INET'98

Security and Confidence in Electronic Commerce: Certification Authorities

Isabel HERNANDO <dcphecoi@sd.ehu.es>
Universidad del País Vasco/Euskal Herriko Unibertsitatea
Spain

Abstract

The creation of a stable regulatory framework for new "information society" services is fundamental in a well-functioning international market. It is recognized that these new online services will become a source of economic growth and employment. However, an appropriate regulatory framework has to be put in place in order to provide an international, or at least a pan-European level playing field. One of the key elements for the development of these services, especially the online financial and business transactions, will be digital signatures.

In this paper, attention will be given to the legal aspects related to the use of digital signatures in electronic commerce, specifically those resulting from the identification and liability of certification authorities.

The objective of this paper will be to identify in this legal context the potential schemes and real obstacles and their effects resulting from differences in legal concepts and implementation in an international regulatory environment.

Introduction

It is currently recognized that new online transactions taking place in an "open system" will become a source of economic growth and employment. However, for the international market to function correctly, a stable, harmonized regulatory framework must be put in place at an international, or at least pan-European, level.

One of the key elements for the development of these services, especially online financial and business transactions, will be digital signatures, which should give electronic transactions safeguards of authenticity, integrity, and nonrepudiation (confidentiality being supplied by encryption of the transaction itself rather than by the signature).

One of the difficulties encountered when using digital signatures is that of ensuring that the identity of the person who holds a key pair is accurately known. This service is offered by trusted third parties called certification services (CSs). CSs, also referred to as certifiers, certify and guarantee that a public key belongs to its supposed owner.

The objective of this paper will be to determine the legal context of certification services, specifically their identity and liability, and the possible regulatory schemes and their consequences as a result of differences in legal concepts and their implementation in an international environment (1).

1. Identification of certification services

The identification of the CSs that may operate in an online economic framework is a first step toward international harmonization. The difficulty of integration, however, does not lie in the choice between recognizing private or public CSs: public CSs, leaving aside possible problems of safeguarding free competition, are accepted without further discussion. The difficulties of harmonization arise instead when attempting to establish a standard operating framework for the private sector and when fixing the limits for the recognition of certificates issued by foreign certification services.

1.1. Private certification services

In the private sector, the creation of a standard operating framework calls for a harmonious solution to the problems raised by the two following issues:

  1. The need to identify the minimum requirements necessary for certification services to be issued with operating licenses.
  2. The possible recognition of unlicensed private certification services.

1.1.1. Licensed certification services

Practically all current laws on digital signatures, as well as the Directive Proposal and the UNCITRAL project (2), recognize the existence of certification entities or authorities licensed by a competent agency or authority (3).

The function of these licensing bodies is to establish the probity and competence of the certification service. Accordingly, the bodies recognized as licensing entities are usually public administration agencies subject to administrative law, or independent accreditation entities recognized by the State and similar in structure to the data protection agencies. (4)

In any case, the entity nominated to authorize the activities of the CS would, in accordance with its functions, monitor and report on compliance with the minimum requirements legally established for the granting of licenses.

(a) Minimum standards of the CSs

It is accepted that the economic activity of digital certification, and consequently the acquisition of the corresponding authorization, cannot be limited to persons or groups already subject to professional codes of conduct (notaries, banks, attorneys), but must be open to all entities that comply with the minimum standards established in a specific law. (5)

From the perspective of Electronic Commerce, these minimum standards should perform a double function. On the one hand, they should allow for the interoperability of the different participants in the Global Electronic Market and, on the other hand, they should provide sufficient security to protect citizens from any fraudulent and inappropriate conduct on the part of the CSs and from the damages resulting from the inappropriate issuing of certificates.

In response to these needs, in the UNCITRAL project and in the various laws already existing, criteria have been established that include standards of a technical and economic-legal nature, plus rules relating to personnel that, as a minimum, the CSs would have to meet in order to be licensed. (6)

(1) Standards for personnel

The selection and administration of personnel is one of the basic criteria for the granting of licenses (7). Under these criteria, the CSs would be obliged to provide evidence of the following:

  • The adequate ethical standing of its administrators and of its representative personnel. (8)
  • A proper professional level of the operating personnel taking part in the certification proceedings. (9)
  • Its experience in public key technologies and familiarity with the appropriate security procedures.

(2) Technical standards

In this second section, the criteria for authorizing CSs would be centered on the following aspects:

  • Description of the technical components employed and approval of the equipment and the programs used.
  • Description of the procedures used in the certification through the use of a reliable system to issue, suspend and revoke certificates including procedures for the protection of the private key of the certification authority in question.
  • Notification of an internal security plan and the existence of an emergency plan (disaster recovery, key escrow).
  • Procedures for the revocation of certificates (for example, in the case of loss or compromise of the private key).
  • Procedure for the cessation of activity.
  • Maintenance of a documentation register. (10)

(3) Legal/economic standards

In this category, the minimum criteria would correspond to the following requirements:

  • Independence of the certification services, meaning their separation from, or absence of, financial, economic or other interests in the transactions effected through their certificates.
  • The economic capacity to assume the risk of liability inherent in their activities. (11)
  • Longevity of the certification services sufficient to provide the necessary evidence in a legal action or judicial claim linked to the presentation of certificates (12) or the decryption of keys.
  • Procedure for the termination of operations, including the notification of users.
  • Realization of audits by an independent entity.
  • Guarantees and representations.
  • Limits of liability.
  • Insurance.
  • Interoperability with other certification services.
  • Isolation of the certification function from other security activities carried out by the certification service.
  • Compliance with the requirements laid down in the national provisions implementing Directives 95/46/EC and 97/66/EC.

(b) Type of licenses granted

Finally, the licenses issued by the licensing authority may vary in nature. An application for a license would be made in writing, with the payment of a fee (as a public service).

Once the previously mentioned criteria had been checked, the licensing entity could authorize the CS to operate without restriction or, on the contrary, it could opt to grant a license subject to a series of specific limitations, as, for example, the following:

  • A license that permits the CS to issue a maximum number of certificates.
  • A license that fixes the maximum value permitted for each transaction effected with the certificates of the CS.
  • A license that specifies the maximum limit of liability for certificates issued by the CS.

Noncompliance with these limitations by the CS would bring about the annulment or suspension of the license and would have a direct effect on the liability of the CS that would be deemed to be an unauthorized entity in the Electronic Market.

1.1.2. Recognition of unlicensed certification services

With respect to certification services that operate outside a governmental or other system for implementing a public key infrastructure, and bearing in mind any pending legislation, harmonization between sovereign states would not be achieved by prohibiting such services from participating in the Electronic Market. Such a prohibition would instead generate new conflicts with existing International Treaties (for example, article 59 of the Treaty of Union on the free movement of services) and with national provisions on free competition (Defense of Competition). (13)

International homogenization, to our way of thinking, supposes the acceptance, in commercial practice, of these certification services in coexistence with the authorized certification services. Specific acknowledgment in this respect is given in the UNCITRAL Project in the following terms: "Any person who, or entity which, as an ordinary part of its business, engages in issuing certificates in relation to cryptographic keys for the purposes of digital signatures." (14)

However, the acceptance of these entities does not mean that they could conduct their certification business in a way that generates an unreasonable risk of loss for subscribers to their certificates, for third parties relying on them, or for other CSs.

For the activities of unlicensed CSs to be included within the embryonic development of the Electronic Market, in which it is necessary to generate a feeling of security and confidence among the different participants, they must be legally regulated. In this sense, with a view to achieving harmonization, Sovereign States can fix the minimum operational criteria necessary for unlicensed CSs.

These criteria can be specified in terms similar to the technical, personnel and economic standards established for licensed CSs. This comparability of requirements would not, however, make the two types of entity equivalent, since differences would remain at several levels, notably:

  • In the agreed effects of the digital signatures
  • In the limits of liability recognized
  • In the application of regulations against unfair competition

1.2. Foreign certification services

The issue here concerns the validity of certificates issued by foreign CSs that are not established locally as CSs in the country in which they intend to be active (15).

The systems proposed at the level of international harmonization for giving effect to such certificates are reciprocal recognition and reciprocal certification.

1.2.1. System of reciprocal recognition: "cross-border recognition"

Under this system, governments arrange between themselves the scheme for granting validity to foreign certificates, following criteria that respond to the international principles of reciprocity of recognition (16) and of equivalence in matters of security (17).

This recognition, in its various forms, would be put into effect through bilateral or multilateral agreements, except for the countries of the EEC and the EEA respectively, where, in the absence of a Directive standardizing security procedures, the aforementioned international principles would be expressed directly in their national laws.

This institutional intervention does not in itself ensure harmonization, because the concepts of reciprocity and equivalence are interpreted differently in each State; it can, however, coexist in the same country with the second system, described below.

1.2.2. System of reciprocal certification: "cross-border certification"

This second system makes it possible for national CSs to authorize and guarantee certificates issued by a foreign CS (18). Several levels of accreditation have been identified, determined by the degree of liability that the national CS is prepared to assume for a defective foreign certificate. (19)

The possibilities are numerous. Thus, a national CS might guarantee, among other things, the following, in order of diminishing liability:

  • The content of the foreign certificate, based on its declared knowledge of the certification procedures of the foreign CS.
  • The content of the foreign certificate, on the basis of information it has obtained about the reliability of the foreign CS.
  • The reliability of the foreign CS, without assuming any liability for the content of the certificate.
  • The identity of the foreign CS, based on verification of its public key and of its digital signature.

This system, in contrast with the former, constitutes a regulated system for the attribution of liability to a national CS and makes it possible for certifying entities to establish general agreements for mutual recognition.

2. Liability of certification services

The civil liability of CSs is the fundamental problem to be dealt with in the matter of digital signatures. Certainly, clarification of the minimum rules that govern civil liability would contribute towards the acceptance of the services of certification entities and would prevent the creation of barriers to international communication. In this sense, harmonization, once the nature of liability has been clarified, affects both the content and the limits permitted.

2.1. Classes of liability of the CSs

The liability of CSs can be contractual and noncontractual depending on the existing legal relationship between the parties. (20)

2.1.1. Contractual liability

Contractual liability is that which exists between the CS that issues a certificate and the subscriber to it. The rights and obligations of both parties are determined by the agreement between them, by the certificate and, depending on the case, by the certification practice statement (CPS).

Freedom of contract, the principle that governs these agreements, is linked to the liability regime applicable to the CSs, on which there appears to be a consensus that the activity of the CSs should be subject to a set of minimum binding contractual requirements.

2.1.2. Noncontractual liability

Noncontractual liability is the liability that the CS has for the damages or losses caused to third parties that have placed their trust in a certificate issued by the CS.

The first issue raised at the international level concerns the legal nature of this liability. An initial option is to apply a regime of objective (strict, no-fault) liability.

Under this regime, damages arising from the use of the certificate would be compensated regardless of whether the CS was at fault in issuing it, except where the loss results from misuse by the users or from use for a purpose other than the one stated. This regime would, in our view, be the most appropriate of those possible, for the following reasons:

  • First, for the development of electronic commerce through the degree of security and high level of confidence it would engender amongst its users.
  • Second, for reasons of public interest in relation to the kinds of risk-bearing activities carried out.
  • Third, and last, for the high level of technical sophistication that can be expected of the CSs.

The second option is to apply to the CS the traditional liability regime for negligence, in which the injured party must prove negligence on the part of the CS. This system, which runs up against the difficulty and the scarcity of means faced by the plaintiff in trying to prove negligence on the part of the CS, is moderated through a rebuttable presumption of fault.

Under this system, which is the one adopted by the UNCITRAL Project (21), the CS is deemed liable for any act or omission causing recoverable damage unless it can establish that it acted with the due care and diligence called for by the circumstances of the specific case.

2.2. Content of the liability of the CSs

There appears to be a consensus that, for both contractual and noncontractual liability, the content of the liability is determined by the content of the certificate and of the CPS of the CS.

2.2.1. Content of the certificate

The content and type of certificate determine the level of liability applied to the CS. In the electronic market there exist different types of certificates, from those which solely confirm that the identification contained in the record maintained by the CS coincides with the name and e-mail address of the user, to those which provide all kinds of security measures concerning the identity of the subscriber. This last kind of certificate is the one used in electronic commerce for electronic banking, electronic data interchange (EDI) and transactions over a certain value (22).

Harmonization efforts relate to these last types of certificates, since their basic components must necessarily be fixed in specific laws. These elements, whose existence can generate potential conflicts with data protection legislation, would be the following: (23)

  • Identification of the CS that issues the certificate.
  • Identification of the subscriber/holder of the signature, or of the machine or electronic agent authorized by the subscriber.
  • Identification of the public key that corresponds to the private key of the subscriber.
  • Specification of the period of operational validity of the certificate (and, where applicable, information on restrictions/limitations on the range of application of the public key).
  • Digital signature of the CS that issues it.
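
The five certificate elements just listed, together with the lowest-liability level of cross-border certification in 1.2.2 (the national CS vouching only for the identity of the foreign CS by certifying its public key), as an added example in Go that is not part of the original paper. It uses the X.509 certificate format from Go's standard library, which the paper does not specify; the names (Example CS, Foreign CS, Alice, Bob), the 1998 issue date and the ten-year and one-year validity periods are assumptions for illustration. The relying-party check at the end shows what each element buys: the chain check exercises the CS's signature and identity, the time check the validity period, the usage check the stated restriction, and the cross-certificate lets a party that trusts only the national CS accept a foreign subscriber's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GenerateKey makes a P-256 signing key pair; a subscriber generates its own.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue signs tmpl for pub with signer's key; a nil parent means self-signed (a CS root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate is the shape of a CS certificate: a CA allowed to sign, for an assumed ten years.
func caTemplate(serial int64, name string, from time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // identification of the CS
		NotBefore:             from,
		NotAfter:              from.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewCS creates a self-signed certification-service root and its private key.
func NewCS(name string, from time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := GenerateKey()
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(caTemplate(1, name, from), nil, &key.PublicKey, key)
	return cert, key, err
}

// IssueSubscriber produces the certificate of 2.2.1: issuing CS (Issuer is copied from cs),
// subscriber, public key, validity period, a restriction on the key's range of application
// (e-mail signing only) and, in the encoded result, the CS's signature over all of it.
func IssueSubscriber(cs *x509.Certificate, csKey *ecdsa.PrivateKey, subscriber string,
	pub *ecdsa.PublicKey, from time.Time, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subscriber},
		NotBefore:    from,
		NotAfter:     from.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return issue(tmpl, cs, pub, csKey)
}

// CrossCertify is the lowest-liability level of 1.2.2: the national CS certifies only the
// foreign CS's name and public key, so parties trusting the national root can chain to
// the foreign CS's subscribers without ever holding the foreign root.
func CrossCertify(national *x509.Certificate, nationalKey *ecdsa.PrivateKey, foreign *x509.Certificate) (*x509.Certificate, error) {
	pub, ok := foreign.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, x509.ErrUnsupportedAlgorithm
	}
	return issue(caTemplate(3, foreign.Subject.CommonName, foreign.NotBefore), national, pub, nationalKey)
}

// Verify is the relying party's check at time at: the signature chains to the trusted CS
// (possibly through cross-certificates given as intermediates), every certificate in the
// chain is inside its validity period, and the intended use is one the certificate permits.
func Verify(cert, trusted *x509.Certificate, at time.Time, use x509.ExtKeyUsage, intermediates ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{use}})
	return err
}

func main() {
	start := time.Date(1998, 7, 21, 0, 0, 0, 0, time.UTC) // assumed issue date
	cs, csKey, _ := NewCS("Example CS", start)             // errors dropped only in this demo
	aliceKey, _ := GenerateKey()
	alice, _ := IssueSubscriber(cs, csKey, "Alice", &aliceKey.PublicKey, start, 365*24*time.Hour)
	use := x509.ExtKeyUsageEmailProtection
	fmt.Println("within validity:", Verify(alice, cs, start.AddDate(0, 6, 0), use))
	fmt.Println("after expiry:   ", Verify(alice, cs, start.AddDate(2, 0, 0), use))
	fmt.Println("wrong use:      ", Verify(alice, cs, start.AddDate(0, 6, 0), x509.ExtKeyUsageServerAuth))
}
```

Verify returns nil only when all three checks pass. The chain check is what gives the CS's signature its value to a third party, and the cross-certificate, signed by the national CS for the foreign CS's own name and key, is the artefact through which the national CS assumes the limited liability described for that level.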

2.2.2. Content of the CPS

Finally, it is accepted that the standard of quality of service and of liability governing the relation between the CS and its clients is determined by the certification practice statement (CPS), which consists of the following basic components (24):

  • Description of the procedures used to authenticate the identity of the applicant for the certificate.
  • Description of the physical and personnel checks and of the procedures used by the CS to carry out securely the generation of keys, the issuing and annulment of certificates, and the auditing and archiving of information.
  • Description of the security measures adopted by the CS to protect its own cryptographic keys.
  • Any other related information.

This statement, which can take the form of a contract or of public information addressed to all interested parties, is considered essential both for the subscriber to the certificate and for the third party that carries out transactions on the basis of the issued certificate, trusting in the appearance of security given by the CPS of the CS. Moreover, a set of minimum fixed obligations on the part of the CS can be inferred from both documents.

2.3. Limits of liability of the CSs

Within the sphere of harmonization, there has been analysis of the possibility of establishing a minimum standard of liability that would affect contractual liability as much as noncontractual liability.

2.3.1. Proposal for limits and prohibited exemptions

(a) Minimum obligations

In the first place, it is suggested that the CS be obliged to comply with a set of minimum obligations that cannot be waived by the parties and whose observance would allow the CS to exclude its liability if liability were alleged.

According to the UNCITRAL project, in both its versions (25), the CS, by issuing the certificate, makes a declaration confirming the following:

  • That it has processed, approved and issued the certificate in accordance with the UNCITRAL rules, with the applicable specific laws and with the CPS stated or incorporated by reference in the certificate or in a published document.
  • That it will administer and revoke the certificate in accordance with the same provisions.
  • That it has verified the identity of the subscriber to the extent declared in the certificate or in the CPS or, in the absence of such a declaration, that it has verified the identity of the subscriber in a reliable way.
  • That it has verified that the person requesting the certificate holds the private key corresponding to the public key in the certificate.
  • That, except as stated in the certificate or in the CPS, all information contained in the certificate is, to the best of its knowledge, correct as of the date of issue.
  • That the certificate, once published by the CS, has been accepted by the subscriber identified in it.
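
The fourth declaration, that the applicant holds the private key matching the public key to be certified, is the one a CS can verify mechanically before issuing. As an added example that is not part of the original paper, here it is in Go using a PKCS#10 certificate request, whose signature can only be produced with the private key corresponding to the public key the request carries; the applicant name and the byte-flipping stand-in for a mismatched request are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewSubscriberKey runs on the applicant's side; the private half never leaves it.
func NewSubscriberKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Request is what the applicant sends to the CS: a PKCS#10 certificate request that
// carries the public key and is signed with the corresponding private key.
func Request(name string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CheckPossession is the CS-side check before issuance: the request's signature must
// verify under the public key embedded in the request itself. Merely knowing someone
// else's public key is not enough to produce that signature.
func CheckPossession(der []byte) (*x509.CertificateRequest, error) {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := req.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return req, nil
}

// Corrupt flips the final byte of an encoded request. The signature is the last element
// of a PKCS#10 structure, so the result still parses but its signature no longer matches
// the embedded key: an assumed stand-in for a request signed with some other key.
func Corrupt(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0xff
	return out
}

func main() {
	key, err := NewSubscriberKey()
	if err != nil {
		panic(err)
	}
	der, err := Request("Alice", key) // "Alice" is an assumed applicant name
	if err != nil {
		panic(err)
	}
	_, err = CheckPossession(der)
	fmt.Println("genuine request:", err)
	_, err = CheckPossession(Corrupt(der))
	fmt.Println("tampered request:", err)
}
```

A CS that skips this check can be made to certify a public key whose private half belongs to someone other than the applicant, which is precisely the binding the certificate is supposed to guarantee; the check costs one signature verification per request.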
(b) Grossly unfair exemptions

The second of the proposed prohibitions is inspired by the UNIDROIT Principles of International Commercial Contracts (26). Under it, a clause limiting or excluding the liability of the CS could not be invoked if doing so would be grossly unfair in relation to the purpose of the contract. (27)

(c) Fraud on the part of the CS

The third prohibited exemption of liability concerns loss or damage caused by the intentional conduct of the CS or of its agents. This prohibition is, moreover, contained in national laws on civil liability and in article 18 of the UNCITRAL Model Law on International Credit Transfers (28).

2.3.2. Limits and exemptions suggested

With respect to exemptions of liability on the part of the CSs and to the quantitative limits of the compensation, the criteria that are being considered in order to bring about a harmonized environment are numerous.

As reasons for the exclusion of liability, the following circumstances are suggested:

  • The CS would not be responsible for damages caused by the use of the certificate for purposes other than those stated in it.
  • Furthermore, the CS would be exempt from liability if it were demonstrated that, given the state of the art, it was impossible for the CS to adopt all the measures necessary to avoid the errors in the certificate.
  • Equally, the CS would not be responsible if the subscriber does not comply with the obligations established in the certificate and in the CPS (29).

Finally, it is suggested that the level of compensation be established according to the following parameters (30):

  • by reference to a maximum amount fixed in advance;
  • in proportion to (a) the sum paid to the CS for the issuance of the certificate and (b) the value of the transaction for which the certificate is valid;
  • as a percentage of the actual loss suffered by the injured party. In any event, consequential damages would be excluded.

Notes

1 See Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Ensuring Security and Trust in Electronic Communication (COM (97) 503); Commission Green Paper, Legal Protection for Encrypted Services in the Internal Market: Consultation on the Need for Community Action (COM(96) 76).

2 Draft Uniform Rules on Electronic Signatures, UNCITRAL (A/CN.9/437; A/CN.9/WP.71; A/CN.9/WG.IV/WP.73), art. 7 (a). Proposal for a European Parliament and Council Directive on a Common Framework for Electronic Signatures, December, 1997.

3 See Ian TAYLOR, "Licensing of Trusted Third parties for the provision of encryption services," JILT, 30-V-1997

4 There is no single criterion of designation and the possibilities are numerous: for example, transnational or intergovernmental bodies, such as the European Commission, or international bodies, such as the World Wide Web Consortium. However, such organizations could raise conflicts of international effectiveness.

5 See T.S. BARASSI, "The Cybernotary: Public Key Registration and Certification and Authentication of International legal Transactions," http://www.intermarket.com/ecl/cybrnote.html

6 UNCITRAL Project, A/CN.9/437, pp. 39-50 and 90-97; A/CN.9/WG.IV/WP.71, pp. 18-45 and 57-58; A/CN.9/WG.IV/WP.73, pp. 47-48. Art. 4, Directive Proposal, cit.

7 UNCITRAL Project, art.8 and Directive Proposal, cit., art. 4 (4) (b).

8 Utah Digital Signature Act (1996), art. 46-3-201, para. (2)(b), http://www.state.ut.us/ccjj/digsig/dsut-egs.htm; Italian Law n. 59, 15-III-1997, art. 8, http://www.notariato.it, and art. 10 of the German Digital Signature Ordinance, in force 1-IX-1997.

9 Utah Law, art. 46-3-201. German Federal Law on Digital Signature 22-VII-1997, art. 3 (4)

10 German ordinance, art. 13

11 Utah Law, art. 46-3-201; Italian Law, art. 8(3)(a).

12 Italian Law, art.8 (2)

13 As European commercial initiatives, see, among others, Siscer: http://www.siscer.com/siscer.en.html , IPS, http://www.ips.es, Belsign, http://www.belsign.be, DUNKEL, http://www.ca.dunkel.de

14 See Carl M. ELLISON, "Establishing Identity without certification authorities", 22 July 1996, http://www.clark.net/pub/cme/usenix.html

15 Art. 17 of the UNCITRAL project states the principle that foreign entities should not be discriminated against, provided that they meet the standards set for domestic certification authorities. Directive Proposal, cit., art. 7(1).

16 Italian Law, art. 8

17 German Law, art 3(15) and UNCITRAL project, art 19

18 Art. 18 UNCITRAL Project and art. 7 (2) Directive Proposal, cit.

19 A/CN.9/437, p.78-83

20 About liability, A.M. FROOMKIN "The essential role of Trusted Third Parties in Electronic Commerce," 75 Oregon L. Rev.49(1996); Bradford BIDDLE, "Misplaced priorities: The Utah Digital Signatures Act and Liability Allocation in a Public Key Infrastructure," 33 San Diego Law Review (1996)

21 UNCITRAL project, art 10(2) and art 6 (3), (4) Directive Proposal, cit.

22 See, concerning certificates, Dr. J.K.OMURA, "Digital Signatures and Certificates," http://www.cylink.com/products/security/digsig

23 UNCITRAL project, art. 8; German Law, art.3(7); art. 5 Directive Proposal

24 UNCITRAL project, art. 8 and art. 4 (4) (g) Directive Proposal. See S. CHOKHANI and W. FORD, "The certificate policy and certification practice statement framework", 3 November 1996, http://csrc.ncsl.hist.gov/pki

25 UNCITRAL project, art. 10 versions A and B

26 Principles, art. 7.1.6.

27 In this context, consumer protection laws could apply against the liability exemptions

28 UNCITRAL Model Law on International Credit Transfers (1992).

29 In any case, attention will be given to consumer protection laws

30 UNCITRAL project, art.12
