Notes

[1] European Directive on a Community Framework for Electronic signatures 1999/93/EC.

[2] See for example the report of the National Electronic Authentication Council, Liability and other Legal Issues in the Use of PKI Digital Certificates (May 2002).

[3] See further Thomas J. Smedinghoff & Ruth Hill Bro, "Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce", 17 John Marshall Journal of Computer & Information Technology Law 723 (1999).

[4] See further B. Schneier, Applied Cryptography (John Wiley & Sons 1994), W. Diffie, The First Ten Years of Public-Key Cryptography, 78 Proceedings of the IEEE 560-77 (1988) which provides an excellent history of the development of public key cryptography, and RSA Laboratories, RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1 2-1-1 (2000), available at <http://www.rsasecurity.com/rsalabs/faq/2-1-1.html> accessed 11/03/01.

[5] One of the most widely known PKI models is based on the model of the telephone directory first put forth by Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IT-22 IEEE Transactions on Information Theory 644 (1976). See also Joan Feigenbaum, "Towards an Infrastructure for Authorization, Position Paper", 3rd USENIX Workshop on Electronic Commerce (September 1998).

[6] It is believed that the notion of "certificates" was first put forth in 1977 by Loren Kohnfelder, then an undergraduate at MIT; see L. M. Kohnfelder, "Towards a Practical Public-Key Cryptosystem" (1977) (unpublished B.S. thesis), cited in Rohit Khare and Adam Rifkin, "Weaving a Web of Trust", v. 1.126 (Nov. 30, 1997), available at <http://www.cs.caltech.edu/~adam/local/trust.html>, n.37 accessed 11/03/01.

[7] The alternative model is the "Web of Trust" model used in the Pretty Good Privacy system (PGP). Individuals indicate their trust in the public keys of other individuals by "certifying" them with their own digital signatures; the PGP program reviews the digital signatures that certify the validity of a new public key to determine if it has been signed by someone the recipient trusts. See further Simson Garfinkel, PGP: Pretty Good Privacy (O'Reilly 1995) at 235.

[8] National Electronic Authentication Council, Liability and other Legal Issues in the Use of PKI Digital Certificates (May 2002).

[9] Ibid at 3-16.

[10] Ibid at 7.