Cyberlaw@SA - Chapter 5


Bertus Pretorius BSc (Hons) (Pret) Inala Technology Investment

1. Introduction

The Internet in its simplest form can be described as a cross between the postal services and a massive farm telephone system (plaastelefoon) which scrambles all voices to such an extent that nobody can be recognised and everybody can listen in and add and remove data in transit at will.

The word “security” in this chapter’s title is misleading, but fortunately this is the word under which the average reader will look for what is discussed in this chapter. Yes, you will get the things you are looking for, but from a business and legal perspective. I left the technical stuff to authors much more competent. The intention of this chapter is to enlighten the reader to the hidden actions and risks that make the real world work or not. Then I show how we can achieve a similar state of affairs in the electronic world.

I would like to put the reader in the right frame of mind with this dictum: Computers would not have existed if humankind had no need for them. To put it clearer, computers should adapt to people and not people to computers. However, to say that the legal profession has no need for IT (Information Technology) is a fallacy. The law is a formalisation of common processes and ethics in a given society. These processes and ethics bind a society into some form of obedience, responsibility and liability.

Information sharing or exchange has become the backbone of the modern ethics and processes of society, be it the decision to buy a certain brand of food or choosing a business partner. We determine the risks of life based on information and experience before we act, many a time without even thinking about it. To this end information has become more and more available, with the result that society is becoming more dependent on authentic information. IT is mostly responsible for the information age by providing almost immediate access to information anywhere in the world. This created a need for new fields of litigation and understanding of human ethics, behaviour and processes with regard to IT. Since engineers and mostly, the creators of IT, are measured by working systems, little design and implementation effort is directed at the issues of non-performance and misuse. The legal profession must therefore not only understand IT but also use it to its fullest extent. The legal profession can almost be seen to be the insurance against things going wrong, or to act when they do go wrong. With that we must understand that engineers would like to make things work, and to leave things alone as soon as they do work. The legal profession must look at things when they stop working. We need therefore to take a look at IT when it stops working (in the application of IT). We need to take cognisance of the behaviour of all systems and humans in these systems to really understand the application of IT. The legal profession must participate in IT to understand IT.

115

This chapter, in summary, looks mostly at the behaviour of the real world and IT in relation to information and the use of information. I can summarise it as follows:

Real world: risks and processes are tangible processes
Cyber world: risks and processes are remote and intangible

I use many examples to illustrate the human aspects of civil behaviour. All these examples are fictitious, with no reference to people or enterprises.

2. IT security

Before we can even start to discuss IT security we need to understand the behaviour of the digital age, or let me just call it cyberspace. What is cyberspace? It is similar to human space and in fact behaves like human space, because humans make it work by using it. Cyberspace is the digital infrastructure where digital information exists. It consists of computers that create and process information at the instruction of humans. These computers are interconnected with wires that are the communication paths where information flows. To print the health content on a food packet many layers of real world services are involved. To get a web page or electronic mail many layers of digital services are enacted to get the desired result. To illustrate the behaviour I will provide real world parallels to each of the layers or digital components. In fact you will find a digital parallel to all the real world processes for transacting and information sharing.

116

2.1 Internet/IT containers and processors

2.1.1 Computers People

This is where the creation and manipulation of information take place. Up to now intellectual property is vested in people. This intellectual property is represented in information

, which is communicated; otherwise it means nothing. Computers act on behalf of humans. Humans direct the job to be performed by activating a specific application with specific data.

2.1.2 Disks

Paper

The storage media.

2.1.3 Files

Documents

The grouping of information.

2.1.4 Application

Job

The tool/process of data/information manipulation and creation.

2.2 Internet/IT layers

2.2.1 Network wires

Roads

The paths on which documents will travel.

2.2.2 Network protocols

Delivery vehicles

The way information is transported. Different services will use different protocols.

2.2.3 The Internet

The postal services

The parallel between the Internet and the postal services is almost complete. (The Internet is in fact the name for an occurrence of internets, all linked together.) The basic transport container in the postal services is a letter or a message. A message is delivered at a specific address and responded to when necessary (this message must not be confused with an e-mail message, which consists of many of these messages). It takes time to deliver a message and messages will follow different routes to the same destination. Both these services will lose, scramble and misdirect the messages. Your messages can even be stolen. The digital one, though, is very fast and can duplicate as well. The sender and addressee of such a message have no control over what happens to the message once it is in the letterbox till the other side receives it. The addressee does not even know that a message is directed at him/her. This is the most basic delivery service of the Internet. All other Internet services use this service for delivery. The technical name for it is the IP (Internet Protocol) layer. This communication is connectionless.

117

2.2.4 Reliable connection services

Telephone service
This is the primary service delivery mechanism of the Internet. For example, when you connect to your bank to transact, the behaviour during connection to the bank’s web page is the same as when you phone the bank:

You need the number to call.
The phone needs to be answered.
The initial identification takes place. In the real world it is between the bank official and the client. In cyberspace it is between the bank server and the client’s computer.
The conversation to transact can only be concluded if the connection lasts till the end and is formally terminated. In the real world there is doubt over the conclusion of the transaction if the call was terminated prematurely. The same applies in the digital world. We call such a conversation a session and unless such a session was formally terminated, on both sides, the content of the session is seen as null and void.

The important difference between the digital service and the real world service is that voices are recognisable while in the digital service everything sounds the same. This service is called the TCP communications layer.

2.2.5 Information services

Service counters

The digital mechanism to provide information services is called “Client/Server” applications. This mechanism is interactive and usually requires an exchange of information to enact a transaction. The exchange of information is always started by the client. Examples of such systems are Web servers, which use a Web browser as the client, and file servers, which use local operation system file managers as clients. The real world parallel for a file server can be a library or your back office paper filing room. The filing and retrieval of books and files require a specific procedure or else you will never find them again. The digital process is similar; a file server agent – the librarian – performs the filing function on request of the local operating system file manager.

118

In every case the client initiates the transaction, for example when you go to the bank/shop counter you request a service which is activated by the assistant. Many invisible actions will take place behind the counter to complete the service you requested. It is important to understand that all these actions take place in the digital world as well, most often in different locations but almost immediately, leading you to believe they happened locally. The bank’s Web interface for online banking represents many computers inside the bank performing your service.

This service is typically performed using HTTP or HTTPS, the secured version of HTTP. The information is represented in HTML, XML, etc. which relate to the language being spoken (English, Spanish, legal talk, financial talk).

