In the CA I trust.A look at Certification Authorities

James E. ShearerCSEP 590

March 8th 2006

The Public Key Infrastructure is adjudicated by the individual States

“Contracts involving interstate or foreign commerce may not be denied legal effect, validity, or enforceability solely because it and/or the signatures on it are in electronic form.”

Electronic Signatures In Global And National Commerce Act (E-Sign)passed in the Congress of the United States, June 2000[2].

"Laws and policies for digital signatures should balance the need for consistency across state and national boundaries, the need to allow for experimentation and innovation, and need to respect traditional state jurisdictions, e.g., commerce, contracts, and state rules of evidence."

American Bar Association, 1997

States have taken 2 approachesElectronic signature laws Secure signature laws

• Clarify how current law should apply to electronic authentication.

• Explicitly recognize that many different technologies are capable of creating valid signatures, including digital images of signatures, PIN numbers, and biometric devices.

• Give special statutory benefits (such as evidentiary presumptions and liability limits or other special recognition) for electronic signatures that have an established degree of reliability

States include Florida, Virginia, and Texas States include Utah, Washington and Minnesota

"If a law requires a signature or record to be notarized, acknowledged, verified, or made under oath, the requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the signature or record."

Texas Business and Commercial Code, Chapter 43; Uniform Electronic Transaction Act

"Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature, if:

• The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;

• The digital signature was affixed by the signer with the intention of signing the message; and

• The recipient has no knowledge or notice that the signer either breached a duty as a subscriber; or does not rightfully hold the private key used to affix the digital signature."

RCW 19.34, Washington Electronic Authentication Act

CA CertificationCertification Authorities are approved:• by the State (E.g., Washington)• by a designated (non-government)

registration authority (E.g., Kansas)

Washington has licensed VeriSign and Digital Signature Trust.(VeriSign bought Thawte in 2000)

CAs must show:• Their equipment and processes protect

the CAs’ private keys adequately,• Their processes verify the authenticity of

subscribers adequately,• (At least in Washington) They have an

office or representative in the state.

CAs document their processes in a Certification Practice Statement (VeriSign’s is 73 pages long).

Classes of CertificatesClass Assurance Level Purpose Subscriber Validation

3 High Code and content signingSSL tunnels

Subscriber must physically visit the CA and provide proof of identity and affiliation to the represented organization.

2 Medium Same as below Matching information against a trusted source such as a credit bureau.

1 Low Signing,Encryption,Client authentication

Confirmation of subscriber's email address.

0 Rudimentary Data Integrity None

VeriSign offers certificates in classes 1 – 3US Postal Service offers Electronic Postmark Service certificates in class 0

LiabilityCA is largely immune

Subscriber is vulnerable to breach of contract

Relying Party carries burden of proof

• Lost or forged certificates• Punitive or exemplary damages• Damages for pain and suffering

• CA is liable for damages resulting from inappropriate subscriber authentication to an amount determined in the CA’s own CPS

• Washington law exempts the CA from liability for:

• Subscriber is liable for damage resulting from loss or theft of certificates

VeriSign’s CPS specifies that before any act of reliance, the Relying Party is responsible for understanding VeriSign’s CPS and verifying:

• appropriateness of the certificate for the transaction,• verification of key usage field extensions,• the state of all certificates in the Relying Party to Root path

- This is interesting since the whole process is largely automated!