Post on 21-Dec-2015
transcript
Encryption, Digital Signatures & Trust
Acc680, Jim Nellegar
Notaries Public – Lost in Cyberspace or key business professionals of the future?
A Proposed Code of Professional Responsibility for Certification Authorities
Legal and Technological Infrastructures for Electronic Payment Systems
The John Marshall Law School (1997)
Notaries Public: Lost in Cyberspace or key business professionals of the future?
Michael L. Closen, Professor of Law, J.D.
R. Jason Richards, Law Student
Focus:
* Notary’s status in the U.S. and remediation through cybernotaries
* Similarities between the notary profession and that of Certification Authorities (a.k.a. cybernotaries)
* Barriers
* Recommendations to implement
Authority of Notaries
* Administer oaths
* Attest to authenticity of signatures on documents
* Weddings, abandoned deposit boxes, produce certified copies
Liability of Notaries
* Negligent, reckless or willful conduct
* Not guarantors
* Not liable when acting in good faith
“I have but one lamp by which my feet are guided, and that is the lamp of experience. I know no way of judging of the future but by the past.”
- Patrick Henry (1775)
Status of Notaries in the U.S.
* Prestige not equivalent to other countries
* Few qualifications (education, background)
* Proliferation (4.5m) diminishes importance
* Clerical task requiring minimal fee
* Test is nominal, few continuing education programs
* Sound notarial practices not promulgated
* No records (journal or logs) required
* Little legislative recognition of notaries’ financial risk
* No formal code of ethics
…which contrasts with the value of the transactions effected
Advantages of Cybernotarization
* Cost-effective:
  - No need to personally appear
  - 24-hour availability
* Gery (Verification of signature)
* Cybernotaries can be entities
* Notaries & cybernotaries can coexist
Barriers to implementation
* Significantly higher costs (systems, software, training)
* Higher risk/exposure to litigation & defense costs
* Continued desire to use paper
* Inadequate “model” legislation
* System only as good as security over keys
Shortcomings of Utah Model Legislation
* Recommends asymmetric systems only
* Law only requires “reasonable care” in controlling keys
* No qualification for cybernotaries (age, experience, training)
* No testing requirement (technological, legal, ethical, statutory procedures, liability)
* Felonies preclude practice, not civil convictions (fraud)
* Financial liability not identified (only “reliance limits”); surety bond limits & liability insurance not included
* No record maintenance requirement
* Does not address inter-state transactions
* Shortcomings propagate: many other states have used the Utah legislation as a model
Asymmetric Digital Signature Verification
* Using a software program, the sender encrypts the document using a "private" key
* The software places a "signature" into the document; the result is a string of digits representing the document and a code produced by the signer
* The string of digits representing the document and the signature is sent to the cybernotary’s (certification authority’s) repository. The repository also holds the public key held by the intended recipient
* The cybernotary determines whether the sender’s private key as sent matches the public key of the recipient
* If the private key and public key match, the cybernotary issues a certificate of authenticity
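The exchange summarized above, as an added example that is not part of the original slides or of the Closen & Richards paper. It shows the exchange as asymmetric signatures are actually implemented: the signer signs a SHA-256 digest of the document with a private key that never leaves the signer, and the cybernotary’s repository, which holds the signer’s public key, checks the signature with that public key. It also shows the three ways the check fails: a document altered after signing, a signature made with someone else’s private key, and a key the repository has revoked after the private key was reported compromised (the “system only as good as security over keys” barrier). Go’s standard-library ECDSA over P-256 is used; the Repository type, the names alice and mallory, and the sample contract text are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Repository models the cybernotary's (certification authority's) store of
// subscriber public keys. Constructed for this example; it stands in for the
// certificate repository the slide describes.
type Repository struct {
	keys    map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

func NewRepository() *Repository {
	return &Repository{keys: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}}
}

// Register records a subscriber's public key. A real CA performs its identity
// checks here, before issuing a certificate that binds the name to the key.
func (r *Repository) Register(name string, pub *ecdsa.PublicKey) {
	r.keys[name] = pub
	delete(r.revoked, name)
}

// Revoke marks a subscriber's key as no longer trusted, for example after the
// private key is reported compromised.
func (r *Repository) Revoke(name string) { r.revoked[name] = true }

// GenerateKey creates a P-256 key pair; the private half stays with the signer.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the document and signs the digest with the signer's private key.
// Only the signature (a string of digits derived from the document) travels.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify looks up the claimed signer's public key and checks the signature
// against the document's digest. A nil result means the signature is authentic
// and the key has not been revoked.
func (r *Repository) Verify(signer string, doc, sig []byte) error {
	pub, ok := r.keys[signer]
	if !ok {
		return errors.New("no public key on file for " + signer)
	}
	if r.revoked[signer] {
		return errors.New("key for " + signer + " has been revoked")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under " + signer + "'s public key")
	}
	return nil
}

// Outcome records which checks behaved as expected in Demo.
type Outcome struct {
	GenuineAccepted  bool
	TamperedRejected bool
	ImpostorRejected bool
	RevokedRejected  bool
}

// Demo runs the exchange end to end with constructed sample data.
func Demo() (Outcome, error) {
	var out Outcome
	repo := NewRepository()
	alice, err := GenerateKey()
	if err != nil {
		return out, err
	}
	mallory, err := GenerateKey() // a second party who does not hold alice's private key
	if err != nil {
		return out, err
	}
	repo.Register("alice", &alice.PublicKey)

	doc := []byte("Constructed sample: Alice agrees to deliver 100 units on 2016-01-15.")
	sig, err := Sign(alice, doc)
	if err != nil {
		return out, err
	}
	out.GenuineAccepted = repo.Verify("alice", doc, sig) == nil

	tampered := []byte("Constructed sample: Alice agrees to deliver 1000 units on 2016-01-15.")
	out.TamperedRejected = repo.Verify("alice", tampered, sig) != nil

	forged, err := Sign(mallory, doc) // signed with the wrong private key
	if err != nil {
		return out, err
	}
	out.ImpostorRejected = repo.Verify("alice", doc, forged) != nil

	repo.Revoke("alice") // private key reported compromised
	out.RevokedRejected = repo.Verify("alice", doc, sig) != nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Note that the repository never sees a private key: what it stores is the public half, and what it evaluates is the signature. That is why the revocation step matters; once a private key is exposed, every signature it produces is indistinguishable from the subscriber’s own, and only the repository’s revocation record can stop a relying party from accepting them.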
Recommendations (Corrective & Implementive)
* Federal legislation be written to address shortcomings
* Cybernotaries should understand that parties are financially responsible and legally enforceable
* …the role of CA be “undertaken exclusively by attorneys.”
Conclusion:
I am not an advocate for frequent changes in laws and institutions. But laws and institutions must go hand-in-hand with the progress of the human mind. As that becomes more developed, more enlightened, as new discoveries are made, new truths discovered and manners and opinions change, with change of circumstances, institutions must advance also to keep pace with the times.
- Thomas Jefferson (1816)
John Marshall Journal of Computer & Information Law
A Proposed Code of Professional Responsibility for Certification Authorities
Dina Atanasopoulos-Arvanitakis
Marilynn J. Dye
Focus:
Propose guidance to CA’s where laws or directives are silent.
Background
* Role of the CA will take on added importance in a “paperless society”
* CA will be a position of public trust demanding extensive skill and understanding of trusted systems
* Standards do not carry force of law
* CODE = 10 Guiding Principles (composed of Directives)
* Designed with model acts in mind; harmonization with (more rigid) notary standards in other countries
Guiding Principle I
The CA shall be a licensed attorney
- Notary should be able to substantiate validity of contract
The CA shall be licensed in information technology
- Qualified to act per specialization rules by ABA
- No American “license” to date
The CA shall update and continue his education in IT
- Recommend establishing governing body to ID mandatory programs
- Recommend 20 hours per year
The CA shall be competent at all times
- Refer or recuse
Guiding Principle II
The CA has international jurisdiction
- Addresses fact that Internet activities transcend boundaries
The CA shall be commissioned in every state
- Reciprocity
The CA shall pass an international notary exam
- If candidate wishes to issue certificates for international business
- Structure similar to the U.S. International Patent Bar
Guiding Principle III
The CA shall be a public official
- Notaries are in the position of a public officer
The CA shall be a fiduciary
- Acknowledges cybernotary has a public trust (sans contract)
The CA shall be a fiduciary to his/her subscriber & 3rd parties
- Acknowledges cybernotary’s duties to sender/recipient as provided by contract or law
Guiding Principle IV
The CA owes a standard of care to their clients
- Confirm facts related to the transaction
The CA shall safeguard private keys
- Including information contained within the keys
The CA shall maintain proper records
- Shall maintain a record of each transaction, details, adequate time period
The CA shall maintain confidences
- Related to the transaction and parties
The CA shall disclose facts that adversely or materially affect reliance
- Any facts or circumstances impacting reliance on certificate
- Any facts that would indicate an actual or potential conflict of interest ~ Risk ~
The CA shall have sufficient financial resources
- Resources sufficient to bear risk of liability: surety bonds, liability insurance, etc. (may differ by jurisdiction)
Guiding Principle V
The CA shall pass a criminal background check
- Includes civil convictions for fraud
The CA must procure proper identification
- Deterrent. Photo/thumbprint/tele. Must maintain identifications in e-journal
The CA shall verify information
- Information relative and critical to transactions. E.g., intent to engage in a transaction.
The CA shall time stamp certificates
- Including person that created the certificate
The CA shall suspend/revoke a cert. if private key is compromised
- May include taking action for sender; requires “public” notice to parties
The CA shall report fraudulent activity
- To “appropriate” law enforcement or disciplinary authority
Guiding Principle VI
The CA shall refrain from notarizing his own transactions and from accepting improper gains
- Avoid appearance of impropriety
- Cannot use information gained (directly or collaterally) for personal gain
Guiding Principle VII
The CA shall not purposefully and knowingly engage in misconduct
- No false, deceptive, inaccurate or incomplete information
- Criminal and civil liability may result
Guiding Principle VIII
The CA shall treat all people equally
- Race, religion, national origin, age, physical disability, gender, etc.
Guiding Principle IX
The CA shall charge reasonable fees
- Does not define reasonable or how the market will be set (legislated fee schedule, free competition, etc.)
- No CA shall enter into an agreement charging an excessive fee
Guiding Principle X
The CA shall maintain the integrity of the profession
- Act in accordance with role of a public official
The CA shall report misconduct
- Of colleagues. Statement does not include clients.
The CA shall make dignified advertisements
The CA shall refrain from making endorsements
Conclusion:
* Valuable as a first step and framework
* Requires further development
* May require regular practice statements (public trust), certifications
* Objective not dissimilar to WebTrust
* Requires wide-spread adoption (international acceptance)
* Organizations must be self-policing
Questions:
* Attorney language focuses on prestige, ethics, technical. Too limited?
Rutgers Computer and Technology Law Journal (1996)
Legal and Technological Infrastructures for Electronic Payment Systems
Henry H. Perritt, Jr.
Focus
Infrastructures necessary to ensure Internet payment systems include:
* Acceptor of credit card or cybercash has a claim against the issuer
* Assured funds against which redemption can be made
Acceptor of credit card or cybercash has a claim against the issuer
Risk of forgery is the primary risk giving rise to dishonor:
- Digital signatures protect the vendor from spoofing of the customer, and from forgery or spoofing with respect to the issuer
- Acceptance of PKI as the solution: an appropriate legal framework must be adopted
Assured funds against which redemption can be made
- Legal infrastructure for forgery and dishonor in traditional commerce
* Banking regulations impose capital requirements, insurance
* Much of Internet business will be conducted out of reach of banking regulators
Risk of Forgery
- Technology: IETF standard X.509, RFC 1422; VISA/MC promulgate standards for management and use of PKI
- Legal: Technology complemented by VISA/MC framework, model legislation (greater adoption needed)
- More CA’s created and marketed
Risk of Dishonor
- Risk greater: not controlled
- Banking-type regulation made more difficult by the Internet
- Clearinghouse mechanisms a better solution than banking mechanisms
  * Faster to create, set up administration
  * Faster response to problems, technological changes
  * Can regulate across national boundaries (overreaching risk)
  * Exists in credit card model