2.2.6 E-mail

Correspondence (letters and faxes)
As in the real world, many a time it is too difficult to obtain a service directly. In these cases we typically use letters and faxes. This data exchange is called “store and forward” and processed in batches. Most bank transactions are processed like this. Work done in a legal office is processed like this. The three basic reasons for this are:

the person to provide the service is not available direct
the service provider – the attorney – makes use of helpers to be more effective, by making decisions while leaving the administrative work to the legal assistants
paper provides evidence of services and information requested and provided at a specific place and time

The electronic efficiency of this method of work has made it one of the most important ways to transact and exchange information, for example newsgroups v talk groups and e-mail v Web. It must be noted that all the services combined are more usable than each on its own. The e-mail protocols are known as SMTP (delivery), POP3 and IMAP. The messages are presented (style and languages of the letter) in MIME or S/MIME (secure MIME) as an example.

119

2.3 IT security layers

IT security can also be viewed as layers which again behave very much like the real world. A parallel can be drawn between a digital company and a real company.

2.3.1 Network level firewalling

Door

Network level firewalling provides a choke point where access can be controlled. This compares to the gate guard and the reception desk. They have no notion of the reason for your visit and only provide filtering and policing during access. The behaviour of visitors and workers can be controlled to a predictable manner by configuring it properly. For example, banks these days control access at the door by choking access to one by one using a dual door. The service area of a bank branch is called a DMZ (demilitarised zone – a bad name) in the digital world, meaning that the public can enter it and be served. A DMZ is the property of the bank, which therefore has the right to enforce certain rules of behaviour or limit access. The public is not allowed behind the counters, to which access is again controlled by a door. Often the public is allowed into the back office, but under guidance or surveillance. This is equivalent to being accompanied by an employee.

120

2.3.2 Content level firewalling (proxies)

Service counter

Here the public is served over the counter. The information for the client is passed on, by means of proxy, to the service point. The real service expert is thus protected by the public interface from the dangers of the wild world. This type of firewalling is better known as proxy firewalling.

2.4 IT security methods

I only discuss the three basic methods on which all IT security applications rely. There are different implementations of each, and many blend these methods. I split them in this way to show that the digital world is no different from the real world in terms of the method. Only the medium changes, and yes, the procedures become more rigid in the digital world.

2.4.1 Encryption

Sealing

The purpose of encryption is to keep information confidential. In the real world we will lock it away and transmit it in a sealed envelope. A broken seal will indicate that the confidentiality is compromised. The paper will show any tampering with the document. Digital signatures prevent digital tampering. Three basic classes of encryption exist: hashing, symmetric and asymmetric encryption.

The reader must first understand that all digital objects (files, documents and executables) are all numbers. Encryption is a function, like adding or dividing, to calculate new numbers from old numbers. All encryption functions are scrutinised to determine their value and integrity for the intended use. Secret algorithms are frowned upon and are typically not used. DES, for instance, is widely used and respected because so much effort is still going into trying to break it. However, all encryption can be broken; it is just a matter of time and money and finding the right message (see 5.4.3 below).

2.4.1.1 Hashing

Hashing is commonly used to show tampering. Examples of hashing algorithms are MD5 and SHA.

Hashing shrinks a digital object, which is a large number (and growing), to a small number that we can process easily. A specific message is an example of such a large number. If we hash a message we will get a small number that completely represents the message.

121

or hash (message)*n digit number called a digest

Now we can say that if we change the message, then the digest will change. We cannot generate the message from the digest since that digest will represent many messages, but statistically none will make sense in the original context of the message. For instance, when I create an order for 10 items and someone changes it to 100 items then the digest will change. The mathematically correct expression is:

Statistically the chance that the digest of a message will be equal to the digest of the same tampered message is so small that it can be ignored (or will not happen).

2.4.1.2 Symmetric encryption

Symmetric encryption is commonly used for scrambling data. Examples of
symmetric encryption are DES and IDEA.

Encryption requires a key. In symmetric encryption the key is shared between the parties who need to share the encrypted message.

The more people sharing the message, the larger the chance of compromise of the key and therefore the secret, and the more difficult it is to find the leak. Germany lost World War II partly because all their strategic messages were encrypted with a symmetric key and the English broke that key.

2.4.1.3 Asymmetric encryption

Asymmetric encryption is commonly used for positive identity and confidentiality. It can provide non-repudiation and confidentiality if the proper human responsibilities are satisfied. Examples of asymmetric encryption are RSA and Elliptic Curve.

As with symmetric encryption keys are used, but in this case the same key cannot decrypt what it encrypted. There are however two keys, not related to each other except that what the one encrypts, the other will decrypt and vice versa.

We will use the following keys (see accompanying box): -- and --

122

This, the heart of the public key infrastructure, is also known as public key encryption. The keys are called and used as follows:

is called the private key and must remain the secret of the holder, never to be shown to anybody

is called the public key and is given, in trust (by its source), to the public

Now consider the following: Abe and Bill each has a key pair generated by each of them in complete confidentiality.

Case 1 – Non-repudiation: Abe uses his private key to encrypt a message. Anyone with his public key can decrypt his message. Therefore:

if Abe has kept his private key secret, and
if anyone knows beyond doubt that the key that decrypted the message is Abe’s public key, then
anyone knows beyond doubt that only Abe could have encrypted that message.

Although anybody can read the message (the public key is not a secret) Abe cannot deny that he encrypted it.

Case 2 – Confidentiality: Someone with Bill’s public key, who positively knows it is Bill’s public key, encrypts a message. Only Bill can decrypt that message if Bill has kept his private key secret and can therefore claim confidentiality. Bill however does not know who encrypted the message.

Case 3 – Privacy: This is the combination of confidentiality and non-repudiation. The document is shared solely between Abe and Bill if and only if Abe and Bill are duly diligent in keeping their private keys secret, and both can positively tie the public key to the right person. This process positively identifies both Abe and Bill. Symmetric keys are shared in this way to increase the speed of encryption since asymmetric key encryption is slow (see 4.4 below).

123

The combined use of hashing and public key encryption constitutes a digital signature (see 4.1 below).

2.4.2 Access control

Entry ticket
Here access is granted to a human or an application acting on behalf of a human. The reference of the human identity is however authenticated. The
process of establishing positive identity always follows the following steps:

Claim identity by providing a reference to that identity (name).
Provide proof of that identity (password, ID book).
Authenticate the proof and thus the identity.

These steps are sometimes hidden. Three basic classes of authentication methods exist:

2.4.2.1 Shared secret

Passwords and biometrics fall into this class. The authenticator and authenticated share a secret, or authentic credentials biometrics. This secret is shared not in the process of authentication, or else the authentication can be compromised. We call this sharing out-of-band. The shared secret must also be confidential in transit to prevent its being snooped. Passwords are a weaker form of secret than biometrics because they can be passed on or overheard, having no direct tie to the holder. Biometrics, like passwords, can be recorded since they do not change and therefore cannot be trustworthy for remote authentication. Biometrics used as a local enabler to a challenge response device (encrypting smart card) are however the strongest form of remote authentication and with the proper practices in place can provide binding non-repudiation.

