The Role Of Certification Authorities In Consumer Transactions

2. INTRODUCTION.

(a) Summary of the Problem.

{2.1} Despite its impressive size, scope and reach, the Internet has not yet become a predominant vehicle for consumer transactions. In part, consumers are reticent to use the Internet for commercial transactions due to perceived and actual security threats online. Merchants also have reasons to be concerned about online commerce -- the integrity, authenticity and nonrepudiability of electronic messages are not automatically ensured.

{2.2} One possible way to improve the integrity, authenticity and nonrepudiability of electronic messages is to develop a robust public key infrastructure ("PKI," also referred to as Public Key Authentication Framework) -- and in particular, foster the use of digital signatures in commerce. Appendix 6 to this Report serves as a brief primer on digital signatures, certificates, and public key cryptography; we suggest that readers who are not familiar with these concepts review this Appendix prior to reading this Report.

{2.3} One difficult problem encountered when using digital signatures is ensuring that the identity of a person who holds an encryption key pair is accurately known. Trusted third parties called Certification Authorities ("CAs", sometimes referred to as "intermediate systems" or "certifiers") offer a way to confirm that a public key belongs to the claimed owner. The CA does this by issuing a certificate which associates an individual with a particular public encryption key.

(b) Focus of this Report.

{2.4} This Report addresses the use of certificates in consumer transactions, and thus does not explore the issues raised by the use of certificates in a business-to-business setting. Even within the framework of consumer transactions, however, the scope of this Report is limited. The issues implicated by digital certificates are extensive and complex, and certificates are being used in increasingly novel and imaginative ways. We briefly highlight some of the issues we have not addressed, and some of the major assumptions we have made, in Appendix 1, and readers will benefit by reviewing that Appendix prior to reading the main body of this Report.

{2.5} This Report focuses largely on what might be called the "open system" or "open loop" model. The open system model assumes that consumers will obtain a single "identity" certificate from an independent third-party CA and then use that certificate to facilitate transactions with potentially many different merchants.

{2.6} There are several reasons why we focused on the open system model:

{2.7} First, the open system model raises some extraordinarily difficult, and perhaps unprecedented, legal and policy questions regarding the rules that will govern a complex set of interrelationships between parties. By way of contrast, in closed systems, the relationships between the relevant parties may be governed by contract law and/or existing payment system legislation and regulation--both relatively well-understood and predictable frameworks for analyses. However, if the applicable contract law or other laws fails in the closed system model, the default rules likely to apply are those discussed with respect to the open system model.

{2.8} Second, nearly all legal efforts to date which address PKI issues implicitly assume an open system model. The "digital signature" laws that have been enacted to date in the United States are largely aimed at promoting development of a PKI based on this independent third-party CA model. Similarly, U.S. government efforts at promoting the development of a PKI assume an open system model, as do the Digital Signature Guidelines published by the Information Security Committee of the American Bar Association's Section of Science and Technology. References to these documents are available in Appendix 5.

{2.9} Third, this project was initially conceived in Spring 1996. At that time, it appeared that industry efforts were being primarily directed towards developing open systems and therefore that open systems were going to be the prevailing business model. In fact, in the period during which this Report was written, the open system model has appeared to become an increasingly less viable business model. Instead, we believe that many consumer transactions which utilize certificates will occur in a "closed system" or "closed loop" model. A definition of closed systems and further discussion about the differences between closed and open systems can be found in Appendix 2. Closed systems primarily fall into two categories: systems where a payment mechanism serves to "close the loop" by forming contractual agreements with the relevant parties, and systems where certificates are used as an access control device to meter out usage of intellectual property or to limit access to proprietary resources.

{2.10} Despite our growing doubt over the desirability and viability of the open system model in the context of consumer transactions, this Report focuses on some of the difficult legal and policy questions raised by this model. We do interject discussion of closed systems where we believe such discussion is illuminating. Furthermore, because the lines between the models we have identified are blurry, and because new business models continue to evolve in the marketplace, we believe that some of our discussion concerning open system models will also be applicable in other contexts.

{2.11} This Report attempts to identify certain issues that are relevant to both entities participating in an open system-oriented PKI and to policymakers interested in shaping the continuing development of such an infrastructure. These issues include:

• {2.12} What practices should be expected of a CA in connection with that CA's relationship with consumers who are the CA's customers? What limitations, if any, should be placed on that CA's ability to disclaim liability for failure to adequately perform these practices?
• {2.13} What practices should be expected of consumers of CA services? Should potential liability for failure to perform these practices be limited in any fashion?
• {2.14} What practices should be expected of merchants who rely on certificates issued by a CA? What legal relationship should a CA have to merchants who rely on a certificate but who have no other connection with the CA? Should a CA's potential liability to merchants be limited in any fashion? What mechanisms could potentially be used to limit liability?
• {2.15} Which party in the relationship (CA, consumer, or merchant) is best able to assess and price against the risk of loss?

(c) Goal of this Report

{2.16} This Report is intended to be a concise, non-comprehensive summary and analysis of the emerging legal rules and business practices regarding CAs serving consumers in an open system. If successful, this Report will serve as a building block for further analysis of the issues and for the ultimate development of a set of legal and policy guidelines that may be consulted by both the public and private sectors.

{2.17} Ultimately, this Report will be most helpful if it contributes to the process of developing sensible, uniform and predictable rules in this area. As noted throughout the Report, there is a strong likelihood that the participants in a PKI will be confronted by a patchwork quilt of unpredictable rules, making compliance -- and even the process of analyzing rules with a view towards compliance -- difficult. The lack of uniform and predictable rules is a major deterrent to the development of a PKI and the participation by a substantial number of players. We view the development of clear and predictable rules as an essential step in the development of a robust electronic marketplace.

{2.18} This Report omits footnoting to enhance its readability by a wide range of audiences. Supplementary resources are listed in Appendix 5.

{2.19} While the members of the Working Group all have a commercial interest in the development of electronic commerce through a PKI, this Report has deliberately attempted to avoid favoring, evaluating or endorsing any particular standards, vendor, product or business model. CAs and working group members have been invited to submit their own written comments to this Report. Any comments that were received are attached as Appendix 9.

{2.20} This Report is for informational purposes only and is not intended to form an attorney-client relationship. Readers should seek professional legal counsel for advice regarding their specific situation.

{2.21} In total, this Report consists of this document and the following appendices:

Appendix 1: Scope and Assumptions of the Drafters of this Report.

Appendix 2: Analysis of Open vs. Closed Systems

Appendix 3: Survey of Laws Relating to Digital Signatures

Appendix 4: Comparison of Current Business Practices of Selected Existing CAs (including a list of known CAs).

Appendix 5 Bibliography of Selected Resources About Digital Signatures and CAs, including a list of passed and pending digital signature legislation and the location for obtaining electronic versions of some legal resources referenced in this Report.

Appendix 6: Description of Digital Signatures

Appendix 7: Analysis of existing CAs' compliance with existing legal systems (Note: this appendix is merely the structure for this analysis.)

Appendix 8: Terms of Reference and Work Plan for the Working Group.

Appendix 9: Written comments submitted by CAs and working group members.

{2.22} As a pilot project of the ILPF, this Report by necessity does not address or analyze all of the interesting or difficult questions related to CAs. The Working Group believes that additional work should be done in this area to address these questions.