1. Introduction.

This is Appendix 4 to the Report of the ILPF Working Group on Certification Authority Practices (the "Report"). This Appendix provides a "snapshot" of the industry's development by surveying the practices and policies of selected Certification Authorities ("CAs").

This Appendix first briefly summarizes the existing or prospective services of eight CAs who offer or plan to offer services which most closely match the consumer transaction-oriented model discussed in the Report. Additionally, this Appendix briefly summarizes the existing or prospective services of five other entities whose services differ from the consumer-oriented model discussed in the Report; these other entities illustrate the fact that digital certificates will be used for a variety of purposes in a number of distinct contexts.

Next, this Appendix surveys the practices and policies of certain consumer-oriented CAs in four legally significant areas: (1) subscriber authentication techniques; (2) the legal relationship established between CAs and a subscriber (including issues such as warranties, liability limitations, and legal duties imposed on CAs and subscriber); (3) the legal relationship established between CAs and relying non-subscribers (including warranties, liability limitations, and legal duties); and, (4) key management techniques (including key generation, key revocation, and root key authenticity and security). This discussion focuses primarily on four CAs which have disclosed their relevant practices and policies: VeriSign (which has disclosed a great deal of relevant information), and COST, Nortel and Signet Systems (which have made more limited amounts of information available). The other consumer-oriented CAs have offered little or no information concerning the policies on these legal issues.

This Appendix and its attachment are current through December 1, 1996. Numerous significant changes have occurred since December 1, 1996 that are not reflected in this Appendix.

This Appendix does not address other companies and organizations who have expressed a general intent to offer certification services. A list of the companies and organizations discussed in this Report, and other companies and organizations of interest, and their World Wide Web addresses are included in Attachment A to this Appendix.

2. GENERAL DESCRIPTION OF CA SERVICES.

(a) Consumer-Oriented CAs.

(i) COST Computer Securities Technologies (Kista, Sweden)

NOT YET ACTIVELY issuing certificates to individuals

COST offers certification services derived from the Internet Engineering Task Force's (IETF) Privacy Enhanced Mail (PEM) model; COST has extended the PEM model in order to transfer certificates via the World Wide Web. COST's own certificate is self-signed. COST acts as a Policy Certification Authority (PCA) for national CAs in Sweden, Holland, the U.K., Germany, Switzerland, Italy, Spain, Austria, Ireland, Malaysia, and Singapore. Two U.S.-based servers are also incorporated into the COST hierarchy. COST currently certifies only other CAs, including company CAs. In the future, they plan to offer certification services directly to individuals. COST has articulated three identity-assurance policies: Low Level Assurance, Medium Level Assurance, and High Level Assurance. COST maintains certificate revocation lists for the CAs which it currently certifies. Additionally, COST offers several sophisticated hardware and software products for use by CAs and subscribers, including a smart card-based digital signature system. [After the cut-off date for this Appendix, Sembawang Media of Singapore launched a CA pilot project based upon the COST hierarchy. This pilot effort does include the issuance of certificates directly to individuals. Representatives from COST report that other COST-hierarchy CAs are also issuing certificates to individuals, but such certificates are currently not accessible online.]

(ii) EuroSign (United Kingdom)

ACTIVELY issuing certificates to individuals

EuroSign is currently offering an "EasySign" certificate, which involves only the subscriber's self-certification of identity. No certificate-related services (i.e., revocation or validation) are available. EuroSign appears to be a recent start-up with limited resources.

(iii) GTE CyberTrust (Needham, MA USA)

NOT YET ACTIVELY issuing certificates to individuals

GTE CyberTrust plans to offer three different types of CA services. Under its SETsign program, GTE will provide CA services for credit card and other major card-issuing organizations that want to use the Secure Electronic Transaction (SET) protocol. GTE plans to provide SET-compliant certificate services for cardholders, merchants and banks. GTE's CYBERsign program is designed to provide public key certification for individuals at three different identity assurance levels: name-uniqueness only, trusted third party verification, and in-person verification. GTE's Virtual CA program will provide CA services for organizations that require CA capability but do not desire CA ownership responsibilities. [On Dec. 18, 1996 GTE CyberTrust announced that it has issued to Wells Fargo Bank the first operational digital certificates to comply with the SET protocol, and that it was providing Wells Fargo and participating merchants with a wide range of certificate management and support services.]