2.4.2.2 Challenge response

We use challenge response in everyday life more than we think. When a person calls you on the phone you have your little greeting, giving your subconscious a chance to identify the voice. A playback of the voice will immediately be caught out. I often have this experience of talking to a voice mail greeting only to discover it does not answer. The process of challenge response is that both parties share a knowledge of each other and the authenticated party has a process that is unique to that party, for example a voice or a secret calculation. The steps are then as follows:

124

Authenticated claims identity with reference.
Authenticator challenges authenticated:

• “What is the weather like?”

• “Use this number in your authenticator calculator: 387892.”
Authenticated computes:

• “Cold with a bit of rain.”

The voice is the unique component – no recording playback is possible.

You enter your PIN and the supplied number into the
calculator, which provides a result: 897342.

Only if you lose your PIN and the calculator can you be
impersonated because the calculator is unique to you.
The authenticator verifies the claimed reference against the
challenge and the response.

2.4.2.3 Trusted third party

Here we allow a third party to vouch for the identity of the authenticated. The authenticator must trust the third party to allow it to vouch for the identity of the authenticated. As with passwords we need to protect the communication channels and the initial identities must be created out-of-band. This method is the norm for identification in the real world; you are identified by ID book reference or by someone introducing you. We use this method more than we think; for example, when you introduce your new wife to a friend you act as the trusted third party for the identity of your new wife. Your friend will not ask her to present her ID book, for he trusts you absolutely. If the lady is just a mistress, your friend will not know the difference if he trusts you, but then in this example it does not matter unless your friend happens to be the private eye of your wife!

2.4.3 Property rights

Usage rules
The use of services or data is controlled after access has been allowed. For example, you might have access to a file system but specific files can only be read or executed and not changed. This is similar to the real world, for example the road system – everyone can use the roads, but that use is controlled by the type of licence, be it a light vehicle or bus, etc.

125

This mechanism allows for the protection of specific sets of information. Unfortunately we need to trust the controller of the property rights, the operating system and the file system before we can say the information is protected. Since people are starting to use more and more services, trusted third parties are becoming more important in the use of digital services (the parallel of the ID book). The latest digital trend is towards so-called “single sign-on servers”. These servers are trusted third parties, which manage property rights on behalf of servers/services based on positive identification of the server/service and the client requesting a service. Servers and services thus retain local right to veto use, but stand under centralised management for efficient control and operations.

3. The physical world v cyberspace and the issue of trust

Trust: a mental state of confidence in the integrity of beings, services and goods
In the physical world trust is established by using our senses and experience. When we touch something we can feel it is solid. When we look at a brand name on a billboard we know it is authentic. When we walk into a bank branch we get the feeling of banking. When we walk into a shop we know whether it is good or not and from experience we trust the shop to provide quality services and goods.

We interact, deal with and use the people, goods and services around us, based on that very trust. A trust, mainly, that the expectancy will be fulfilled and the risk of harm is minimal. This trust is unconsciously met by satisfying the following requirements most of the time:

authentication
authorisation
privacy
integrity
non-repudiation

These requirements are met by being physically there, being able to see, touch, smell and comprehend. We can influence these requirements through our physical presence. We can relax certain requirements to suit a specific moment, environment and action.

126

The cyber world poses interesting problems in meeting the trust requirements:

No-one is physically present – a screen with a very similar look and feel presents all things in the cyber world. The priest and the gangster could be the same entity; who will know the difference?
Everybody is everywhere – the cyber world is such that you can be at many places simultaneously. There is no such thing as a good or bad neighbourhood; all are just the same. The fact that someone is cyber present here does not mean that that very same person is not causing some mischief elsewhere, or is in the middle of some private data exchange.
No tampering is evident – digital documents can be changed, copied and created at will without any trace of the action.
Automation – all tasks can be executed faster and more reliably than a human could do. Computer brute force can nullify any obscurity measures taken.

In the real world you buy a brand name mixer from an appliance store, because you value the integrity of the store to supply the real thing and provide proper service. You could also buy the same thing from a street corner, and you know the risk you take the real thing, no service, stolen goods. You decide on the degree of trust by being present, the store or the merchant also being present. This is not possible in the cyber world. There is no presence or omnipresence without identity.

The technology to provide presence in the cyber world is maturing at a rapid rate. Public key technology is the paramount mechanism for digital identities, which in turn are proven or certified to be trustworthy by a trusted third party, a certification authority. Thus if all trust such an authority or hierarchy of authorities then cyber presence can be established.

Utopia would be when all cyber citizens can be identified by a digital identity, thus rendering effective exclusion of aliens and enabling interaction based on a mutual identity, presence and the trust born from this. You would then be able to identify the merchant. It can identify you. You can rely on its reputation and you can be verified to be a legitimate customer. Both parties can evaluate the risk in interacting or dealing, so you are in control of the risks just like in the real world.

127

The most important question for mere mortals to ask is then, “Whom will I entrust with my cyber citizenship?” The authority on a web page or an authority that you can visit, that has continuity and understands liability? In essence you make a decision between a certificate that is a commodity and a certificate that proves your real digital identity. Deciding on which Certification Authority to be used is not merely the action of visiting a web page.

The certification process, as used today by Certification Authorities (CAs), is based on the public key infrastructure and X.509 standards. This in essence specifies the following:

A private and public key pair will represent entities in cyberspace. The private key is to be secret, known only to the specific entity, while the public key is to be published using an X.509 certificate. The private key is used to encrypt information coming only from the entity holding the private key, to be read by anyone holding the entity’s public key. When information is encrypted with an entity’s public key, only that entity can read the information.
Digital objects are signed to provide trust in the object, similar to signing a document in the real world. Such a signature then allows for tamper detection of the content, time and date stamp, and the authority or identity of witness to the content. The content can bind the signer to rights and liabilities and in such a case can impose intent on the part of the signer.

John Lowry (jlowry@bbn.com) writes:

“The signature on the document establishes intent.
Identity is asserted by the certificate.

Saying that my key is my name is equivalent to saying that my pen is my name. This is nonsense.

My key is what I use to – among other things – establish intent and provide integrity. My pen is used for the same purpose.

My X.509 certificate is what I present to assert an identity.

My birth certificate (and other credentials) does the same in other
contexts.”

128

He puts in a nutshell the complete mechanism and trust in a signature on which the PKI (Public Key Infrastructure) trust model is based. Let’s take an example and work through it carefully:

Joe receives an e-mail signed by Mary. Joe needs to establish trust in the e-mail received. This trust can be broken down into smaller components:

Did Mary really send this mail?
She signed it and supplied her certificate to prove her identity.

