Digital signature legislation: The first 10 years


Information Security Technical Report 11 (2006) 18–25

available at www.sciencedirect.com

www.compseconline.com/publications/prodinf.htm

Stefek Zaba, HPLabs, Bristol, UK

1. A trip down memory lane

While it is said of the 1960s that ‘if you can remember them, you weren’t there’, a mere decade ago should be well within the memory of most readers, augmented if necessary by reference to web pages, documents at the back of the filing cabinet, and commemorative T-shirts. Even so, a decade is a substantial period in the development of electronic commerce and web business models: if we follow the collective wisdom fashionable at the height of the dot-com boom that ‘Internet Time’ is to ‘ordinary time’ as dog-years are to human years, a decade of Internet time corresponds to the human Biblical lifespan of three-score-years-and-ten. And indeed, broad public availability of web technologies was at its earliest stages. In 1995:

• the Mosaic web browser had been publicly available for almost 2 years;
• its server-side cousin, the NCSA web server, had been available for nearly as long, with its then-upstart offspring, Apache, first appearing in April of 1995;
• the Netscape browser had, in its initial 1.0 incarnation, been available since December 1994, its SSL (secure socket layer) protocol allowing for encrypted and authenticated connections between browser and server;
• Microsoft’s first public release of Internet Explorer came in August 1995, as part of the Windows95 Plus Pack;
• the Netcraft monthly surveys of web activity started in that same month, revealing a massive 18,957 publicly accessible websites;
• the US state of Utah enacted its Digital Signature Act at the start of that year.

1.1. The first movers

Utah’s early moves are remarkable, given that legislation usually lags a long way behind technology. This first legislation to explicitly provide for the recognition of digital signatures was
passed at an uncharacteristically early stage in the widespread use of Internet technologies and electronic commerce in particular. Of course, the core technology of digital signatures predates the year in question by almost two decades, and practical implementations of the technology were available as niche commercial products and as influential freeware – PGP 1.0 had been released 4 years earlier – but it nevertheless stands as an unusually swift legislative initiative. Other legislatures followed Utah’s example – anxious, perhaps, not to be left behind in showing a lively response to the white heat of technology. By 1996, Utah could no longer boast being the only US State with a Digital Signature Law: it had been joined by Arizona, California, Delaware, Florida, Hawaii, Michigan, New Mexico, New York, Washington, and Wyoming. The year 1996 also saw the development and enactment of digital signature legislation in countries outside the US, eager to show they too were no slackers in the honest toil of building legal on-ramps for the Information Superhypeway. By mid-1997, Germany and Italy had each passed a Digital Signature Law, as had Malaysia. These legislatures appear to have been seized by an urge to secure a ‘first mover’ advantage – the notion, particularly prevalent among start-ups seeking venture capital for new Internet ventures and their funding sources, that companies which are early to market will create a momentum in their client base making it ever more attractive for further clients to join that grouping rather than do business with later-entering competitors. 
While legislatures are not for the most part in direct competition with one another, there is competition among the regional and national administrations of which they are an integral part to be attractive locations for new (taxable) businesses, and this provides a justification for relatively forward-looking legislative responses to technological developments which promise to reshape commerce.1 Nearly all these early legislative responses were strongly prescriptive2 in their treatment of what constituted a ‘good’, ‘binding’, ‘secure’ digital signature. It was to be a sound implementation of what was perceived as ‘the only game in town’: the technique first described in ground-breaking academic papers from the late 1970s, using asymmetric cryptography, with a closely-held private signature key producing a publicly-verifiable computation over a hash (‘fingerprint’) of the document to be signed. A fundamental role was to be played by certification authorities (CAs), who would issue digitally signed certificates assuring Whom-It-Might-Concern that the CA had with due caution and ceremony ascertained that the entity named in the certificate was capable of producing digital signatures, verifiable using the public key recorded in that same certificate. The legislation typically introduced licensing or approvals regimes for CAs, and laid down detailed rules concerning the liability of the CA to those who were issued certificates, and to those who relied on the information in those certificates.

1 No legislature would be moved to respond merely to such crass motivations as following trends or looking modern, of course.
2 The distinction between ‘prescriptive’ and ‘minimalist’ approaches is most clearly laid out in the Electronic Law and Policy Forum’s publications of the late 1990s (Baker and Yeo, 1999; Kuner et al., 2000).

1363-4127/$ – see front matter © 2006 Published by Elsevier Ltd. doi:10.1016/j.istr.2005.12.005

1.2. The second wave

The breathless charge to the new weightless economy as history ended all around us saw other legislatures – much of Europe and Asia, and the US Federal authorities – holding back from joining the first wave, but the increasing momentum of electronic commerce meant that doing nothing began to look positively irresponsible. Politically, merely aping the actions of swifter-acting legislatures was of course less attractive than taking advantage of the first-movers’ possibly false moves and passing more carefully considered legislation, demonstrating superior judgment while still responding to the mood of the times. The minimalist wing of this second wave of digital signature legislation is best exemplified in the US by the Federal E-SIGN Act3 (2000) and the Uniform Electronic Transactions Act, and in the Australian legislation of 1999.4 In contrast to the ‘technology specific’ approach of the Utah legislation and others following its lead, the ‘minimalist’ wave sought only to avoid overt discrimination against digital or electronic signatures. (In legislative use, ‘electronic’ signature has come to mean any kind of data performing any of the expected functions of a signature, such as identification or notice of assent, conveyed over any telecommunications network. It therefore includes a person’s name in an email’s From: header, and their casual ‘xxx – yr lvr’ signoff at the end of a mobile txt msg, while ‘digital signature’ is usually reserved for uses of a cryptographically verifiable signing mechanism.) Much of the impetus for such a ‘technology neutral’ approach can be traced to the influence of the UNCITRAL (1997) (United Nations Commission on International Trade Law) Draft Rules on Electronic Signature, which – at least when selectively cited – can be read as endorsing such an approach. Other commentators also noted that technology-specific legislation put certain suppliers and patent-holders in a privileged market position, and cast doubt on whether this was in the best interests of public policy. Like the US Federal and Australian legislation, the final UK legislation on digital signature recognition is also at the ‘minimal non-discrimination’ end of the spectrum. However, the journey to that final position involved an extensive detour through what in retrospect look like the dying days of a phantasmagorical landscape: the Vanishing World of Key Escrow. In early 1997, the outgoing Conservative administration published proposals which yoked together the presumed irresistible attraction of Official Legal Recognition for digital signatures with the purported benefits to national security of encryption key escrow. On the stick side, the proposals would require all CAs offering certificates to the UK population to be licensed, and as a condition of holding such a license they would be required to hold a copy of all subscribers’ encryption keys. The carrot in this unrefusable (legally, if not commercially) deal was to be legal recognition of digital signatures backed by certificates from these CAs. The proposals were deeply flawed on both technical and commercial grounds: secure, uninterceptable channels could be established by users of already available mass-market software using Diffie-Hellman exchanges authenticated by the unescrowed signature-only certificated keys, while CAs operating overseas would have a commercial advantage over those established in the UK and hence forced to comply with the costly escrow requirements.
The incoming New Labour administration initiated a thorough-going review of these ludicrous proposals, in the light of its ringing pre-election statement5 that ‘Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks.’ The review produced new proposals of a radically different character: CA licensing would no longer be mandatory, but voluntary – still with the incentive of legal recognition for CA-backed digital signatures, and with such recognition extended only to signatures backed by licensed CAs, for whom an absolute condition of licensing would be... the escrow of consumers’ encryption keys. Only after a number of delays and extended semi-public consultative activities was the final form of digital signature legislation advanced, with its key escrow proposals entirely excised, a minimal ‘non-discrimination’ recognition for electronic signatures, and with only a 5-year window for the introduction of a statutory accreditation scheme for CAs in the event that industry self-regulation proved inadequate.

3 Signed by President Bill Clinton on 30 June 2000, not only manually but digitally too. The President subsequently let it be known publicly that the password protecting this till-then-putatively-private signature-making key was ‘Buddy’, the name of his dog. Whether motivated by naivety or sophisticated deliberation, this disclosure certainly ensured no further ‘binding’ digital signatures could be made with this key.
4 Disruptive as it is to the smooth flow of this historical reconstruction, honesty requires me to point out that the California legislation of 1995 was deliberately non-prescriptive as to technology.
5 Contrary to popular memory, this was not in fact part of the Labour Party’s 1997 election manifesto. It occurred in a 1995 Party policy document entitled ‘Communicating Britain’s Future’. The 1997 Manifesto itself mentions the Information Superhighway only in the context of ‘wir[ing] up schools, libraries, colleges and hospitals... free of charge’; thus, the apparent reversal of policy was not a breach of a manifesto commitment, which would have been an unthinkable, shocking instance of the very way in which ‘broken promises taint all politics’ which that Manifesto itself roundly decried.

1.3. Synthesis: ‘hybrid’ approaches

If the ‘prescriptive’ approach represents the ‘thesis’, and the ‘minimalist’ its antithesis, a commentator dabbling in historical analysis might expect a ‘synthesis’ to emerge from these two competing approaches. A hybrid approach is indeed evident in much digital signature legislation of the late 1990s and early 2000s, but is more of a pragmatic compromise than a truly illuminating synthesis. The clearest instance of such a ‘hybrid’ approach is the European Union’s Directive 1999/93/EC (2000). This approach is a drawing together of the ‘minimalist’ and ‘prescriptive’ approaches – or, unkindly, establishes two tiers of recognition: the useless at the bottom end, and the unachievable at the top end. As an EU Directive, it does not itself have direct legal force, but is instead ‘transposed’ into the national legislation of each of the (then 15, now 25) Member States of the Union – a process which allows for considerable national variation. The history of the Directive’s evolution and eventual transposition into national law is less than straightforward. Among the political spurs to creating a Directive in this area, beyond the wish to Do Something to generally encourage electronic commerce and the evolution of an Information Society, were the increasing emergence of national laws in Member States creating incompatible frameworks for digital signature recognition – which is inconsistent with the EU’s overall goal of removing barriers to trade among Member States – and the provision of support to distinctive EU capabilities in the ICT field, particularly the well-developed smartcard supplier industry. Initial moves towards the creation of a signature Directive were coloured by the belief that while encryption was a contentious and difficult matter – the debate on key escrow and other exceptional-access requirements being a hot topic during the mid-1990s – mere authentication/signature was likely to prove a much less contentious matter. 
It soon became clear, however, that the legal traditions of the Member States produced very different starting positions in the matter of (traditional, handwritten) signatures and their putative digital/electronic analogues. At one end was the UK, with its common-law framework, an established tradition of treating various forms of signature (witnessed or unwitnessed, handwritten, mechanically marked, faxed, or the station identifiers of adequately supervised Telex terminals) as merely producing differently persuasive degrees of evidence towards establishing the willingness of the apparent signatory to be bound by the terms of the signed document, and in which commercial parties were free to establish by contract whatever form of transaction authentication they felt to be appropriate. At the other were countries – Germany and Italy notable among them – whose civil-code tradition placed considerably greater emphasis on particular requirements of form, made much greater use of notaries as formally recognised witnesses, and under whose traditions signatures which fulfilled the form requirements are considered binding in all but the most exotic circumstances. Despite the emergence of this yawning chasm, the political pressure to produce a single Directive which would avoid the fragmentation of digital signature practice among the Member States was considerable. The final text of the Directive therefore created a two-tier framework. At the low end, an ‘electronic signature’ is defined very broadly and permissively, and the Directive requires that such a signature should not be denied recognition or admissibility as legal evidence ‘solely’ on the grounds of its electronic nature – while leaving the door open for disputes of fact in any particular case on such grounds as ready duplicability, lack of uniqueness, and a myriad of other perfectly reasonable objections to being bound by mere mechanical indicia. At the high end, an ‘advanced electronic signature’ based on a ‘qualified certificate’ is accorded equivalence with handwritten signatures. An ‘advanced’ electronic signature must fulfil all the following criteria – which are difficult, if not impossible, to unambiguously meet with current consumer-grade technologies (as discussed in a later section):

• it is uniquely linked to the signatory;
• it is capable of identifying the signatory;
• it is created using means that the signatory can maintain under his sole control;
• it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

The ‘qualified’ certificate must be identified as such, and be issued by a CA (in the Directive known as a Certification-Service-Provider) acting under strict information assurance procedural guidelines, which include the following:

• verification, by appropriate means in accordance with national law, of the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;
• the use of trustworthy systems and products which are protected against modification, and ensuring the technical and cryptographic security of the process supported by them;
• accepting liability, limited by an amount disclosed in the certificate, for reasonable reliance upon the information recorded in the certificates it issues.

The ‘hybrid’ nature of the Directive makes for a fine exercise in logical reasoning.
There is nothing, for example, to prevent a Member State passing legislation which recognises even the least sophisticated forms of electronic signature as equivalent to handwritten signatures – the Directive makes being an Advanced Electronic Signature based on a qualified certificate a sufficient rather than a necessary condition for such recognition. At the other end of interpretation, national legislation which requires electronic signatures to have all or most of the characteristics of Advanced Electronic Signatures before being considered to have any value is also consistent with the Directive: signatures falling below such a high standard could not be excluded solely because they are ‘electronic’, but could be denied formal recognition, along with those resulting from rubber stamps, audio recordings, and similar, on the grounds of being far too easy to duplicate. Without such flexibility, ‘acceptable’ compromise agreements in multi-country negotiations would be difficult to reach indeed: whether the resulting implementations provide for a clear cross-border regime is another matter.


The Directive treads a very fine line on the matter of regulatory regimes for CAs. On the one hand – perhaps partially in response to the UK’s attempts, described earlier, to yoke together digital signature recognition and key escrow – it explicitly forbids regimes which require ‘prior authorisation’ for CA operation. On the other, it explicitly allows voluntary accreditation schemes for CAs, and goes on to mandate the supervision of CAs which offer qualified certificates (and, in keeping with the EU’s trading-zone function, requires such supervision to be mutually recognised across all Member States). In practice, those countries which have stressed the ‘high-end’ aspects of the Directive in creating or amending their national legislation have adopted demanding statutory rules for CAs, while those whose legislation stresses the lower-end requirements have favoured self-regulatory approaches.

1.4. Issues

Despite the flurry of legislative activity surrounding digital signatures, the widespread uptake of ‘generic’ certificates by ordinary consumers who subsequently replace all their paper dealings with private companies and public authorities has been conspicuous by its absence – multiple reports of ‘successful trials’ notwithstanding. There seem to be several substantial legal, commercial, and technical reasons for this outcome.

2. ‘Closed’ versus ‘open’ systems

The model underpinning the legislative efforts to date – entirely so in the ‘prescriptive’ approaches, and broadly so even in the ‘minimalist’ ones – has been to legislate for the case where certificate authorities issue general-purpose identity certificates to members of the public. Where these CAs are private companies, the customer relationship here is with the certificate holder only, not with those who rely on the information in that certificate (the ‘relying party’ in legal analyses of this area). It is, however, the relying party who is most at risk from a misrepresentation in the certificate – whether caused by careless behaviour of the CA, its failure to effectively operate a ‘revocation list’ service (by which means digitally signed lists of prematurely expired certificates are supposed to be published in a suitably timely fashion), or fraudulent behaviour by the certificate holder. The bulk of the legislative effort appears to have been expended on creating mechanisms – strict but limited liability, and regulatory regimes – which attempt to give relying parties enough reason to treat CA-issued certificates as more important than mere line noise, but not to impose such strong liability on CAs as to make their business too risky to contemplate. Meanwhile, actual practice continues to emphasise ‘closed’ systems, in which not only certificate holders but also relying parties are more or less tightly and contractually bound to ‘club rules’, which describe much more precisely the purposes for which certificates or other electronic authenticating information may be used, the duties of care for all parties, dispute resolution procedures, and so on. Since these ‘clubs’ are specific to one particular type of transaction or
relationship, costs, duties, and liabilities can be apportioned much more appropriately to those particular circumstances than when a legislature is trying to create a general-purpose framework to underpin the strange (non-)relationship between a general-purpose CA and those who might rely on signatures made by the customers to whom it once issued a certificate. In the well-chosen words of one commentator (Gutmann), open systems ‘cannot internalise the costs of the inevitable fraud which will occur’. In the world of commercial CA activity, one framework which appears to have stood the test of over 40 years of ‘Internet Time’ – that is, established before 2000 and still actively pursuing the same business model – is Identrus. Firmly aimed at business-to-business transactions, this network uses established banking relationships to allow customers of participating banks to authenticate business-to-business transactions among each other, using membership of the ‘club’ of participating institutions to clearly allocate risk and responsibility. In the world of business-to-consumer activity, an enormous amount of authentication of the ‘business’ end is done every day by consumers using web browsers. Certificates for ‘secure’ websites are received and interpreted by the ‘secure channel’ component (SSL/TLS) of desktop browsers, the result of which is visible to the consumer merely in the appearance of a ‘padlock’ icon as part of the ‘meaningless’ decoration around the display of the website’s information content. Occasionally, the authentication process ‘fails’, for such reasons as the expiry date of the certificate being in the past, the website operator moving their ‘secure’ trading site from shopping.mycorp.com to checkout.mycorp.com, or the certificate being bought from a CA whose own certificate is not part of the browser’s initial list of ‘known good’ CA certificates. 
In this case, the browser pops up a message whose content is of interest only to the infosec practitioner, and which is interpreted by all ordinary decent folk as ‘click here to carry on buying Mum’s Christmas present’ rather than ‘click here to further chip away at the fragile relationship between what this computer actually does and what you hope it does’. Despite the launch in the late 1990s of ‘Driving licences for the Information Superhighway’ by the leading CA of the time, the number of consumers with active ‘personal’ certificates for their private personae is trivial, and lower now than in the late 1990s. In the world of individual-to-individual relationships, ‘digital signatures’ are used in the personal setting mainly by those few with an unhealthy interest in information security matters (among whom the readership, and authorship, of this publication are clearly over-represented). However, a great deal of person-to-person authentication is in fact done in such large ‘closed’ groups as the users of eBay. eBay in particular provides a framework in which buyers and sellers establish identities, and encourages those participants to maintain their links with those identities through the ‘reputation’ system, by which participation in the trading environment which is consistent with its social norms is ‘rewarded’ by an increased willingness on the part of other participants to do business with individuals who have accumulated a ‘good’ reputation. Authentication of each participant to the eBay system itself uses a variety of lightweight mechanisms
appropriate to particular business risks – these include a demonstrated ability to use the supplied email address (supplemented in the case of what eBay considers to be ‘excessively anonymous’ addresses from public providers by provision of valid payment card details) in the case of ‘buying only’ participants, through to demonstrating presumed-authorised access to a bank or credit card account (by sending back to eBay the particular amounts of two small transactions to that account). It is noteworthy that none of these mechanisms rely on a private individual’s ability to produce a ‘digital signature’.

3. Other business reality issues

There are other ways in which digital signature legislation, or guidelines intended to help legislatures frame it, assume away the grubby reality of commerce. One notable example comes from the American Bar Association’s influential Guidelines (1996). These suggest, ‘When a certification authority stops or curtails operations without adequate provision for an orderly transfer of its business to a reliable successor, all of the certification authority’s outstanding certificates, other than transactional certificates, will generally be revoked.’ Failures of ‘orderly transfer’ are, unfortunately, all too common in the business world, as anyone who walks past recently-deserted office or retail premises has seen. In such circumstances, who is expected to act to ‘revoke’ all the still-valid certificates of the failed CA’s customers? For the revocation list to be published in the ‘normal’ manner, digitally signed by the now-defunct CA, the revoker requires access to the CA’s private signature key. Allowing such access expeditiously may conflict with other responsibilities of the body responsible for winding up the CA’s affairs – the company personnel with access to that key may be unavailable or under suspicion of wrong-doing, and the cryptographic hardware which holds the signing key may be one of the few disposable assets of the defunct operation.

4. The technically unreachable ‘gold standard’?

Explicit in the EU Directive, and therefore in most national legislation which transposes it, and also in much other ‘high-end’ legislation, are requirements for computational environments which allow signature-making and signature-verification to take place reliably. The requirements for signature-making are, appropriately if we are seeking to make citizens presumptively ‘responsible for’ or ‘bound to’ what purport to be ‘their’ digital utterances, onerous – and arguably beyond the state of the art as available to the ordinary citizen. Consider again the requirements for an ‘advanced’ electronic signature: in particular, that it be created by ‘means that the signatory can maintain under his sole control’. Surely, given the known ubiquity of malicious software, including spyware which deliberately targets authorisation information for personal banking software and similar security-critical functions, it is implausible to argue that software running on an ordinary consumer PC under typical desktop operating systems can
provide an effective assurance of such ‘sole control’. While smartcards may be able to protect a 1024-bit asymmetric RSA key, their lack of an independent user interface means that the surrounding equipment must be trusted to act in the signatory’s interests at all times. This may be possible to assure to an appropriate level for payment card terminals in shops and at cash dispensers, but is again infeasible for smartcard readers attached to ‘normal’ PCs. ‘Trusted computing’ hardware may be in a position to offer some greater assurance – but whether a single, general-purpose configuration on even such a ‘trusted’ platform can be considered adequate to meet the Directive’s requirements will continue to be debatable for many Internet years yet. This is not the only requirement which represents a ‘stretch goal’: an Advanced Electronic Signature has the further characteristic that it is ‘linked to the data to which it relates in such a manner that any subsequent change of the data is detectable’. To the information security professional, this is at first glance a readily achievable requirement: all we do is take a secure hash (SHA-1, say, or MD5) of a suitably unambiguous version of the document (a PDF, say), and apply our favourite patent-free digital signature algorithm (DSA, why not) to that. Hey presto, linkage. Well... until recent work on the collision resistance of the MD5 family, of which SHA-1 is at least a close cousin. As far back as 1996, Dobbertin (1996) had published without further comment a collision in the MD5 compression function; Wang and Yu (2005) demonstrated a full MD5 collision and published details of their analytical construction in 2004, while Lenstra et al. (2005) demonstrated the construction of two X.509 certificates with the same MD5 hash (and thus the same CA signature on both) while having two distinct public keys (and with known private keys).
Such demonstrations significantly undermine the presumptions of ‘practical infallibility’ on which the technology-specific legislation (and the ‘high-end’ parts of most ‘hybrid’ legislation) is based, both among information security professionals, and in front of any judge or jury expected to uphold the ‘binding’ between an individual and some computer-based calculation. As for the ‘unambiguous version of the document’ being signed... at the time of these legislative proposals, while a simple text-based ASCII version of a document would be one obvious possibility, application designers typically prefer the extra ‘sizzle’ of multiple sizes of font, to act as headings, signposts for the reader, definitions of important terms, and so on; and might reasonably reach for PDF as one such representation which is ‘clearly just data’ and will ‘obviously look the same on all platforms’. While even early versions of PDF allowed more or less arbitrary Postscript code to be embedded, and execute conditionally on its environment, the latest versions make PDF programmable in a dialect of Javascript. So much, then, for ‘unambiguous’ rendering: how can a judge or jury be expected to weigh the claims of a defendant saying ‘That document didn’t look anything like that on my screen, and there certainly wasn’t anything about a lifetime obligation to supply camels and virgins in it!’ when the defendant’s legal representative can commission a ‘Web Designer’ to create just such a disappearing-terms-and-conditions document in a few hours’ work?
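The hash-then-sign ‘linkage’ discussed above is only as strong as the collision resistance of the hash, and the following sketch makes that concrete. It is an added example, not code from the article: the truncated SHA-256 digest, the toy textbook-RSA key built from two Mersenne primes, and the sample contract texts are all assumptions chosen so that it runs in seconds.

```python
import hashlib
from itertools import count

# Toy textbook-RSA key (assumption for this example): two Mersenne primes.
# Real signing keys are randomly generated, far larger, and used with padding.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

WEAK_BITS = 24     # stands in for a hash whose collision resistance is broken
STRONG_BITS = 128  # largest digest that fits this toy modulus


def digest(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leading `bits` bits, as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def sign(data: bytes, bits: int) -> int:
    """Hash-then-sign: the signature is computed over the digest only."""
    return pow(digest(data, bits), D, N)


def verify(data: bytes, signature: int, bits: int) -> bool:
    """Accept if the signature opens to the digest of the presented data."""
    return pow(signature, E, N) == digest(data, bits)


def find_collision(benign: str, altered: str, bits: int):
    """Birthday search: vary a reference number appended to each text until
    one benign variant and one altered variant share a digest."""
    seen_benign, seen_altered = {}, {}
    for i in count():
        a = f"{benign} [ref {i}]".encode()
        b = f"{altered} [ref {i}]".encode()
        da, db = digest(a, bits), digest(b, bits)
        seen_benign[da], seen_altered[db] = a, b
        if da in seen_altered:
            return a, seen_altered[da]
        if db in seen_benign:
            return seen_benign[db], b


def demo():
    # Constructed sample texts, not taken from any real document.
    doc_a, doc_b = find_collision("I agree to pay 100 pounds.",
                                  "I agree to pay 100000 pounds.",
                                  WEAK_BITS)
    # The signatory signs doc_a; the same signature is then checked on doc_b.
    weak_accepts_b = verify(doc_b, sign(doc_a, WEAK_BITS), WEAK_BITS)
    strong_accepts_b = verify(doc_b, sign(doc_a, STRONG_BITS), STRONG_BITS)
    return doc_a, doc_b, weak_accepts_b, strong_accepts_b


if __name__ == "__main__":
    a, b, weak, strong = demo()
    print("signed:   ", a.decode())
    print("presented:", b.decode())
    print("weak digest accepts presented document:  ", weak)
    print("strong digest accepts presented document:", strong)
```

With the weak digest the verifier cannot tell which of the two documents was signed; with the wider digest the change of data is detected, which is the property the Directive's wording assumes.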


Even without such specifically crafted existence proofs of here-today gone-tomorrow document content,6 an unfortunate side-effect of the generally beneficial trend towards timely installation of software patches is that the software state when a disputed document was displayed and signed, and a little later received, displayed, and verified, may be effectively unknowable should the information content of the document be under dispute some years (that is, several Internet Decades) later. While such fine matters of evidential weight might be robustly treated under laws which in any case expect to weigh the circumstances of a purported signature, they may be more critical in legal regimes where statutes apply seriously high barriers to ‘deniability’ of ‘appropriately formed’ digital signatures – even if those statutes were written under the influence of vendor hype and dot-com fever.

5. One size fails all

A foreseeable consequence of uniform, technology-specific legislation is that the standards codified by such statute will tend to favour the higher-end requirements: it is a natural tendency of technical advisory groups to take their responsibilities in advising on legislation seriously, to build for the long haul, and to make legislators aware of the possible problems with ‘cheap and cheerful’ approaches. Similarly, legislators will incur less political pressure in the short term if they back an approach which will not be subject to early stories of failure after rapid, wide deployment. Both groups, however, will tend to keep at least half an eye on practicality, and will reject very ‘high-end’ requirements as being ‘out of scope’ or ‘a matter on which we should proceed cautiously’ – for example, the US E-SIGN act explicitly excludes wills and similar testamentary documents from its provisions. Prescriptive solutions therefore typically end up codifying requirements which are unnecessarily onerous for the bulk of ‘simple’ interactions, while being insufficiently robust for high-end situations. It does not seem unjustifiably cynical to label such outcomes as ‘one size fails all’ – it may well fail even those ‘high-middle’ situations for which it is technically appropriate by making the market unattractive to providers who would otherwise occupy that niche, due to aspects of regulation which have been imposed with the mass market in mind. And if one size fails all, two sizes from the extremes of the scale, as created by ‘hybrid’ or ‘compromise’ approaches, may serve public policy goals little better. From a strictly information security viewpoint, single solutions which give particular endorsement to one technology and perhaps to a small number of implementations, and which mandate particular centralised management approaches, represent an a priori fixing of design choices which may be far from appropriate for a given application.

6 A practical demonstration of two Postscript documents which have the same hash but radically different content, and a method for constructing such pairs, was presented at a rump session of Eurocrypt 2005 (Daum and Lucks, 2005).


6. Misleading metaphors and treacherous terminology

The role of language in helping and hindering dialogue between such different communities as information security technologists, legislators, and the Prophets Of The Digital Millennium is clearly pivotal. In the current case, it is at least worth wondering whether linguistic confusion is responsible for some of the mismatch between legislative response and actual practice.

6.1. Digital ‘signatures’

The first such questionable metaphor (Winn, 2001) is in the very word ‘signature’. As a description of intent for what is to be achieved by the use of asymmetric cryptography between a point of origin and a point of destination, ‘digital signature’ was an excellent teaching metaphor, and was more useful in motivating students and fellow cryptographers in ploughing through the details of finding primitive roots of order q than calling it ‘data origin and integrity authentication’: it is also easier to raise venture capital using the purpose-related shorthand. Once in wider circulation, however, the danger is that it will be interpreted as ‘a digital kind of the thing you already know all about called a signature’, rather than ‘a digital kind of thing – a calculation which no-one could possibly do in their head, as it happens – whose purpose overlaps significantly with that of the thing you already know all about called a signature.’ The specific danger is that the metaphor drives the thinking and goals of the legislative activity: that it becomes accepted that the mathematical operation creates something which is a signature, or at least can be circumscribed so that it does, and that such fundamental aspects as production and verification of digital signatures being necessarily mediated by a complex designed artefact, known to be unreliable and subvertable, are wished into irrelevance.

6.2. What is being ‘signed’ anyway?

The ‘signature’ metaphor has another, more profoundly inappropriate effect. The kind of things we ‘sign’ are documents of greater or lesser value. Even at the lesser end, they are formal, binding commitments: promises to pay (bank or credit card bills), a visitor’s book acknowledging we are subject to our hosts’ procedures, and the like; at the high end, they are documents of lifelong significance – marriage or other partnership agreements, contracts of high value, house purchase documentation, and so on. It is hard to think of examples, at least in adult life, of signatures on effectively ephemeral items. This contrasts greatly with the usage of ‘digital signature’ algorithms – RSA, DSA, and the like – over data in the ICT world. Here, only a small fraction of such executions are over ‘documents’ which would be recognised as such – even of that fraction, the bulk are emails signed automatically by employees whose email systems have been configured to automatically sign outgoing messages; few indeed are formal contracts, binding promises made in person or on behalf of an organisation. The overwhelming majority of ‘signatures’ are during the execution of cryptographic protocols, to authenticate
endpoints in a cryptographic exchange, such as in ‘secure web sessions’ mediated by the SSL/TLS protocol, ‘secure login’ facilities provided by the SSH protocol, or VPNs (Virtual Private Networks) secured by IPSEC or other ‘secure remote access’ protocols most commonly used by employees working from home or from public-access wireless facilities. There is also a significant usage of cryptographic ‘signature’ validation when software updates (patches, updated virus signatures, and so on) are downloaded by software, whether at a user’s explicit request or by software’s automatic update functionality. In none of these overwhelmingly common cases is there a ‘controlling natural person’ who is consciously reviewing the data-to-be-signed and its significance, or a counterpart natural person who is explicitly ‘validating’ the ‘signed’ data. The finely-trained legal mind may well be happy to ignore all of these uses of ‘digital signature algorithms’ as being entirely irrelevant to the scope of ‘digital signature legislation’; however, the technologists advising them, and even more so the technologists implementing the software routines which execute these ‘digital signature algorithms’, are necessarily aware of these usage patterns, and may fail to provide adequate protection of the user’s interests in those rare but important cases where what is being ‘signed’ does in fact have serious significance to the user. Additionally, if the legislation causes ‘signature keys’ to be a scarce, paid-for resource – by establishing a highly regulated Public Key Infrastructure – users may come to use one (scarce, expensive) signature-making key for both ephemeral security protocol applications and significant document signing, but configure the access control for such keys to prioritise convenience in the common case over safety in the rare, but significant, one: a perverse outcome, but not fanciful.

6.3. ‘Public’ key infrastructures

While the metaphor gap for ‘digital signature’ has been noted by other commentators (Winn, 2001), there is another potential linguistic confusion in the area of ‘public key infrastructures’ (PKIs) – the system by which CAs make key certificates available, publish revocation lists, make their own ‘root’ keys available, and so on. In the information security world, the ‘public’ of ‘public key’ means that this half of a keypair can be freely disclosed without damage to the security properties of the system under design. In the legislative world, ‘public’ has a quite different meaning – ‘concerning the citizenry at large’. Is it possible that on hearing about ‘public key infrastructures’, legislators and their public (there is that word again) policy advisors call to mind ‘a kind of infrastructure concerned with providing keys to the public’, rather than ‘a kind of infrastructure which makes available keys whose disclosure does not harm the system’s security goals’? And if so, would this predispose them to being filled with a warm but misplaced glow of public (there is that word again) service provision as they protect the public interest in legislating against misbehaviour on the part of operators of public key infrastructures?

6.4. So where are we now?

Ten years after the first legislation, and 5 after the main wave (and the puncturing of the ‘exuberant excesses’ of the dot-com bubble), what is the state of digital signature legislation? Has it helped or hindered electronic commerce? And has the experience of its creation made it easier or harder for ‘digital’ business to argue for legislation to specifically address their concerns? It is difficult to avoid the feeling that the mass of digital signature legislation around the world is ‘mostly harmless’. As noted above, the overwhelming use of ‘digital signature’ algorithms is in the first place over ephemeral data, rather than ‘documents’ of any significance. The next largest group of applications of ‘digital signature technologies’ is in ‘closed’, though possibly very large, user groups: satellite-TV subscribers, users of bank-based payment systems from the consumer to the large financial institutions, where rules of acceptance are a matter of contract for the most part, with existing consumer protection rules biasing the responsibility for adequate and reasonable security in favour of the consumer (who is assumed to be less well informed and have fewer resources), backed by consumer interest groups who lobby against the introduction of less favourable presumptions. The mass, public uptake of general-purpose public key certificates simply has not happened, and few commentators argue that it would have if only the digital signature legislation had been kinder still to the certificate authorities. Government-to-citizen transactions may in future make use of government-issued ‘digital signature’ keys issued to each citizen: some countries have already issued their citizenry with cards capable of making such signatures, and some of the inevitably-successful pilots have been reported on.
Whether such e-Government applications are ‘closed’ or ‘open’ user groups is a less than fruitful discussion; at least legislation providing for digital signature technology in such government-to-citizen applications, if needed at all, can be more specific and tightly-drawn than legislation which also tries to stimulate what now appears to be an implausible infrastructure for electronic commerce. Electronic commerce continues to grow in volume and range, though not at the world-dominating rates threatened by prognosticators at the height of the dot-com bonanza. Operators of existing payment schemes, and the need for basic business competence among companies doing business this way, have been more effective in raising the level of information security practiced by web-store operators than legislative responsibilities addressed to them or to CAs. The picture is less rosy for consumer desktops: increasingly targeted malware and (anti-)social engineering in the form of ‘phishing’ is a continuing plague for users, who seem to respond by committing only relatively mundane transactions to the Information Superhighway. And what of future prospects for e-commerce legislation? Governments around the world have not entirely shut their doors to e-commerce and e-government legislative wishes, whilst both legislatures and supplier industry have perhaps learned to take a somewhat more measured and incremental approach to policy development. Both parties seem to have come to a polite understanding to avoid embarrassing each other by mentioning the excesses during what could, with suitable arithmetic and a careful choice of starting date, be seen as the Interwebsupercyberhypeway’s mid-life crisis.


references

American Bar Association. Digital signature guidelines (Hardcopy published by the ABA under ISBN 1-57073-250-7). Available from: ; 1996.

Baker S, Yeo M. Survey of international electronic and digital signature initiatives. Internet Law and Policy Forum. Available from: ; 1999.

Dobbertin H. The status of MD5 after a recent attack. RSA Cryptobytes Summer 1996;2(2):1–6. Available from: .

Daum M, Lucks S. ‘Attacking hash functions by poisoned messages’, presented at Eurocrypt 2005 rump session and available from: as presented at ; 2005.

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures, formally published in the Official Journal of the European Union 19/01/2000;L 013:0012–20 and available from: .

Gutmann P. Digital signature legislation. Available from: and part of the author’s ‘Godzilla crypto tutorial’, available from: . See also: Gutmann P. PKI: it’s not dead, just resting. IEEE Computer August 2002;35(8):41–9 with an extended version available from: . See, .

Kuner C, Barcelo R, Baker S, Greenwald E. An analysis of international electronic and digital signature implementation initiatives. Internet Law and Policy Forum. Available from: ; 2000.

Lenstra Arjen, Wang Xiaoyun, de Weger Benne. ‘Colliding X.509 Certificates’. Available from: .

UNCITRAL. ‘Draft Uniform Rules on Electronic Signatures’ (A/CN.9/WG.IV/WP.73) and subsequent revisions. Available from: for the specific first revision cited, and with later revisions and related documents indexed at ; 1997.

Wang Xiaoyun, Yu Hongbo. How to break MD5 and other hash functions. In: Eurocrypt; 2005. p. 19–35. Available from: .

Winn J. The emperor’s new clothes: the shocking truth about digital signatures and Internet commerce. Idaho Law Review 2001;37:353. Available from: .