(iv) Nortel Entrust (Toronto, Canada)

ACTIVELY issuing certificates to individuals

Nortel is currently offering free "Entrust Demo Web Certificates" to the public. These X.509-compliant certificates use Nortel's proprietary public key technology and can be installed into certain web browsers. Nortel does not investigate the accuracy of identification information submitted by subscribers. The certificates carry a two-year expiration date; there are no procedures for revoking certificates. In addition, Nortel is offering free "no assurance" certificates for web servers. Nortel's focus appears to be on licensing its technology to other companies that engage in certification services, rather than on providing CA services itself. Nortel markets its Entrust products for use by others on private computer networks and on the Internet. [In January, 1997 Northern Telecom Limited spun-out the Entrust division into a separate company, Entrust Technologies.]

(v) Signet Systems (Brisbane, Australia)

ACTIVELY issuing certificates to individuals

Signet is involved with a pilot project associated with Australia's proposed National Public Key Authentication Framework (PKAF). Signet acts as a Policy Approval Authority (PAA), issuing certificates to customers and partners who further offer certification services. On July 1, 1997, Signet's PAA certificate will be revoked and replaced with the government-issued Policy and Root Registration Authority (PARRA) certificate envisioned by the PKAF. Additionally, Signet apparently is offering certificates directly to subscribers. The scope of certification-related services available online (i.e., certificate acceptance, revocation or validation) is unclear. Signet has articulated three increasingly rigorous policies under which it will issue certificates: personal, business, and legal/financial. Signet incorporates such policies into certificates via ASN.1 notation and ISO-registered object identifiers.

(vi) Thawte Certification Services (Durbanville, South Africa and Raleigh, NC USA)

NOT YET ACTIVELY issuing certificates to individuals

Thawte plans to offer three types of certificates, which it calls "Digital IDs." Basic Certificates will involve no identity assurance; Medium Certificates will involve "some documentation" in addition to self-certification of identity; and Strong Certificates will require personal presence at a Thawte office prior to issuance. Thawte had made Beta Test Certificates available for installation in the beta release of Netscape Navigator 3.0. Beta Test Certificates required only self-certification of identity, and no revocation or validation services were available. Thawte no longer offers beta certificates, however. Thawte's website promises that the full panoply of certificates will be available on November 15, 1996, but no certificates were available as of December 1, 1996. Thawte also plans to offer server certificates.

(vii) United States Postal Service (Washington, D.C. USA)

NOT YET ACTIVELY issuing certificates to individuals

As part of the General Services Administration's Federal Security Infrastructure Program, the United States Postal Service (USPS) intends to act as a CA for members of the public who wish to interact electronically with the U.S. government and others. Subscribers will present identification at a local Post Office and receive a "smart disk" (produced by Fischer International Systems) to use to generate encryption keys. In addition to sending encrypted and digitally-signed e-mail, subscribers will utilize a proprietary secure browser (made by Frontier Technologies) to communicate securely through the Web. The system will use the government's Data Encryption Standard and Digital Signature Standard. No certification services are currently available to the public.

(viii) VeriSign (Mountain View, CA USA)

ACTIVELY issuing certificates to individuals

VeriSign offers "Digital IDs" (certificates) to the public, for use in web browsers and S/MIME compliant e-mail applications. VeriSign plans to offer four classes of Digital IDs, each with different levels of assurance of a subscriber's identity. Classes 1 - 3 are intended for use by individuals; Class 4 is intended for business use and will certify an individual's relationship with an organization as well as certify that individual's identity. Currently Class 1 and Class 2 Digital IDs are available. Under a Class 1 Digital ID, an individual self-certifies his identity. Under Class 2 Digital IDs, an individual's self-Reported information is automatically verified against a consumer database maintained by Equifax. Certificates can be revoked, and the validity of certificates can be checked, via VeriSign's website. VeriSign also offers Digital IDs for web servers, which are used to identify and authenticate particular servers and to encrypt information passed between a server and a web browser.

