From: Carl Ellison cme@cybercash.com
To: HQ.SAT4(ELECMEDIA)
Date: 5/9/98 12:41am
Subject: issues for consumer protection in electronic media

I write today to focus on the issue of digital certificates for digital signatures and secure channels in electronic communication.

A number of states have passed laws to the effect that:

1. whatever a consumer's private key signs unconditionally binds the registered owner of that private key (sometimes called "non-repudiation"); and that

2. the government should not be in the business of issuing certificates.

I write as a researcher in digital certification. Our research has shown that both of these items are anti-consumer and in need of change. They should certainly not be imitated at the Federal level and, if possible, should be overturned at the State level.

(1) ignores the fact that a consumer's private key is almost impossible to protect, given today's computer systems. Unless we can guarantee that a user's private key has not been stolen, that the user's software (that employs that key) has not been tampered with and that the user's computer could not have been physically accessed by any other person, we cannot reasonably claim that the user controls his or her private key. To pass laws assuming otherwise is to put a burden on the user in violation of the spirit of laws like "Reg. E".

(2) ignores the need for a consumer to have certificates from a true authority, when the true authority is a government agency. For example, if certificates were to be used to access Social Security records, they should be issued by the Social Security Administration. They should have one purpose only (allowing access to SSA records). They might contain the SS Number, but if so that number should not be readable by anyone but the SSA (because it can be used to violate a person's privacy).

For another example, when a consumer connects to a web site, he might want to be assured that the key to which he connected was owned by the company whose trademark appears on the page. The authority for such a certificate (and therefore the proper issuer of it) would be the USPTO (or a trademark office in a State).

I ask that you consider such needs in formulating your policy and especially that you not merely listen to salesmen and lawyers from commercial Certification Authorities (who are advancing the two items to which I object, among others). Their advocacy of those two items is self-serving and not in the interest of US consumers.

Thank you.

 - Carl Ellison

P.S. You can find more on the subject of digital certification in my documents:

http://www.clark.net/pub/cme/html/congress1.html

and

http://www.clark.net/pub/cme/nist-7-24/

+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.  http://www.cybercash.com/                        |
|207 Grindall Street   PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342|
|Baltimore MD 21230-4103   T:(410) 727-4288   F:(410)727-4293      |
+------------------------------------------------------------------+