Did she really write the content?
We trust the software Mary used to have applied the signing correctly and that Mary has protected her private key.

Did she really write it at that time?
We trust the operating system and the software to apply the correct time.

Was there intent on Mary’s part as regards content of the e-mail?
She typed it, didn’t she?

Can we trust her certificate?
It was signed by a well-known CA with a trusted reputation of which the CA certificate is published in more than one place to be scrutinised and checked by the software.

Can we trust the software doing the certificate verification?
We use it daily for many different applications. Tampered verification should be detectable, except for designer Trojan horse verification tampering.

The components to trust, in summary, are then:

The CA key pair. The private key must never be seen outside the signing black box. This is the only system-wide secret in a PKI trust hierarchy. The CA signer certificate must be capable of being verified in more than one place. The level of trust and risk is fully under the control of the specific CA. Protection of the CA secret key while publishing the public key in the CA signer certificate is a hard issue and can be measured.
The process of notary and issuance of certificates must be open to be scrutinised. This in essence dictates the level of trust to be applied to the certificate and thus to the identity of an entity. The level of trust and risk is under the control of the CA but should be scrutinised to ensure best practices. A fraud opportunity does, however, exist in the presentation and verification of information regarding the identity of an entity.
The verification. Trust in the software and its use is an entirely human issue. Trust is gained through use of the software. A high awareness of the trust mechanism should be instilled in subscribers to certification.

129

The only outstanding mechanisms to complete the PKI trust components are the safekeeping of each entity’s secret key and the encryption processes. These mechanisms are under constant scrutiny to ensure their integrity and correct use. Overall it is important to understand that as there is no perfect trust or risk, so there is no perfect security or positive identity, but just best effort.

4. Public key infrastructure – digital certification

We need to achieve positive identity and tangibility of artefacts for the cyber world to work like the real world. The only realistic way is to provide identification in the cyber world by trusted references in a specific domain for a specific role, which will allow risk to be determined on the basis of trust and identity.

The tools of PKI are hashing and asymmetric encryption. The components of PKI are:

the Certification Practice Statement, which dictates the due diligence and best practices for the trusted use PKI, for example the VeriSign CPS (www.verisign.com/repository)
a public key pair, which is the tool of identity and witness to that identity
a digital signature, which binds a digital identity to a digital object
a certificate, which provides the witnessed reference to a specific digital identity
the Certification Authority, which acts as the trusted third party who issues certificates to digital identities

130

4.1 Digital signatures

We need to take cognisance of the properties of a physical signature to discuss a digital signature. A physical signature is made by the hand of a human, using ink and paper – a tangible experience.

The Sacher report entitled “Paper document and hand-written signature” points out that a paper document consists of four components:

“the carrier (the sheet of paper),
text and pictures (the physical representation of the information),
information about the originator/issuer and
some measures to verify the authenticity (usually a written signature).

Carrier, information content, lay-out and signature are physically connected, so that we can say that the paper is the document.”¹

There is only one original, intended also as a unique physical object, which can be reproduced in innumerable copies.

A paper document is stored and read exactly in the same form, and this means that in the long term large amounts of paper are accumulated.

131

Nowadays, it is important to realise that the traditional paper support has serious weaknesses. Paper document forgery and signature forgery are so common that it is necessary to consult handwriting experts to solve suspected cases of forgery. The same problems also concerns the hand-written signature, actually the most common and diffuse system of subscription.

According to dictionaries, to sign means “to write one’s name as a signature to a document in attestation, confirmation, ratification”. Each person has his/her own signature, supposedly different from all others and therefore unique, difficult to reproduce, not changeable and not reusable.

From this, we can deduce that the signature simultaneously has three main functions:

identification
declaration
proof

“The identifying function of signature attributes the statement unequivocally to the signatory.”² Everybody who reads a writing can relate it to its issuer and signer, and determine without any reasonable doubt the origin of the text. In brief, the signature is used to identify a person and to associate that person with the content of that document.

The signature can always be related to a physical person, even if the juridical subject, to whom the act should be related, is a legal person. For the juridical person, one or more physical persons who have been authorised will sign. In this case, the physical person signs “in his capacity” as representative of the legal person. The recipient of a signed document will know that the message arrives not from that natural person but from a legal one represented by the signer.

At the same time the signature is the manifestation of the will to sign, the “animus signandi”, i.e. the expression of the will of being identified as the author, in order to provide certainty as to the personal involvement of that person in the act of signing. It is part of the general legal awareness that the expression of will is a consequence of writing one’s own name at the bottom of a paper, and this is traditionally defined as the warning function of hand signature.

But the will to sign is not sufficient by itself: there must be a physical manifestation for third parties and, in a court, for a judge, i.e. the signed document is the proof of the event it represents. This material aspect is undeniable for juridical security.

132

The evidence function is closely connected to the characteristic of opposability of the document: if a document (a writing) is characterised by the identification of its authors, by a certain content, by a certain date, and its signature is the seal of all legal implications of the document, opposability means that the burden of proof of forgery of any characteristic of the document, of its invalidity or nullity, lies with the signer/issuer who claims the forgery, invalidity or nullity. Every legal system has given a juridical value to signature and has provided for the cases in which it can be repudiated. In almost all jurisdictions, the strength of the document is greater if the signature has been affixed in the presence of a public official.

Legal references on the juridical value can be found either in civil or in procedural law.

“In addition, a signature could perform a variety of functions, depending on the nature of the document which was signed. For example, a signature might: attest to the intent of a party to be bound by the content of a signed contract, the intent of a person to endorse authorship of a text, the intent of a person to associate itself with the content of a document written by someone else, the fact that and the time when, a person had been at a given place.”³

To recall other functions and characteristics of signature, we can mention that by the act of signing the document at the end, the author closes it, so that every word or phrase after it indicates manipulation.

A hand-written signature is easy to affix and read: these are two of the most important qualities of subscription and the first objection to the introduction of a digital signature system.

A common aspect in all legal systems is the absence of a prescription of an exclusive modality of signing. Everybody can use their full name, their initials, a nickname, a seal or even a cross if they intend those characters to be a token of their will and responsibility. What is important is not the nature of the symbol anybody uses to identify themselves, but the intent behind the symbol.

This means that there are almost no authoritative rules for the way of signing and that, from a legal point of view, nothing is against the introduction of new types or techniques of signature.

Every legal system recognises contractors’ right to rule their own contractual relations, defining also the way each one can sign the agreement.

133

In this framework, natural persons can decide to conclude their contracts using only computers, either in the negotiation or in the conclusion phase. Contractors can mutually accept the digital signature instead of the hand-written one, simply inserting a clause that gives to digital signature the same powers and functions as hand-written signature.

In the following sections, we will give more details about the freedom to contract and the different clauses that can be agreed upon to use digital signature at the bottom of agreements.