(b) Non-Consumer-Oriented CAs.

(i) CertCo, LLC (New York, NY USA)

CertCo, which is affiliated with Bankers Trust, plans to issue certificates through banks and other financial institutions beginning in 1997. Little information is available about their planned services, but evidently CertCo intends to coordinate a consortium of companies, each with certificate authority status. Each company in the consortium will hold only part of the relevant root key, and each company will share in the liability risk associated with issuing certificates.

(ii) CivicLink (Chicago, IL USA)

CivicLink is a service which allows a user to access government records online. Currently some limited records from Prince George County, Maryland, Marion County, Indiana, and Los Angeles County, California are accessible. For Los Angeles County, limited electronic filing of court documents is possible. Electronic filing, available since May 1996, is accomplished using digital signatures or by fax via CivicLink. Ameritech Information Access (AIA), a joint venture of Ameritech and BC Systems Corporation (Canada), operates CivicLink and serves as a certification authority. Digital signatures created under this system are currently intended only for use in filing court documents with LA County. AIA indicates that they intend to expand the potential uses of their certificates.

(iii) Internet Commerce Group (Mountain View, CA USA)

Sun Microsystem's Internet Commerce Group offers Certification Authority services to customers of its SunScreen product line; the certificates are used primarily for access control. SunScreen is a turnkey security system comprised of hardware, software, and services, designed for complex commercial networks. Sun provides two certification services: SunCA (1024-bit certificates), and SunCAglobal (export-oriented 512-bit certificates). The self-signed public certificates of each of these CAs are published on the Internet Commerce Group's website. Certificate revocation lists, updated monthly, are also published on the website.

(iv) TradeWave TradeAuthority (Austin, TX USA)

TradeWave's TradeAuthority program performs certification services for customers of TradeWave's TradeVPI software system. TradeVPI allows businesses to set up "Virtual Private Internets" in order to utilize the public Internet to establish a secure private network. TradeAuthority is a self-certified online CA which issues certificates enabling users to access a particular VPI. Potential subscribers ask to become VPI members by filling out an online membership form using a proprietary TradeWave browser and submitting it to the TradeAuthority. The subscriber must then be approved by a designated Local Registration Agent (LRA) appointed by the VPI owner. The TradeAuthority then issues certificates to subscribers upon LRA approval. Certificates can be revoked by the LRA, and certificate revocation lists are updated daily. TradeAuthority uses public key technology licensed from Nortel Entrust.

3. CERTIFICATION AUTHORITY POLICIES.

(a) Subscriber Authentication Techniques.

Three active certification authorities (VeriSign, Nortel Entrust and EuroSign) offer certificates that do not authenticate a subscriber's identity. Certificates are issued based solely on unverified information submitted online by a subscriber. GTE CyberTrust and Thawte have indicated that they intend to issue this type of certificate as well. It is unclear whether Signet offers this type of certificate.

VeriSign also currently issues Class 2 certificates, for which VeriSign automatically compares information submitted by a subscriber against a database maintained by Equifax before issuing a certificate online. A criminal could still defeat this system by submitting information that matches an individual's information in the Equifax database. GTE CyberTrust indicates that it plans a similar third-party verification scheme for some of its certificates. No other CA currently offers a similar service.

VeriSign's planned Class 3 certificates will require submission of a notarized copy of a signed application, in addition to registering online. The notary is required to check and list three forms of identification documents, including at least one with a picture. VeriSign generally will not process applications that fail to comply with this requirement. VeriSign will not investigate or otherwise certify notaries.

Signet indicates that under its "Personal" policy, subscriber identity will be verified based only on information the subscriber submits on an application form. Under, Signet's "Business" policy, identity will be authenticated using various specified business documents. Authentication techniques under the "Legal" policy have not been publicly specified.

The USPS has indicated that it will require "a picture ID" before issuing encryption keys. No other CAs have publicly detailed the steps they intend to take in order to authenticate the identity of subscribers.

(b) Legal Relationship Between CA and Subscriber.

