Scope And Assumptions.

The issues implicated by PKI are extensive and complex. We have not attempted to address all of these issues in this Report, although many of them warrant additional analysis. The following list represents some of the major assumptions that we have made:

(a) We have not attempted to compare the desirability of centralized trust systems for PKI with other models for authenticating trading partners or improving the security of the Internet. Among these competing approaches to authentication are challenge-response identification; the "web-of-trust" model (found most prominently among users of Pretty Good Privacy); passcards and other hardware devices; biometric systems such as those developed by PenOp and Mytec Technologies; and Electronic Data Interchange over a value added network. There are strengths and weaknesses to each of these competing approaches that are currently being debated elsewhere. Conceivably some of these alternative models for authentication may be partially incorporated into a trusted third party (CA-oriented) PKI.

(b) Throughout this Report, we have focused only on consumer transactions utilizing the services of commercial CAs. There is no intent to suggest that consumer transactions are the most important or even best application for digital signatures or that commercial CAs should preclude government CAs. However, in this pilot project, we have not attempted to address all possible scenarios.

(c) We note that digital signatures and certificates are currently being deployed in a number of other interesting applications. For example, a number of vendors are using digital signatures and CA schemes as an access control device -- either as a device for metering access to intellectual property available on the Internet, or in the "Intranet" context, where certificates are used to regulate which employees are entitled to access proprietary resources. Another increasingly common use is authentication of the source and functionality of software distributed over the Internet. The issues involved in this context could be materially different than those found in the consumer commercial context, and we have not attempted to address them here.

(d) Similarly, we note that some legislatures are authorizing the limited use of digital signatures for specified government purposes, such as the filing of court documents, tax returns or architectural design plans or for signing medical records. We do not attempt to address the issues regarding the use of digital signatures for these specified, limited purposes.

(e) Throughout this Report we address certificates designed to confirm identity. In fact, certificates are capable of providing information about consumer attributes beyond simply that consumer's "identity" -- perhaps even on an anonymous basis. For example, a certificate could certify that a person was over 21 and therefore permitted to access materials restricted to people over that age without disclosing the person's name. Although certificates are likely to find substantial uses in these ways, we have not attempted to address these issues.

(f) We have assumed that cryptographic devices sufficient to generate difficult-to-determine key pairs will be widely available across international borders. Currently the distribution of these devices is controlled by a number of governments, and such regulation is the subject of substantial debate. Further, we do not address any issues related to the escrowing of keys.

(g) Generally, we have assumed that consumers (and not other parties) will make the substantive decision about which CAs they will establish relationships with. However, it is possible that merchants or the payment systems (such as the credit card associations) will drive this decision by dictating which CAs' certificates they will accept, effectively forcing consumers to procure certificates from these CAs. Because it fundamentally alters the freedom of contract principles we have tried to support in this Report, lack of consumer choice over what CA is used raises a host of new consumer protection and other issues that we have not attempted to address here.

(h) We have assumed that CAs, if given the opportunity, would enter into contracts with merchants rather than rely on the default non-contract rules (i.e., tort principles under common law or statutory rules). We make this assumption because of the incentives CAs will have to disclaim warranties to merchants, to exclude consequential and other party-specific damages, and to impose dollar caps on liabilities. It is possible that CAs would not want to enter into contracts with merchants if these objectives cannot be met (for example, if the waivers or exclusions are unconscionable or fail of their essential purpose). However, we believe that CAs hope and expect that their relationships with merchants will be governed by contract or possibly by statute.

(i) We do not deal with issues related to agency law and actual or apparent authority. Certificates could at some point indicate a party's authority to act (see paragraph (e) above), but we do not address that here.

(j) Ensuring the long-term validity of a contract signed with a digital signature may require the services of a third party commonly referred to as a timestamper, who can specify when the message containing the digital signature was sent. We have not attempted to address issues related to timestamping.