Nowadays in legal literature, it is a common statement that hand-written signature and paper document are superseded by technology. With modern instruments, such as a scanner and plotter, it is possible to reproduce every signature perfectly and to copy it innumerable times.

A digital signature system, with some technical warnings, has a higher degree of security and will be the future of subscription.

We first need to discuss digital signatures before we can understand the purpose of digital certificates. Compare the process of making a signature (or the mark of your identity – the legal requirement) to the digital signature: in the real world we use our hand to make the mark (with ink on paper) – a tangible experience. The digital mark is made by encrypting the digest (result of the hash) with the private key of the signer. The paper and the digest are thus the integrity part of the process. The signing process is witnessed by an independent party who also signs the document. It is important to note that authority of the signature is vested in the level of trust and integrity of the witness. A weak witness without substantiating proof might yield the signing of a contract useless.

134

The steps to digitally sign a document are as follows:

Hash the document

digest

Add time to the digest and encrypt it with the private key digital signature. Note that time is not added in the S/MIME standard because time can be changed on personal computers.
Put the document, digital signature and certificate in a digital envelope signed document.

This then reflects a signed paper (digest) document that contains the content (digital document), signature (encrypted digest) and witness (digital certificate).

135

The following signature properties are thus established:

identity – by using the private key, which is kept secret by its holder
authenticity – by using the public key, which is held and witnessed by the certificate
tamper detection – by hashing the content
time stamp – at the time of the operation if the signature is notarised by a digital trusted third party (note that the signer computer’s time can be change to fit the event and therefore does not yield a binding result)
consent, compos mentis – subjective by clicking the button
liability and accountability

4.2 Digital certificate

A digital certificate is like an ID book. It is a digital file of a specific format (X.509) that contains the common name of the holder, the issuer and conditions of issue digitally signed by the CA. It is a trusted reference and witness to the positive identity of an individual or entity. The digital certificate binds together a public key and the reference to the holder of the associated private key. The CA signature and the issuance practices provide the reference to the integrity and level of trust that can be associated when relying on the certificate. The digital certificate is normally a public electronic document for scrutiny. It is sent as witness with digitally signed documents. The certificate cannot provide any IT security on its own. Used in conjunction with the associated secret private key the following can be achieved:

non-repudiation
privacy
confidentiality
access control

4.3 Public key infrastructure

The accompanying box depicts the life cycle of a public key infrastructure.
Each numbered step in the figure is discussed below.

We will discuss the three distinct processes. The detailed legal and integrity practices of these processes are specified in a Certification Practice Statement (CPS), for example VeriSign’s comprehensive CPS on its public certification programme (www.verisign.com/repository).

136

4.3.1 Issuing authority

The issuing authority (IA) consists of the Certification Authority (CA) and the local registration authority (LRA). For a PKI to work we first need to establish the identity, integrity and trust of the IA. It is like creating a trusted government (CA) and establishing a department of internal affairs (LRA) which will be responsible for registering citizens to be issued with an ID book (certificate). The steps involved are:

I. The CA creates a key pair.
II. The private key is kept secret while the public key is published in a certificate signed by the private key. This process is called self-signing. The witness is therefore scrutiny through use.

4.3.2 Certification

The subscriber creates a key pair (typically using a browser).
The private key is kept secret (using a password or smart card) while the public key with specific authentication information, of the subscriber, is send to the IA (LRA part).
This information is verified according to an authentication model by the LRA. The relevant information and common name of the subscriber are bound with the public key in the certificate by the CA’s digital signature.
The certificate is then published in public space as well as returned to the subscriber to be verified for correctness, after which it is used.

137

4.3.3 Use of certificate

Bill is to send a signed document to a lady, who will rely on the certificate to determine her risk, based on the content, in relying on Bill’s digital signature.

a. Bill creates the document and signs it by encrypting the digest (hash of the document) with his private key. Note that Bill cannot encrypt the document for privacy because the lady does not have a key pair (see 2.4.1.3 above).

b. The signed document (see 4.1 above) is sent to the woman.

c. The woman opens the document using an application and reads the content. She determines the associated risk and decides to what level to rely on the certificate.

d. The application uses Bill’s certificate to extract the public key and verifies the integrity (not tampered) and identity of Bill.

e. The CA certificate (normally distributed with the application) is used to check the integrity of Bill’s certificate.

Looking at the process we can see three PKI pillars of trust:

CA keys and public witness (certificate) – the only system-wide secret and trust.
Notary and issuing – the level of trust is determined by the integrity of the process of issuing and the notary performing the task. For example, VeriSign is such an notary which provides three classes of public personal certificates:
Class 1 for e-mail
Class 2 for identification
Class 3 for existence
Verification – the subscriber must verify the correctness of the certificate on receipt and digitally present it in good faith. The relying party must verify the certificate when it needs to rely on it to determine the associated content risk. The relying party must also verify the above two ingredients of the certificate’s trust/integrity.

138

It is important to realise that a PKI cannot stand on its own and technically delivers on the promise. The human side is still the crux! We can however say:

A PKI binds an identity to cyberspace, within a specific domain, with a real-world trust if and only if:

the certification authority,
the registration authority,
the subscriber and
the relying party

act in due diligence – which is possible with the right measurement.

A PKI thus creates a trusted witness to cyber identity, allowing risks to be
determined based on trust in a given domain enabling:

confidentiality
non-repudiation
access control
security

139

4.4 PKI in use: secure Web server

Consider the process depicted in the accompanying box.

140

It is important to note the underlying principles of PKI:

The private keys remain secret and are never transmitted anywhere.
Both parties claim identity by presenting their credentials in a certificate.
Both parties verify the stature of the witness of identity by the signature on the certificate which lays claim to the identity of the certificate issuer (certification authority and registration authority) and the underwriting practices.
Positive identity is established through challenge and response.
Risk to the transaction is determined by the practice of issuance and the potential content – level of non-repudiation.
The session (introduction, body, conclusion) of the transaction is embodied in the communication process and the unique session key.

This process is called SSL and is enacted by using the URL prefix “https” (https://www.banking.co.za). The process described is called mutual authentication, whereby both parties are positively identified using PKI certificates. The trust and integrity of this method, however, lie in the CA used to issue the certificates and the due diligence of each party to keep its respective secret key secret (see PKI Trust Pillars). A transaction using this process can be binding by mutual agreement, but risks are made tangible through the use of positive identities established by a trusted third party. This process imposes a responsibility on both parties to the agreement to perform to best effort in the human aspects of the technology and as such create a level of liability scoped to the extent of the content of the transaction. The mere act of certifying a server, held by a trading enterprise, relates to the establishment of a shop front by that enterprise for the purpose of trading.

