The Role Of Certification Authorities In Consumer Transactions
5. Next Steps.
{5.1} This Report was undertaken as a "pilot project"
of the Internet Law & Policy Forum; by its own terms of reference,
the Report was limited in scope and not intended as a comprehensive
discussion or treatment with respect to the role of certification
authorities in open market consumer transactions under all legal
systems. At the same time, in addition to a more comprehensive
review of those systems, this Report has identified specific areas
for action, through the venue of the Forum or other processes,
which are recommended for consideration:
{5.2} (a) Development of a clear definition of the distinction
in legal analysis required between open systems and closed systems,
where the parties are all putatively bound to each other by contract,
including analysis of how loss allocations should be made in a
closed system.
{5.3} (b) Representative analysis of other legal systems, particularly
those of emerging nations, regarding similar topics of law that
might affect cross-border consumer transactions.
{5.4} (c) Completion of the analysis of the extent to which existing
CAs are complying with the legal systems being enacted.
{5.5} (d) Analysis of the interplay between overlapping legal
doctrines in a single jurisdiction.
{5.6} (e) Standards for CAs' treatment of confidential or private
consumer information.
{5.7} (f) Extension of the analysis to other uses of certificates,
such as in commercial transactions between merchants or as an
access control device.
{5.8} (g) Analysis of whether existing legislative schemes resolve
the legal ambiguities existing under current law.
{5.9} (h) Analysis of how loss allocations should be made in the
situations where the merchant delivers a certificate to the consumer.
{5.10} (i) Development of standards about what qualifies as a
trustworthy system as used by CAs, particularly to address key
management by CAs and the CA's duties if it discovers its private
key has been determined by third parties.
{5.11} (j) Development of standards for administrative duties
of CAs, such as employee hiring and management, recordkeeping,
bonding and insurance and other ministerial functions.
{5.12} (k) Analysis of liabilities of third party providers to
CAs (particularly notaries, timestampers, PKI hardware and software
providers and other integral players in the process).
{5.13} (l) Analysis of the effect of payment companies on the
loss allocations between CAs, merchants and consumers.
{5.14} (m) Allocations of loss when more than one party in a PKI
acts unreasonably.
{5.15} (n) Effect of charges for accessing CRLs on the rights
and responsibilities of the parties.
{5.16} (o) Ability of third party hardware and software providers
to disclaim liability or warranties when providing resources used
in a PKI.
{5.17} (p) Establishment of appropriate dollar values and rules
to cap consumer liability for acting unreasonably.
Exhibit A
Certification Authorities and Related Parties Invited to Participate:
CertCo
CommerceNet
COST Computer Security Technologies
DBS/Denmark
DFN-CERT and DFN-PCA, Universität Hamburg, FB Informatik
Entegrity Solutions
GTE
Harbinger Corporation
IBM
Institut Jozef Stefan
MarketNet
Nortel Secure Networks
PGP
Signet Systems
SPYRUS
Sun Microsystems
Thawte Consulting
UNINETT
US Postal Service
VeriSign, Inc.
Parties that Provided Comments to this Report:
CertCo
COST Computer Security Technologies
GTE
IBM
Institut Jozef Stefan
MarketNet
Nortel Secure Networks
Signet Systems
SPYRUS
US Postal Service