(k) "Caching" occurs when remote information is duplicated and stored locally. It is likely that information being transmitted through the PKI will be cached both at the client level and at the proxy server level (internally in an organization or at their service provider's servers). This issue is mostly likely to be seen in the case of Certificate Revocation Lists, which merchants may cache (much like merchants used to keep hard copy printouts of revoked credit cards next to cash registers for real-time verification by cashiers). Caching creates the possibility that parties are knowingly or unknowingly relying on outdated information, and will also potentially implicate difficult issues under copyright law or other intellectual property rules applicable to databases. We have not attempted to address these issues, although there may be technological methods that minimize this problem.

(l) CAs will acquire significant private information about its consumers. Not only will consumers directly submit personal information to the CA, but the consumer's conduct will leave a "digital trail" of information that, analyzed properly, would give insights into the consumer's affairs. We do not address the laws (or desirability of laws) relating to keeping this information confidential. We note, however, that the CA's disclosure of consumer information may be governed by the E.U.'s Directive on Data Privacy Protection (95/46/EC), among other rules.

(m) We have not addressed the bandwidth, computer and other costs associated with the use of digital signatures. We assume that senders and recipients of digital signatures, certificates or other electronic messages do not bear any marginal costs attributable to sending or receiving these files. In practice, per-byte or per-message pricing could become standard, making the marginal costs of using or verifying digital signatures greater than zero. In addition, the computational power required to generate and process digital signatures is significant and will continue to increase as the length of public and private keys increases. Significant marginal costs attributable to computer processing or bandwidth are likely to alter the way that senders and recipients perceive and use digital signatures in ways we have not attempted to address.

(n) We do not address evidentiary issues associated with digital signatures, such as the admissibility of digitally-signed documents, the appropriate evidentiary weight to be accorded such documents, and legal presumptions arising from the use of digital signatures. These issues can include whether a document signed with a digital signature satisfies the "writing" requirement under applicable statutes of frauds, whether an electronic record signed with a digital signature satisfies the best evidence rule, and so on. Though seemingly procedural, these issues can raise important public policy concerns. For example, some enacted U.S. state legislation creates a presumption that, under certain circumstances, the person who owns a particular key pair used to sign a document is the person who did in fact sign the document. Holding an individual presumptively bound by obligations entered into under their digital signature could be inequitable if the individual is the victim of the fraudulent use of such a signature.

These issues could also be significant in non-US jurisdictions that have extensive statute of frauds. For example, Germany has a set of legal rules ("Schriftform") similar to the statute of frauds in other jurisdictions. There are thousands of German statutory law provisions that require certain declarations to be given in written form; in such cases, "written form" is defined by statute to mean a written signature made by pen on paper. Important examples of such provisions in German law are consent to the use of personal data under the Data Protection Law, covenants and transfers with respect to real estate, and the transfer of shares in a limited liability company. Presumably digitally-signed documents will not qualify as being in written form under these laws.

(o) Generally, this Report does not address "cooling off" laws designed to give consumers the opportunity to reject transactions for some period of time following the execution of the contract.

(p) There are multiple conventions for the technical specifications of certificates. This Report only addresses Standard X.509 of the International Telecommunications Union, although the analysis may apply to other certificate conventions.

(q) Some visions of a PKI require that each participant obtain, register and use a unique "distinguished name." These naming conventions may implicate privacy concerns, agency law and even trademark law. We do not address issues related to naming in this Report.

(r) In order to analyze the CA's digital signature attached to a certificate, the party receiving the certificate must obtain the CA's public key. Just as there are issues regarding whether a consumer's public key belongs to the person who claims it, there could be issues about whether the CA's public key belongs to the CA who claims it. To resolve this, some visions of the PKI assume that a CA will have the CA's certificates signed by another CA whom the public can trust that its public key belongs to this CA. This Report assumes that, if a chain of certificates is developed to allow CAs to include certificates regarding the CA's signature, the "root certificate" -- that is, the certificate of the public key of the CA at the top of this chain -- can be trusted, whether it is issued by a government or private entity.

(s) We do not address the duties, if any, of higher-level CAs for the duties of CAs whose public keys are certified by the higher-level CA.

(t) The mechanisms by which certificates are delivered to potential relying parties can vary. This Report assumes that a consumer who is identified in a certificate will present that certificate directly to the merchant who intends to rely upon it. The Report does not analyze the situation where certificates are stored in a database or directory maintained by a certification authority or other third party and accessed by merchants on an as-needed basis.