The server-only authentication version (ignore the grey text) is commonly used by service providers and banks to create a confidential transport medium between the client and the server/service (it uses the commonly known Server Certificates as issued by VeriSign/SACA among others).

5. Examples and discussion

The examples and discussion below are included as teasers. The authors, editors and publishers are not taking sides but merely trying to illustrate the power of Internet discussion groups by looking at IT from a human behaviour perspective. In these discussion groups, participants are without race, gender or background. Because there is no physical behaviour, no-one can be overpowered and everyone has a fair chance for an opinion and an answer. With everything being recorded, the result is true debate of the mind through written reasoning.

141

The examples are fictions but based on potential or real cases. The discussions were held in public in Internet discussion groups. Participants have the right to their respective biased opinions and do not represent any institution whatsoever.

5.1 About positive identity and civil obedience

Soccer and Africa, a very interesting example! Let us take a closer look. Africa has a civil disobedient society whereas the First World has a civil obedient society. Why? The answer lies mostly in positive identity and traceability of an individual (ownership also plays a major role). Recourse can be taken against an individual and this specifically is a whip to civil obedience. For example, it is said that you disappear in a crowd – soccer hooliganism is rampant in crowds under the influence of alcohol. Crowds and alcohol make you disappear and give you the feeling of no liability because you believe you cannot be identified. At the world cup soccer in France ID photos and numbers were taken with the sale of tickets. The stands were policed using video cameras, with the result that an awareness of traceability was created and thus the hooliganism was reduced to a few events outside the stands. Africa is just the opposite, individuals are difficult to identify and to trace and have nothing to lose.

If we look closely and put our digital blinkers on, then we can see the similarity to the Internet as it is today: lack of positive identity and tangible artefact. Liability and accountability, in cyberspace, are remote values since only humans gain and feel by recourse. The most effective and most frequently used argument for non- or malperformance is: “The computer did it!” or “I accidentally pressed the wrong button.” Life, in cyberspace, has become an arcade game of war where pain and feelings have no meaning and fairness has no measurement.

It is interesting to watch the Internet society evolve from barbarism to civil societies through the process of establishing positive identity, tangible artefact and thus ownership. The ethical values are starting to take shape. Law is about to play its role in the formalisation of digital social rules and the yardstick of common digital wellbeing. Cyberspace is at the stage of the Wild West with the promise of a mighty empire.

142

5.2 About tangibility of artefact

Computers tend to be fallible because of their complexity and human incomprehension. They are created to be easy to use, to be transparent, and to that extent have complex customisation features. We need to configure them to get them to work properly. This configurability also becomes a strong ally to the evil-minded opportunist.

Artefact, as I call objects of information or intellectual property, only has meaning once it creates (potential) value to the creator of that artefact. For example, in the real world, a bed: it needs ownership at a given time to become valuable as a place of rest or pleasure. This bed can then be used by the owner or commercially exploited. It can be stolen or be broken. Digital artefact does not have the tangibility of the physical world. You cannot steal it nor break it, you can however change it without any scars. It is like thoughts, vapourware unless made tangible and brought into the physical world. A patent, instruction, manuscript, deed or article is an example of a process fixing an artefact. This process captures the artefact, at a given time, and lays claim to being the creator of it (in non-legal terms). This has been the hallmark of legal work. Important (enough) artefact has been captured, in the manner of a trusted third party, by the legal profession to benefit its clients. We have seen this very same method in commerce, the cheque, order, invoice, design, specifications, etc.

The electronic age has driven us to move away from patient paper as medium (mostly because we have become impatient operators of artefact) to digital media, such as faxes, e-mail and electronic documents. This has resulted in the following interesting problems:

time of creation
fixing of creation – that it cannot be changed later
ownership of creation

In the physical world we take a snapshot or photo at a given time and we bind it to a person or entity for reference – proof of being on top of Mount Everest. It is said that an e-mail has time to it: you can reference the creation date of a file. But you can also change your computer’s clock!

A trusted third party and digital signatures provide a method to make digital artefact tangible. A snapshot is taken of an electronic document, containing artefact, by digitally signing it. If this signature is signed by a trusted third party binding time and authorship or ownership to the content, then we can say that we have made digital artefact tangible. It is important to note the role of an independent trusted third party as witness to the creation of the snapshot at a given time for a given entity and purpose.

143

5.3 About passwords

Passwords are commonly used to identify humans by reference. Passwords are however mental objects and can be passed around or snooped without tangible loss. Human behaviour regarding the confidentiality of passwords therefore plays an important role in the strength and trustworthiness of a password. One can compare a password to a physical key. In real life the key needs to be duplicated and held by the user to open a lock – a tangible experience with tangible evidence that results in a tangible liability and responsibility. That specific tangibility is lost when we deal with passwords. How many of us have given our spouse our ATM PIN to withdraw or bank money? Have you given your mailbox password to someone to read an important e-mail for you when you had no physical access to it?

Password management is an important aspect of IT, and here another debate rages: “single password for all services” v “one password per service” and “forced periodic change of password” v “change password as needed”. The answer lies in the risk, which is determined by the humans who use the passwords:

Having many passwords means that each is infrequently used; therefore they get written down, which defeats the confidentiality.
Long-term use of the same password increases the risk of losing its confidentiality.
Using the same password at many services potentially shares the password with many people (you and the administrators), thus reducing confidentiality.

As can be seen, all these factors work against each other. Determining the right balance for the specific environment is therefore important. Basically there are three levels of risk, associated with three domains of passwords use.

5.3.1 Local password
This is the strongest form of password. It is a shared secret between the human and a machine and only that machine, for example a smart card PIN or your PC boot password. Using biometrics (fingerprint, retina scan, etc.) can provide a high level of non-repudiation and positive identity when used in conjunction with PKI and trusted third parties.

144

5.3.2 Closed domain password

Here a shared computer using a secured transport medium, which is controlled by an administrator whom you know, authenticates your password. Your ATM PIN falls in this domain because you trust your bank or else you would not be using its services. The transport medium is secured, even with online banking over the Internet. In essence if something goes wrong with your password, for example if it has changed without your request, then you know whom to hold responsible. The administrator could have changed your password (because of being unable to read it) and accessed your data or impersonated you without your knowledge – always be suspicious when your password has changed or when you are required to give a new password.

5.3.3 Public password

This case is the same as in the closed domain but you do not know the administrator or the transport medium. In fact this password can be deemed to be in public space. The “cricinfo” (www.cricket.org) registration password falls in this class; the web site even carries a warning not to use your local password to register (see 6 below).

