An Attorney's Roadmap to the Digital Signature Guidelines By Charles R. Merrill, Esq. McCarter & English, Newark, N.J. July 24, 1996 At the American Bar Association's national convention in Orlando Florida the first week in August, 1996, the ABA Section of Science and Technology will unveil the long-awaited Digital Signature Guidelines , a 99-page book written by the Information Security Committee within the Electronic Commerce and Information Technology Division of the Section. The Information Security Committee is chaired by information security legal guru Michael S. Baum, Esq. (Now of VeriSign, Inc.), and is a rare but fruitful collaboration of experts from two professions: the legal profession and the computer security profession. Over the course of almost four years, the Committee has benefited from the joint efforts and varied views of more than seventy volunteers from all over the world, in dozens of meetings held in the U.S. and Canada, with drafting and debate focused between meetings by e-mail and a passworded "intranet" portion of the Section's website at http://www.intermarket.com/ecl . In addition, approximately 3400 copies of the preliminary October 5, 1995 discussion draft of the Guidelines were downloaded from the Section's Website by interested parties, which resulted in hundreds of worldwide computer industry comments reflected in the Guidelines as finally published. Secure Electronic Commerce in Open Systems The Guidelines focus on the incredible challenge of providing secure electronic commerce on open communications systems such as the World Wide Web on the Internet. The Internet beckons with enormous commercial opportunity for both sales and payment functionality, but there is a dark side. Reflecting the potential anonymity of the Web and the ability to spoof both identity and address on the Internet, The New Yorker cartoon reminds us, "On the Internet, they can't tell you're a dog." This security weakness is compounded by the enhanced vulnerability of Internet message packets to undetectable interception, reading and modification by sophisticated hackers, because the TCP/IP Protocol (transfer control protocol/Internet protocol) used by the Internet uses a dynamic, virtual circuit to ooze the message to its intended destination, rather than the switched circuit of the attorney-friendly POTS (plain old telephone service) carried by traditional landline telephone lines. If the hyped lure of electronic commerce continues to lure increased volume of dollars and transactions to an insecure Internet, we are likely to see the Willie Sutton Syndrome in action. ("Why do you rob banks, Willie?" "Because the money is there.") Nonrepudiation in the Technical and Legal Sense These security weaknesses, using merely the technical terminology of the computer security profession, boil down to a failure of the system to deliver the security services known as confidentiality, signer authentication (sometimes called authentication of origin), and document authentication (sometimes called authentication of document integrity). Confidentiality is relatively easy for attorneys to understand because of their familiarity with ethical obligations to preserve confidentiality, but understanding the two authentication security services is a little more difficult for the average non-technical attorney. Continuing with traditional technical terminology, that of the ISO (International Standards Organization), the successful delivery of the security services of both signer authentication and document authentication is referred to as nonrepudiation - a system which prevents a party from falsely denying the sending of a message, and the contents of the message sent. For example, assume Alice sends an Internet e-mail message to Bob, saying "Buy 100 shs of Netscape for my account. Regards, Alice." Nonrepudiation is said to exist if Alice is unable to (a) deny that she sent the message; and (b) claim that the message she sent used the word "Sell" instead of "Buy". We attorneys are trained to look for factual chinks in the technologist's oversimplified, binary view of nonrepudiation as "nonrepudiation -- yes or no." Instead, attorneys might view the question of nonrepudiation in a more analog fashion, assembling pieces of evidence and legal arguments in favor or against the ultimate legal conclusion of nonrepudiation, which can be reached only by the ultimate authority for binding resolution of disputes, such as a jury, judge, mediator or other alternative dispute resolution mechanism, after all appeals have been exhausted. Guideline 1.20, the definition of nonrepudiation, squarely adopts the legal rather than the technical view of nonrepudiation, one of the important themes of the Guidelines in their quest for secure electronic commerce. What's a Digital Signature? The Guidelines begin with a 15-page Tutorial, complete with diagrams, designed to introduce lawyers to technical issues related to public key cryptographic techniques, and to introduce technical computer security professionals to legal issues such as the legal enforceability and binding effect of a signature. This symbiotic educational relationship between the two professions is another important theme of the Guidelines. Unquestionably communication difficulties made the project more difficult and frustrating, but the Committee believes that the result was worth the extra effort. Following this paper is a copy of "A Cryptography Primer" written by the author as Chapter 2 of the Computer Law Association's The Internet and Business: a Lawyer's Guide to the Emerging Legal Issues (Joseph F. Ruh, Jr., ed., 1996). The Primer introduces some of the technical issues treated more thoroughly and systematically in the Guidelines Tutorial as well in the text and commentary of its 50-odd Guidelines. This is the technology in a nutshell: Public key cryptography (sometimes called an asymmetric cryptosystem, Guideline 1.3) uses two separate but mathematically related keys - a key pair (Guideline 1.17). If either key is used to transform data into unintelligible form, the other key is used to restore it to its original form. One key is called the private key (Guideline 1.24) and is kept secret by its holder. The other key is called the public key (Guideline 1.25) and is made publicly available. It is computationally unfeasible to derive the private key merely from knowledge of the public key. Using software, the signer of a message (Guideline 1.18) (this means a computer-based record rather than a paper-based record under the Guidelines) will use the sender's private key and a hash function (Guideline 1.12) to transform the message into a digital signature (Guideline 1.11). A party receiving the digital signature in a position to rely upon it (relying party, Guideline 1.27) will seek to verify (Guideline 1.37) the digital signature by using the sender's public key, to determine whether the digital signature was created by the private key corresponding (Guideline 1.10) to this public key, and further that the message was not altered since the time it was digitally signed. The Certification Authority: Binding Identity and Public Key It is important to note that the verification process as described in the preceding paragraph only determines that the private key corresponding to the public key used by the relying party was used to sign the message. It does not yet say anything about who actually signed the message, or who is legally bound by the message. To complete the chain of inference, it is necessary to bind the purported sender's identity to the sender's public key, so that Bob the relying party has reason to believe that public key used to verify Alice's digital signature is in fact the public key of Alice, and not the public key of an imposter which the imposter uses to spoof the public key of Alice. Under the Guidelines, the job of binding the identity of Alice to Alice's public key is handled by a certification authority (Guideline 1.6), a trusted third party which issues a certificate (Guideline 1.5) to a subscriber (Guideline 1.31). The certification authority publishes a certification practice statement (Guideline 1.8) generally setting forth statements of its practices and procedures and disclosures of the respective legal rights of the three parties controlled by the certificate and the certification practice statement, namely the certification authority, the subscriber who contract with a certification authority, and a relying party who is most likely not in privity of contract with the certification authority. In accordance with the certification practice statement, the subscriber and certification authority undertake an application/approval/issuance/acceptance procedure (Guidelines 1.1 and 1.16) pursuant to which the certification authority or its delegate (the delegate might be a notary public or latin notaire, for example) satisfies itself through traditional identification procedures that the applicant for Alice's public key is Alice. The certification authority then issues a digital certificate to this effect which the certification authority digitally signs, and once the certificate has been accepted (expressly or impliedly) by the subscriber, publishes the certificate in an online repository or otherwise makes it available to Alice and/or to potentially relying parties. Reaching a Legal Conclusion Once this is done, the relying party now is in a position to verify the digital signature of Alice pursuant to Guideline 1.37, which provides: "In relation to a given digital signature, message, and public key, to determine accurately: (1) that the digital signature was created during the operational period of a valid certificate by the private key corresponding to the public key listed in the certificate; and (2) the message has not been altered since its digital signature was created." The verification process leads to these legal conclusions, among others: A message bearing a digital signature verified by the public key listed in a valid certificate is as valid, effective, and as enforceable as if the message had been written on paper. (Guideline 5.1) Where a rule of law requires a signature, or provides for certain consequences in the absence of a signature, that rule is satisfied by a digital signature which is (1) affixed by the signer with the intention of signing the message, and (2) verified by reference to the public key listed in a valid certificate. (Guideline 5.2) In resolving a dispute involving a digital signature, it is rebuttably presumed that . . . (2) a digital signature verified by reference to the public key listed in a valid certificate is the digital signature of the subscriber listed in that certificate. . . . (Guideline 5.6) Mr. Merrill (merrill@mccarter.com) chairs the Computer and High-Tech Law practice group at 200-attorney McCarter & English in Newark, New Jersey. In addition to serving as co-Reporter of the Digital Signature Guidelines, he serves as national moderator of the Lexis Counsel Connect topical forum, "E-Mail/E-Commerce", and is a frequent speaker and writer in the field of electronic commerce. Copyright 1995, 1996 American Bar Association. All rights reserved. ISBN 1-57073-250-7. Available through Service Center, American Bar Association, 750 North Lake Shore Drive, Chicago, IL 60611-4497, Fax: 312-988-5568 (US$44.95 for Section of Science and Technology Members, $49.95 for non-Members, plus applicable sales tax, plus handling $4.95 for one copy, $5.95 for two or more copies. VISA, MasterCard and AmEx accepted). The views expressed by the Information Security Committee in the Digital Signature Guidelines have not been approved by the Council of the Section of Science and Technology, the House of Delegates or the Board of Governors of the American Bar Association, and, accordingly, should not be construed as representing the policy of the American Bar Association. The views expressed in this paper have not been approved by any of such organizations and are the personal views of the author. The Co-Reporters of the Digital Signature Guidelines project are : Alan Asay, Esq. (Formerly of the State of Utah, and now of CertCo, Inc.) 1993-95; Charles R. Merrill, Esq. (McCarter & English, Newark, NJ) and Joseph P. Wackerman, Esq. (Corporate Law Department, U.S. Postal Service) both 1996-present. In addition to Chairman Baum (1993-present) and Vice-Chair Ruven Schwartz, Esq. (West Publishing Company) (1996-present) and the Co-Reporters, the Editorial Subcommittee of the Committee has included Ted Barassi, Esq. (Formerly of US Council for International Business, now of CertCo)1996-present; Charles J. Miller, Esq. (Attorney, San Francisco) 1993-95; Randy Sabett, (Spyrus, Inc.)1996-present; and Frank Sudia (formerly Banker's Trust Co., now of CertCo) 1993-95. Rick Hornbeck (a recent law graduate, of Digital Commerce Services) has served as Webmeister of the Section Website and the password Intranet site of the Committee from 1994 to the present. Three seminar panels will be presented in Fall 1996: Sep 9 in New York (Practicing Law Institute) Oct 3 in New York (Natl Law Journal Seminars) Oct 22 in Bethesda (NIST annual conference on the Internet) Text from Charles R. Merrill (MERRILL+aME3%McCarter_&_English@mcimail.com) Converted to HTML by Deane Merrill 7/31/96 http://cedr.lbl.gov/mdocs/digsig.html 7/31/96