Section of Science and Technology
Information Security Committee
Update on Information Security Committee Activities
For the second consecutive year the ISC held its Winter meeting in San Francisco at the
Fairmont immediately before the annual RSA Data Security Conference. The ISC is committed
to continuing the advancement of public key infrastructure legal and control issues, and therefore
works on CA accreditation, commercial key recovery guidelines, PKI evidentiary issues,
certificate policy, and user liability, among other matters.
In San Francisco, as is true at all ISC quarterly meetings, working groups in breakout sessions
were the main order of business. Over 70 lawyers and technologists, representing large firms and
smaller practices, multinational corporations and startups, information security vendors, law
schools, state governments and federal agencies, participated. The number of participants in the
ISC continues to grow, and the expected work-product also expands.
A new working group was created in San Francisco. The Certification Services Agreements wg
is charged with writing "Certification Services Agreements," an outgrowth of the ISC's
accreditation and certificate policy activity. The purpose of Certificate Service Agreements is
to assist the authors of a certificate policy definition, certification practice statement, subscriber
agreement, relying party agreement, or other agreement relating to certification services by
providing model forms and a menu of alternative legal wording for use in particular clauses of
such documents.
Other work-product envisioned and worked on included that of the Global Trade wg, which is
developing an overall framework to structure and analyze secure trade issues, and is preparing an
issues statement concerning cooperation between legal, business and technological professionals
to reduce barriers to secure electronic international trade; the Digital Signatures Laws &
Regulations wg, which initiated a study of the need for model regulations to support the electronic and
digital signature laws enacted in several states to date; and the Key Recovery wg, which,
after responding to several immediate issues at the federal level with letters and
recommendations, developed its framework for the operation of a key recovery center.
The main focus for the entire ISC remains posting for comment a draft version of "Guidelines for
Certificate Policies and Accreditation Criteria," a/k/a the "Accreditation Guidelines," within the
year.
Digital Signature Guidelines
The result of nearly four years of meetings with the participation of business, legal and
technical experts from more than eight countries, the Information Security Committee of
the ABA Science and Technology Section has published the Digital Signature Guidelines
("Guidelines") -- an abstract statement of principles, intended to serve as a long-term
unifying foundation for digital signature law across varied legal settings, either for
adjudicatory use or legislative enactment. The Guidelines include definitions and general
principles, and define the rights and responsibilities of certification authorities,
subscribers (that is, persons to whom certificates have been issued) and relying parties
(that is, persons who may use these certificates to authenticate messages). They also
articulate legal expectations concerning reliance on digital signatures generally.
The Guidelines are significant in that they are the first (and pre-eminent) statement of legal
principles for certificate-based use of digital signatures. They are particularly important in the
absence of specific law on the subject.
The Guidelines were initially posted on the Web during their comment period (which closed on
January 15, 1996), during which time approximately 3,400 copies were downloaded. This
remarkable volume of downloads, coupled with the diverse and increasing number of legislative
proposals that reference the Guidelines as authority, and the use (or influence) of the Guidelines
within all observable certification authority implementations, strongly suggests that we may be
witnessing the development of a usage of trade influenced by the Guidelines. This is both
exciting and, in some respects, unprecedented.
The Digital Signature Guidelines were published and released at the ABA Annual Meeting in
August 1996. Anyone interested in obtaining a copy should visit the Section's Publications
home page, or contact the Section of Science and Technology.
Other activities within the Information Security Committee include:
Key Recovery Guidelines -- This project is focused on developing a legal structure for the
commercial escrowing of keys, whether internally (such as within a company, on behalf of its
employees) or externally (such as by a commercial escrow provider). Key escrow is defined as
one party's holding a secret or private cryptographic key for another.
Model Electronic Commerce Trading Partner Agreement Addendum -- A model electronic
commerce trading partner agreement addendum is in development for use as a supplement to
trading partner agreements. The addendum will facilitate the use of secure cryptographic
technologies, including digital signatures and certificates, with or without the use of certification
authorities.
Evidentiary Issues -- The evidentiary work group will consider the special implications of a
public key infrastructure for the rules of evidence and deal with issues raised by the
self-authentication of digitally signed messages.
Meetings -- Interested persons can contact the Science and Technology Section Manager, Ann
Kowalsky, for more information, at sciencetech@abanet.org.
Michael S. Baum, J.D., M.B.A. serves as Chair of the Information Security Committee. He can
be reached at michael@verisign.com.
10/16/97