5.3.4 Guidelines for password use

Choose passwords created from two words, preferably non-English, which you can easily remember. Many derivatives can now be created from a word pair by separating them with a digit or the use of capitals in the words.

stap+klim (the things I like in life) makes Stap2Klim (hike to climb)

skyn+son makes Skyn7Son, skyN9soN

Choose a word pair for each of the risk domains you use:

Local: boot password, digital signature password, etc.

Closed domain: Microsoft domain password, file server
password, etc.

145

Public: Internet access password, Web registration password, Internet e-mail password, etc.

Create a derivative of the base word pair for each instance needed in each risk domain. You will find that you most likely will only need two passwords in general.
When password changes are required, then create a new derivative or if you suspect a compromise create a new word pair.

This way you will remember your passwords and be able to satisfy most password policies that can be forced upon you. Remember not to share your word pairs between risk domains by measuring each password required against who will share this password with you and how it will be transported. If in doubt choose the higher risk domain.

5.4 About fraud and risk

5.4.1 Credit cards

The risk of using a credit card over the Internet is the same for the cardholder as in the real world. You use your card over the counter and your number travels in the clear already. The card companies have checks and balances already in place to show up the abuse of cards. But there are differences between fraud in the real world and in cyberspace: crime has to pay, so as a criminal in the real world you need to sting for a couple of million rands and disappear. In the digital world you are not there, so there is no need to run. You can carry on with your misdeeds. The digital world also offers you economies of scale. You can defraud millions of people by small amounts – random values between R5 and R10. Few cardholders will notice it and the loss is too small to do anything about. The big losers are the merchants and to a lesser extent the banks, but in the end the consumer also suffers.

5.4.2 Electronic commerce
Consider two Internet merchants: one sells travel packages upwards of R5 000 while the other sells electronic images of R500 and below. Who runs the biggest risk? The image merchant, because a human will make use of the travel package and therefore needs to claim the goods in person. Direct accountability is thus conferred on the user of the travel package whereas the receiver of the images could be anywhere and is for all purposes invisible, so there is no liability and no recourse. The risk of fraud is therefore very high when selling the images. Note that this example excludes many other issues for the sake of clarity.

146

5.4.3 Risk of breach of confidentiality
Encrypting a message creates confidentiality in the digital world. Encryption strength is measured in the time and money it takes to break the key that was used to encrypt the message and thus breach the confidentiality. We say then that at a specific time it will take $1 million to break a 40-bit key in four days or $100 million to break it in two days. These ratios are all exponential. Keys are broken in a brute-force attack in which each key is tried independently. To illustrate this, consider your standard house keys:

A 2-lever key has 24 combinations. To unlock a 2-lever lock we need to have 24 keys (money) and 30 seconds per try 12 minutes.
A 4-lever lock has 140 combinations (exponential). To unlock a 4-lever lock you will need 140 keys and 70 minutes to break it.

The levers correlate to the bits in a digital key. A key with more bits is exponentially stronger but unfortunately the process is also exponentially slower. There is thus a play-off between key strength and processing time. The strong enough number of bits is currently 40 but is rising to +100 bits as computing power makes processing time a lesser problem.

147

Risk again plays a major role in deciding what is good enough. For instance if the government is to declare war on a neighbour in three days’ time, we only need to send the notice to the chief of the army using weak (taking at least three days to break) encryption. I would use strong encryption for a message to enact or request an illegal action (like dating the boss’s wife). Such a message can be held as evidence against me and I would not like it to be broken in my lifetime (for both the boss and my wife are likely to kill me). Very strong encryption is to be used for positive identity since you would like to hold a digitally identified person for a lifetime.

Another important factor in the risk of breach of confidentiality is to find the right message to decrypt at the right time. This is a daunting task, like looking for the proverbial needle in a haystack. If we combine time, money and “finding” then we can say that any proper encryption is good enough in general electronic commerce. It is when we store encrypted data (tangible artefact) or create positive identity that the risk of finding becomes higher and time becomes a lesser problem.

5.4.4 Beer example

Please note this is a constructed example and not related to real life at all. Do not try it with the beer companies – it will not work!

This example shows how fraud is not tied directly to money. We will see more of this type of fraud taking place in future.

You are a beer brewer in a local town, say Pietersburg. You are in local competition with the national brewer, say NatBeer, with your brand called No1. You are not gaining market share because NatBeer’s marketing budget blows you out of the water. Worse, the Pietersburg beer drinkers (PBD) are animals of habit and conform to the Pavlov behaviour – show sport on television and the beer must be in the hand. Unfortunately the wives buy the beer and thus NatBeer’s Grotto brand wins the day. What to do? Let us get a few facts together:

You know from local experience that once a PBD drank No1 then he will only drink No1. He will even go and buy his own No1, so you believe you can do your part for equal rights.
The rugby final is next week Saturday.
NatBeer uses just-in-time distribution from its brewing and depot sites. It has only a depot at Pietersburg, which ships to the whole of the Northern Province.
NatBeer is using the Internet to optimise its communication costs.

148

The action plan is to create a shortage of Grotto in Pietersburg. So in the week before the big game you spoof overstock notices from the NatBeer Pietersburg depot and zap the real notices. You also create a perceived shortage of beer in some other places by sending understock notices from other places to Pietersburg. The NatBeer system starts to ship beer from Pietersburg. Since a high stock of beer is needed for the weekend the depot stock does not look abnormal, but in fact – because the big beer buy only starts on Friday afternoon – by early Saturday morning Pietersburg will run out of Grotto, and the only beer to buy will be No1. Hereafter the PBDs buy their own beer – and only No1.

The issues in this example are:

money not necessarily being the focus of fraud
what evidence there can be against you if they can catch you
the need for IT security
the need for positive identities to prevent spoofing

5.4.5 Industrial competition

Two companies make the same toys. The one (company A) manages to make them cheaper than the other. Company A uses business to business Internet electronic commerce for ordering the raw material. Company B decides to snoop the orders on the Internet to find the quantities and type of raw material. This information allows Company B to become cost-competitive by changing its own raw material compositions, and gives it bargaining power when buying the raw materials.

5.4.6 The 10-second killing
The following is an extract from the E-CARM newsgroup on the underlying basis of trust (participants being Bertus Pretorius, Ed Gerck and Brendan Macmillan; printed with permission). Bertus suggests a sting operation with a very interesting argument on human behaviour and measurement. Brendan answers Bertus’s statement.

149

> ...a nice sting operation.

> Establish presence with no barter or tender nor

> commitment [Standard American style marketing]

> Feel the water for a big launch of a pyramid nature.

> Make the 10-second killing.

> Disappear to pop up somewhere else.

> What is to stop this happening?

-----------------------------------------------------------

I hope you won’t mind if I flesh out some details of your very important point. Perhaps this will provide a more concrete base for discussion:

TRANSACTION ORGANISATION

Let’s say I actually do set up this sting; and that “you” are one of the stingees:

+ I am a seller. I establish a presence.

