General Practice, Solo & Small Firm Division
Best of ABA Sections
Science & Technology
Digital Signature Guidelines for Electronic Commerce
Charles R. Merrill
Alice is Bob’s customer. She maintains an active securities trading account with Bob, in which she keeps a credit balance of securities and cash, and she has often used Internet e-mail to instruct Bob as to purchases and sales of securities in her account. Bob has printed out the following document from a file on the hard drive of his PC, which he claims to be a true copy of an e-mail message he received via the Internet:
Date: Feb 27, 1997 10:00
Please buy 100 shs of Netscape common stock for my account immediately, at the prevailing market. /s/ Alice
On Thursday, Feb. 27, Bob bought 100 shares of Netscape common stock for Alice’s account. On Friday, Feb. 28, the market price of Netscape plummeted producing a substantial loss on this transaction. Upon receiving her month-end statement, Alice repudiates the transaction and says that she never sent any e-mail message to Bob.
The example illustrates the challenge of conducting secure electronic commerce on the insecure Internet, an "open system" where there are no trusted gatekeepers to authenticate the identity of users entering the system. Technically sophisticated hackers are demonstrably able to send messages that "spoof" the identity and e-mail address of others. They can also intrude in private communications—intercepting, reading, modifying, and sending modified messages on their way again, all without detection.
In a legal dispute where parties have an economic incentive to repudiate electronic communications after the fact, an effective demonstration that electronic communications are technologically insecure can cast serious, perhaps fatal, doubt on the legal certainty of electronic commercial transactions.
Attacking this problem directly, in August of 1996, the Information Security Committee of the ABA Section of Science and Technology published the Digital Signature Guidelines, http://www.abanet.org/scitech/ec/isc/dsg-toc.html (tutorial and table of contents) and http://www.abanet.org/scitech/ec/ (ordering a full hardcopy), a four-year collaboration by 70 technologists and attorneys from a dozen nations. The Guidelines define a system of "public key infrastructure" (abbreviated PKI) that merges the technological capabilities of an "asymmetric cryptosystem" (sometimes called "public key" cryptography) with familiar legal principles of commercial law.
Terminology of the computer security profession defines a number of "security services" that must be delivered by a system of electronic communications if it is to be considered secure or trustworthy:
Authentication of Sender—WHO sent the message?
Data Integrity—WHAT were the contents of the message?
Time-Stamp—WHEN was the message sent?
Nonrepudiation—BLOCKS FALSE DENIAL of the sending of the message, and the contents of the message.
Although a number of leading public key cryptographic algorithms are capable of providing both encryption for confidentiality and digital signatures, the principal focus of the Guidelines is the digital signature mode only—the WHO, WHAT, and NONREPUDIATION security services. Public key cryptography is not by itself capable of providing the WHEN security service. See http://www.surety.com for one example of a proprietary time-stamping service, known as the Digital Notary Service of Surety Technologies, Inc. NONREPUDIATION deals with the same subject matter as the WHO and WHAT security services, but from the perspective of a sender and recipient of a message who are on opposing sides of a dispute.
Here’s a brief summary of the technology and terminology of an asymmetric cryptosystem. For more detail, see http://www.abanet.org/scitech/ec/isc/dsg-toc.html. Conventional cryptography, sometimes referred to as a "symmetric cryptosystem," uses a single secret key to encrypt/transform data and to decrypt/restore it to its original form. Knowledge of the secret key must therefore be shared with the other party to the communication. Public key cryptography (sometimes called an asymmetric cryptosystem, Guideline 1.3) uses two separate but mathematically related keys known as a key pair (GL 1.17). If either key is used to encrypt/transform data, the other key is used to decrypt/restore it to its original form. One key is called the private key (GL 1.24) and is kept secret by its holder and shared with no one. The other key is called the public key (GL 1.25) and is made publicly available on-line.
Using cryptographic software, the signer of a digital message will use the sender’s private key to transform the message into a digital signature (GL 1.11). A relying party receiving the signed message will use the sender’s public key to verify (GL 1.37) that the digital signature was created by the private key corresponding (GL 1.10) to this public key. Confidentiality of a message is not required for digital signature purposes, but if desired, a public key algorithm may be reversed, to allow the sender to encrypt for confidentiality. The sender encrypts the message with the recipient’s public key, and the recipient decrypts the message by using the recipient’s corresponding private key.
It is important to realize that we have not yet said anything about who actually signed the message, let alone who is legally bound by the message. To complete the chain of attribution to Alice, the critical step is to bind the purported sender’s identity to the sender’s public key. Under the Guidelines, the job of binding the identity of Alice to Alice’s public key is handled by a certification authority (GL 1.6), a trusted third party that issues a digital certificate (GL 1.5) to a subscriber (GL 1.31); the certificate is made publicly available to a relying party in a repository (GL 1.28).
Our hypothetical example illustrates a classic case of where a robust system of nonrepudiation is needed to block Alice’s false denial that she sent the message produced by Bob. If in fact Alice did send that message, a plausible motive could be the intention to remain unfairly flexible at the expense of Bob, by waiting to see the future market price before confirming or denying that she sent the message.
The central dilemma for electronic commerce in an open system is that a digital environment is based on bits rather than atoms. The jury and the opposing counsel will be deprived of cues or clues that would normally be available for the resolution of disputes in a paper-based and human-contact-based world. Here are the possible factual theories that face the dispute resolution authority:
(A) Alice Is Lying and Bob Is Truthful. Alice did send the message, and Bob did not falsify it. Alice intended to buy the stock, but after the market dropped, she is repudiating her message in order to avoid the loss, committing laches at Bob’s expense.
(B) Bob Is Lying and Alice Is Truthful. Alice really did not send the message, and Bob has falsified the message and the printout, to avoid loss on a transaction Bob made for his own account.
(C) Alice and Bob Are Both Telling the Truth!! Alice did not send any message, but Bob did in fact receive the message from an impostor who spoofed Alice and sent the message in her name.
Under the facts of the hypothetical example, the e-mail message is "naked" of any cryptographic authentication of any kind. The Digital Signature Guidelines are a pioneering first view of the additional technological and legal tools available to decide such a case where the parties have used an asymmetric cryptosystem for secure commercial communication.
Charles R. Merrill is a partner of the law firm of McCarter & English, Newark, N.J., and Co-Reporter of the Digital Signature Guidelines.
This article is a short summary of the author’s remarks at the ABA Annual Meeting in San Francisco, August 2, 1997, at the Electronic Commerce Seminar.