Three of the four CAs currently issuing certificates to individuals -- VeriSign, Signet and Nortel -- demand that subscribers manifest agreement to certain legal terms as a condition of accepting or using a certificate. EuroSign does not require assent to any legal terms as a precondition to obtaining a certificate. COST, while not currently offering certificates to individuals, had outlined some aspects of its approach to the CA/Subscriber legal relationship. GTE CyberTrust, Thawte, and the U.S. Postal Service have not publicly disclosed the legal terms under which they plan to offer their services, or the legal mechanisms they intend to use to implement such terms.

Nortel's legal agreement with subscribers is brief and straightforward. Prior to beginning the certificate-issuance process online, a potential subscriber is confronted with a web page containing two paragraphs of legal terms. The potential subscriber must click on a button marked "acknowledge" in order to proceed to the next step.

Signet's "Certification Authority Service Agreement" with subscribers is a ten page contract which resembles a commercial software license in language and format. Signet intends for subscribers to manifest assent to this contract by signing a paper document. The agreement specifies that it is governed by Australian law.

VeriSign's "Subscriber Agreement" is presented to potential subscribers during the online certificate application process in much the same fashion as Nortel's agreement. In addition to containing a number of significant legal terms, VeriSign's agreement incorporates VeriSign's Certification Practice Statement (CPS) by reference. The CPS is a lengthy (83 pages when printed) hypertext document which details VeriSign's certification practices and policies and contains numerous legally significant provisions.

(i) Warranties to Subscribers.

Nortel's agreement indicates that Nortel "accepts no responsibility or liability" arising from use of its demo certificates and indicates that the certificates contain unverified information. Otherwise, its agreement does not explicitly address the issue of warranties.

Signet's agreement states that Signet "will endeavor" to provide certification services in accordance with certain stated goals, which relate primarily to availability of online resources. Signet does appear to accept liability for failure to meet certain service goals, with damages set at a fixed amount. However, the agreement also notes that Signet "gives no warranty or guarantee in relation to the performance, features or compatibility of co-operating electronic certification products or services." Furthermore, the agreement states that, subject to some limitations, "all terms, conditions, warranties, undertakings, inducements or representations whether express, implied, statutory or otherwise relating in any way to the provision of the Certification Service or other obligations under this agreement will be excluded."

VeriSign's subscriber agreement states: "AS STATED IN THE CPS, [VERISIGN] DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE" (throughout this Appendix, capitalization in quotes mimics the original). VeriSign does offer certain limited warranties, detailed in twelve separate sections of the CPS. Among other things, VeriSign warrants that it will follow certain key management practices and that it will follow certain identification authentication procedures for each class of certificate.

COST also that indicates that it is willing to offer some warranties. Under its Medium Assurance Policy, COST states that it will accept some limited liability as to the validity of certificates and the correctness of identification information in certificates, under circumstances negotiated with customers. Under its High Level Assurance Policy, COST indicates that it accepts "full liability" as to validity and identification. The exact meaning of "full liability" is unclear and may have specific meaning under Swedish law. It is also unclear whether COST has issued any certificates to CAs under either of these policies (COST does not yet issue certificates to individuals).

(ii) Liability Limitations.

Concerning liability limitations, Nortel's agreement simply states that Nortel accepts no liability arising from the use of its certificates. Further, the agreement requires the subscriber to agree that to the following: "I will indemnify Nortel for any claim or liability arising from my misrepresenting myself to any third party."

Signet's agreement states that, with certain qualifications, "Signet will not be under any liability (including liability as to negligence) to the Customer or to any third party in respect of any loss or damage (including consequential loss or damage), however caused, which may be suffered or incurred or which may arise directly or indirectly as a result of or in connection with the provision of the Certification Services ...." In its description of its policies Signet suggests that liability levels will vary based on the relevant policy, but this is not currently reflected in its Service Agreement.

VeriSign's subscriber agreement states that VeriSign's CPS places limits on VeriSign's liability and that VeriSign refuses all liability for incidental, consequential and punitive damages. VeriSign's CPS also imposes dollar limits on damages of all types: liability for Class 1 certificates is capped at U.S. $100, for Class 2 certificates at U.S. $5,000, and for Class 3 certificates at U.S. $100,000. The liability caps are intended to apply to the aggregate liability arising from any particular certificate, regardless of how many transactions or parties utilized such certificate. If aggregate damages exceed the liability cap, the CPS states that the "available liability cap shall be apportioned first to the earliest claims to achieve final dispute resolution, unless otherwise ordered by a court of competent jurisdiction."