+ You are the buyer, and you pay me by sending a message to your bank to transfer funds to my account.

+ I promise to deliver. You promise to pay.

+ Someone has to perform first. We decide that you go first, because you trust me to reciprocate (because of the presence I established).

+ For various reasons, legal recourse is not available (among them is that you don’t really know who I am all you know is my “presence”).

KILLING

The killing is simple fraud I take the money and run.

RECOURSE AGAINST REPUTATION

I have invested a certain amount of time and money in establishing my “presence”. This is worth something. However, cheating you is also worth something; but it will also damage my reputation. What are the costs/benefits of this betrayal?

If the damage is greater than the gain by fraud, there is little motivation for me to betray your trust but if there is more to gain by fraud, then this reputation does not act as much of a deterrent.

AUDIENCE SIZE

If the trading is just between you and me i.e. I have a market or audience of one then the gain by betrayal is just the value of one transaction, because you will only allow me to betray you once.

150

However, if my market is the whole Internet a potential audience of millions then the amount to gain by fraud is +millions of transactions.

This upsets the cost/benefit analysis.

To offset this gain by fraud would require an enormous investment in reputation. So much so, that it is merely a theoretical possibility.

One resolution is simply to limit the size of the audience but this defeats what is seen by many as the whole point of the Internet.

THE 10-SECOND KILLING

Implicit in the expression “10-second killing” is that someone will blow the whistle. But because of the (theoretical) velocity of digital transactions, 10 seconds may be enough time for millions of transactions.

Note that instructions to a bank for payment usually take time to clear thus, I couldn’t actually “take” the money. You can “stop” this “cheque”. However, other payment proposals may circumvent this.

Ed answers Brendan (and Bertus):

KILLING

The killing is simple fraud – I take the money and run. No, you would not do that in such a scenario, in general. There are four main cases here:

A. One fraud pays off your scheme this is the ONLY case that corresponds to “take the money and run”. This happens all the time and is particularly “useful” when the cost to establish a presence is small in effort, money and time. I don’t think examples are needed but the familiar case of a purported bank agent who offers to help an old lady get her money at the cash automat and asks for her card is well known the fraudster never returns to the same bank.

B. You need more than one fraud to pay off your scheme. The typical pyramid scheme. It must go to a certain level to be profitable. It is seen today in e-mail chain letters that offer a “report” that you can sell and so on.

C. You can keep at it almost forever, even quite publicly, because the victims are afraid to tell the police or to denounce it since the deal (once they get to know what it is) is fraudulent and the victim wished to get a fraudulent profit. This is for example the well-known “Nigeria operation” and is present in several “off-shore” frauds.

151

D. You can keep at it forever because you just bite like a mosquito in small amounts. This is seen in major software publishers, which sell “new versions” when they should really be giving away bug fixes which they did not fix in order to reduce costs and also to allow for a new version later on, and the scheme goes on. It is also seen in “notary schemes” where repeating or continuing validity services are sold forever; a kind of, well you had your validation attested to for that important document/web site/whatever for the last 10 years, building up lots of value in that document/web site/whatever; now if you lapse your notarisation renewal, its entire evidentiary value is lost so you must pay me and the longer you pay me the longer you must continue to pay me. This is seen also in the way that ISO-9000 certification is being organised once you go in you cannot come out unless you pay a heavy public-confidence price that was built in exactly to make you stay in the system, to someone else’s profit.

I think the above examples answer your objections all in the negative fraud, as we all know, is always possible and pays off extremely well. And certainly it is NOT a decrease in security (as by relying only on reputation and not on legal recourse) which will make frauds less likely.

As I commented before, there are a few scenarios for business without legal recourse however, the public at large will be quickly victimised by fraud if we ever say it is “kind-of-safe”, which it is NOT.

On the other hand, I totally support your studies in that regard, since they may help quantify what the problems are and into what kind of deep holes people may get if they decide to rely on faith (which is what it amounts to) and not on enforceable liability to perform.

This was, IMO, the essence of Bertus’s argument perceived goodwill (which is what reputation is) is not the same as actual goodwill as evaluated by auditing and ... has no counterpart in liability. All banks have good reputation until they fail, since failure is so fast; all stocks have good reputation until they take a plunge; Barings Bank in the UK was not an exception it is the rule. When in doubt, abstain is the age-old security maxim.

These exchanged messages illustrate the power of the Internet to argue interesting issues by individuals who do not know each other except by reputation and presence created through postings. Many news/discussion group participants are silent.

152

5.5. About IT push

Ed Gerck on the MCG talk group (www.mcg.org):

“Further, if the law recognises a digital signature as a signature, then the law must release the signer from his obligations in the same cases as the law now releases the signer – signature under the threat of unlawful force being just one example.

Perhaps a supernatural being knows whether unlawful force was used but I can only deal with evidence and the Internet evidence as well as the ATM
evidence I have are bits on the wire.

Thus we, as engineers, have the social responsibility of denying the misuse of our musings to support legal action unless such legal action is able to show beyond reasonable technical doubt whether there was indeed intent to sign and whether there was no operational fraud or fault unbeknown to the signer or recipient – as well as no use of unlawful force, for example. But, since no-one can warrant any of these facts with X.9 or AS 2805 (can you?) then I can only conclude that we should warn about their misuse in ineffective meanings derived from such protocols and relying applications. That is why it is indeed worthless (i.e. without value) to defend AS 2805 for example.”

Author biography

Bertus Pretorius is an ex-mathematician – BSc (Hons) University of Pretoria: majors in mathematics and computer science – with a special interest in human behaviour within information systems, from a formal perspective. He practises information-driven community of interest application domains at Inala Technologies and has an involvement with Lawyers Access Web (L@W). Community of interest applications represent the convergence of his interests: formal human behaviour, digital tangibility and positive identity within information-driven communities. The hobbyhorse of cyber civil obedience or disobedience and electronic evidence landed him his previous position, at SACA (the South African Certification Authority). He was responsible for special public key technology projects and network security at SACA, and also for the Certification Practice Statements that govern the issue and use of digital certificates. Before joining SACA Bertus was system architect of systems ranging from firewalling to massive parallel computing. He also consulted widely on the use of information within engineering systems.

153

Swedish Institute for Health Service Development Requirements on Electronic Signature Service, Version 2.0, Final deliverable (1995) 19
Sigrun Erber-Faller Draft Bill of the German Federal Chamber of Notaries Regarding the introduction of the Digital Signature EDI Law Review 3: 23-35 (1996)
United Nations Commission on International Trade Law, Working Group on Electronic Commerce Thirty-first session Planning of future work on electronic commerce: digital signatures, certification authorities and related legal issues, page 6, New York, 18-28 February 1997(Back)