usage field extensions,
- the state of all certificates in the Relying Party to Root path.
This is interesting since the whole process is largely automated!
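As an added illustration of the relying-party checks that the CPS puts on the Relying Party (this is not code from the slides, from VeriSign, or from any CA), the following Python uses the third-party cryptography package to build a constructed self-signed root and a subscriber certificate in memory, then runs the checks a relying party owes before reliance: the path back to the root (name chaining plus the root's actual signature over the leaf), the validity window of every certificate in the path, and the KeyUsage extension against the intended use. The names, dates, serial numbers and the helper functions make_chain and relying_party_checks are all assumptions made for this example; relying_party_checks returns the list of reasons not to rely, so an empty list means the checks passed.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed reference time (naive UTC): the date of the talk.
DEMO_NOW = datetime.datetime(2006, 3, 8, 12, 0, 0)
# A constructed time after the example subscriber certificate has expired.
AFTER_LEAF_EXPIRY = DEMO_NOW + datetime.timedelta(days=400)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _key_usage(**on):
    """KeyUsage extension with every bit off except those passed as True."""
    bits = {b: False for b in ("digital_signature", "content_commitment",
                               "key_encipherment", "data_encipherment",
                               "key_agreement", "key_cert_sign", "crl_sign",
                               "encipher_only", "decipher_only")}
    bits.update(on)
    return x509.KeyUsage(**bits)


def _window(cert):
    """(not_before, not_after) as naive UTC, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after


def make_chain(leaf_can_sign=True):
    """Constructed two-level chain (hypothetical, not real CA material):
    a self-signed root and a subscriber certificate it issued. leaf_can_sign
    chooses a signing certificate (digitalSignature) or an encryption-only
    one (keyEncipherment), mirroring the purpose column on the class table."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = (x509.CertificateBuilder()
            .subject_name(_name("Example Root CA"))
            .issuer_name(_name("Example Root CA"))
            .public_key(root_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(DEMO_NOW - datetime.timedelta(days=1))
            .not_valid_after(DEMO_NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(_key_usage(key_cert_sign=True, crl_sign=True), critical=True)
            .sign(root_key, hashes.SHA256()))
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("subscriber@example.invalid"))
            .issuer_name(root.subject)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(DEMO_NOW - datetime.timedelta(days=1))
            .not_valid_after(DEMO_NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_key_usage(digital_signature=leaf_can_sign,
                                      key_encipherment=not leaf_can_sign), critical=True)
            .sign(root_key, hashes.SHA256()))
    return root, leaf


def relying_party_checks(leaf, root, now=DEMO_NOW, require_digital_signature=True):
    """Return the reasons the relying party must NOT rely on `leaf`
    (empty list: all checks passed)."""
    problems = []
    # 1. Path to root. Issuer-name chaining alone proves nothing; the root's
    #    signature over the leaf's to-be-signed bytes is what binds them.
    if leaf.issuer != root.subject:
        problems.append("leaf issuer does not match root subject")
    try:
        bc = root.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = root.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (bc.ca and ku.key_cert_sign):
            problems.append("root is not a certificate-signing CA")
    except x509.ExtensionNotFound:
        problems.append("root lacks BasicConstraints or KeyUsage")
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        problems.append("leaf signature invalid")
    # 2. Validity period of every certificate in the path.
    for label, cert in (("leaf", leaf), ("root", root)):
        not_before, not_after = _window(cert)
        if not not_before <= now <= not_after:
            problems.append(f"{label} outside its validity period")
    # 3. Key usage: is the certificate appropriate for this transaction?
    try:
        ku = leaf.extensions.get_extension_for_class(x509.KeyUsage).value
        if require_digital_signature and not ku.digital_signature:
            problems.append("leaf KeyUsage does not permit digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("leaf lacks KeyUsage")
    return problems


if __name__ == "__main__":
    root, leaf = make_chain()
    print("signing cert, now:", relying_party_checks(leaf, root))
    print("signing cert, later:", relying_party_checks(leaf, root, now=AFTER_LEAF_EXPIRY))
```

Two design points are worth noting. A second, unrelated root with the same subject name passes the name-chaining step and is rejected only by the signature check, which is why the check verifies the signature rather than trusting names. And the example covers only the signature, validity and key-usage parts of "the state of all certificates in the path"; revocation status (a CRL or OCSP check) is a separate step that a relying party would still need before reliance.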