As discussed above, COST has indicated its willingness to accept limited liability under its Medium Assurance policy and "full liability" under its High Assurance policy. COST negotiates liability issues directly with customers and does not publicly release the details of its liability policies.

(iii) Subscriber Legal Duties.

As noted above, Nortel requires subscribers to indemnify Nortel. No other legal duties are expressly addressed in the Nortel agreement.

Under Signet's service agreement, a subscriber agrees to certain "customer responsibilities" such as "comply[ing] with all reasonable directions and instructions," agreeing not to use or permit others to use the "Certification Services" in order to commit a crime, and taking every reasonable precaution to avoid contaminating any software or hardware with any "'viruses,' 'worms,' or 'trojans.'" The subscriber also agrees to not disclose any of Signet's confidential information.

Signet's agreement also imposes indemnity obligations upon subscribers for any liability arising out of (a) the use of the Certification Service by the subscriber or anyone authorized to use the service by the subscriber, or (b) "any software or hardware contamination" resulting from the subscriber's use of the service.

Signet's agreement does not mention or discuss any duties a subscriber might have to keep a private key secure or to revoke a compromised key.

VeriSign's CPS attempts to impose a number of legal duties upon subscribers. These duties are sprinkled throughout the CPS, but some of the more significant duties are imposed in portions of Sections 7.2, 7.3, and 7.4:

[T]he subscriber certifies and agrees with the [Issuing Authority (IA)] and to all who reasonably rely on the information contained in the certificate that at the time of acceptance and throughout the operational period of the certificate, until notified otherwise by the subscriber,

(i) each digital signature created using the private key corresponding to the public key listed in the certificate is the digital signature of the subscriber and the certificate has been accepted and is operational (not expired, suspended or revoked) at the time the digital signature is created,

(ii) no unauthorized person has ever had access to the subscriber's private key,

(iii) all representations made by the subscriber to the IA regarding the information contained in the certificate are true,

(iv) all information contained in the certificate is true . . .

By accepting a certificate, the subscriber assumes a duty to retain control of the subscriber's private key, to use a trustworthy system, and to take reasonable precautions to prevent its loss, disclosure, modification, or unauthorized use. . . .

BY ACCEPTING A CERTIFICATE, THE SUBSCRIBER AGREES TO INDEMNIFY AND HOLD THE IA, VERISIGN, AND THEIR AGENT(S) AND CONTRACTORS HARMLESS FROM ANY ACTS OR OMISSIONS RESULTING IN LIABILITY, ANY LOSS OR DAMAGE, AND ANY SUITS AND EXPENSES OF ANY KIND, INCLUDING REASONABLE ATTORNEYS' FEES, THAT THE IA, VERISIGN, AND THEIR AGENTS AND CONTRACTORS MAY INCUR, THAT ARE CAUSED BY THE USE OR PUBLICATION OF A CERTIFICATE, AND THAT ARISES FROM (I) FALSEHOOD OR MISREPRESENTATION OF FACT BY THE SUBSCRIBER (OR A PERSON ACTING UPON INSTRUCTIONS FROM ANYONE AUTHORIZED BY THE SUBSCRIBER); (II) FAILURE BY THE SUBSCRIBER TO DISCLOSE A MATERIAL FACT, IF THE MISREPRESENTATION OR OMISSION WAS MADE NEGLIGENTLY OR WITH INTENT TO DECEIVE THE IA, VERISIGN, OR ANY PERSON RECEIVING OR RELYING ON THE CERTIFICATE; OR (III) FAILURE TO PROTECT THE SUBSCRIBER'S PRIVATE KEY, TO USE A TRUSTWORTHY SYSTEM, OR TO OTHERWISE TAKE THE PRECAUTIONS NECESSARY TO PREVENT THE COMPROMISE, LOSS, DISCLOSURE, MODIFICATION, OR UNAUTHORIZED USE OF THE SUBSCRIBER'S PUBLIC KEY.

(c) Legal Relationship Between the CA and Relying Non-Subscribers.

