The Role Of Certification Authorities In Consumer Transactions

1. EXECUTIVE SUMMARY.

{1.1} This Report represents a preliminary analysis of certain questions relating to legal issues involved in the emerging service business of certification authorities, particularly those arising in consumer transactions. The scope of this Report has been limited intentionally to focus on the selected legal environment in the United States, although additional information has been provided on German law, the directives of the European Commission and laws in other jurisdictions. In addition, this Report only addresses consumer transactions taking place in an "open system," where a CA provides services to any consumer desiring services without regard to the contractual obligations between the consumer or the merchant and any payment system. As a "pilot" project of the Forum, a more comprehensive analysis, though appropriate, was not within the scope of available resources.

{1.2} This Report analyzes the complicated relationships between CAs, merchants and consumers. In the absence of specific "digital signature legislation," existing legal principles indicate that:

* As between CAs and consumers who procure a digital certificate, the relationship is likely to be governed by existing contract laws. In particular, we believe that digital certificates will be treated as a service, not a good, and therefore the common law is likely to apply (instead of the Uniform Commercial Code or other rules covering "goods"). However, there are a number of reasons that the contracts formed between CAs and consumers will not completely resolve the matters that could arise from the relationship, and default rules will be needed.

* As between CAs and merchants who receive the digital certificate from consumers, the CA/merchant relationship is likely to be governed by existing tort law, not contract law. In particular, the "negligent misrepresentation" tort is likely to provide the most applicable set of rules to govern the CAs' liability to merchants if the digital certificate is incorrect.

{1.3} Within this context, we believe that a party's liability for losses arising from this structure should generally be connected to whether or not the party acted reasonably. As a result, generally if one of the parties acts unreasonably and the other parties act reasonably, the party acting unreasonably should bear the resultant loss. However, if all parties act reasonably and yet a loss is suffered, we believe that loss should be borne by the merchant. Further, if the consumer acts unreasonably, we believe that consideration should be given to limiting the consumer's losses, and any losses not covered by the consumer would then by borne by the merchant. In both cases, the merchant may be in the best position to take the necessary efforts to avoid the loss or, alternatively, to insure or otherwise spread the loss among all consumers.

{1.4} This Report provides some suggested parameters on what behavior should be categorized as reasonable. As with other issues raised by this Report, additional study should be done on these parameters.