As discussed in detail in the Report, the nature of the legal relationship between relying third parties and CAs is difficult to analyze. Of the CAs who have publicly addressed the legal questions surrounding certification services, only VeriSign and Signet have directly tackled this particular issue. VeriSign attempts to establish a contractual relationship with relying parties in three different ways. First, when a relying party checks the status of a VeriSign certificate, a statement is inserted just above the online "submit" button: "By submitting this query, I agree to be bound by VeriSign's CPS." Similarly, when one searches the VeriSign site for a particular certificate, the same statement is expressed just above the "submit" button. Additionally, VeriSign certificates have the following information in one field:

www.verisign.com/repository/CPS Incorp. by Ref., LIAB. LTD(c)96

It is unclear whether a binding contract can be formed in such a fashion, particularly in light of the sheer volume of the CPS.

Signet intends to establish direct contractual relationships with relying third parties. Signet's view is that accessing a certificate revocation list (CRL) is an integral part of the process of utilizing a certificate. Third parties who wish to rely on a certificate will enter into a "service agreement" with Signet prior to accessing Signet's CRL. This service agreement will be similar or identical to the service agreement signed by subscribers. Signet expects that Australian legislation will provide that parties who rely on certificates without checking CRLs will bear any resulting loss.

No other CA explicitly attempts to create a contractual relationship with relying parties.

(i) Warranties to Relying Third Parties.

If VeriSign forms a contract with relying third parties with the CPS as the contract terms, then the relying party could take advantage of the limited warranties VeriSign offers (described above) but would also be subject to the warranty disclaimers made in the CPS.

Similarly, relying third parties who enter into a service agreement with Signet will benefit from any warranties provided in the contract, but will also be subject to contractual disclaimers of warranties.

Nortel's legal agreement does not address this issue.

(ii) Liability Limitations.

As with warranty disclaimers, if VeriSign forms a contract based upon the CPS with relying third parties, then the liability limitations stated in the CPS would be implicated. If the VeriSign/relying third party relationship is not governed by contract, then, as discussed in the Report, only statutorily-imposed limitations of liability would apply.

Signet's relationship with relying third parties will be governed by a traditional contract; presumably any liability limitations in the contract will be enforceable, subject to the provisions of general contract law.

As noted above, both VeriSign and Signet do attempt to limit by contract their liability to third parties through indemnification and by requiring a subscriber to make express representations or warranties as part of a subscriber agreement. If enforceable against parties with sufficient assets, these clauses could shift liability to a subscriber under specified circumstances.

(iii) Legal Duties.

The VeriSign CPS imposes few or no legal duties on relying third parties.

Signet's service contract with relying parties will presumably impose similar duties on third parties as it does on subscribers (see Section 3(b)(iii) above). Additionally, Signet expects that Australian legislation will impose certain duties on relying third parties, such as a duty to check the relevant CRL.

No other CA attempts to impose legal duties on relying non-subscribers.

(d) Key Management Techniques.

A detailed analysis of the complex technical issues related to key management is not attempted here. Rather, certain key management practices of current CAs will be briefly discussed in an effort to highlight potentially significant legal issues.

(i) Key Generation.

Most of the currently-operating CAs rely on browser software to generate key pairs. A subscriber generates a key pair on its own computer using the browser software and transmits the public key to the CA. Thus, the CA never controls the subscriber's private key. In contrast, the USPS plans to issue subscribers a "smart disk" with which they would generate encryption keys.

(ii) Key Revocation and Validation.

VeriSign is the only CA which currently offers online key revocation and validation. COST publishes a CRL on its site, but does not publish formal revocation policies.

(iii) Root Key Authenticity and Security.

All currently-operating CAs are self-certified. VeriSign is the only CA that has gone to significant lengths to establish the authenticity of its public key. In March of 1996, VeriSign held a well-publicized "key ceremony" that was "designed to provide irrefutable evidence of VeriSign's secure technical and procedural infrastructure," according to a VeriSign press release. No other CA has publicly revealed its security standards; all appear to rely solely on their reputation to establish the authenticity of their self-published keys. The remaining CAs apparently publish their own public key exclusively on their websites.