Section of Science and Technology
Information Security Committee
Meeting of Legislative Working Group Information Security Committee American Bar Association Friday Oct 18, 2PM. Dan Greenwood, Chairman
I. Roster of Those Physically Present at the Meeting:
- Dan Greenwood, Boston, Massachusetts, Chairman
- Steve McJohn Suffolk Law School, Boston
- Richard Field, New Jersey - interest in New York
- Bruce Gaylord, Chase Manhattan, New York
- Julie Ruben, Chase Manhattan, New York
- John Tomishevsky, Private Practitioner, Boston
- Mike Hale, Secy of State's Office of Georgia
- Dale Juffernbruch, Household Bank - Virginia
- Mark Silvern, Verisign, Cambridge Mass
- Lee Gesmer, Lucash, Gesmer and Updegrove of Boston
- Andrea Cohen, Lucash Northeastern 3rd year intern, Boston
- Tom Smedinghoff, Chicago, Illinois
- Chas Merrill, Newark, New Jersey - interest in New Jersey
- Perry Tancredi, Verisign, Cambridge Mass
- Mike Wims, Utah, Chairman of Drafting Committee Utah Dig Sig Law
- Ruven Schwartz, Westlaw, Minneapolis, Minn
- Steve Jensen, 2d year law at Suffolk, Mass worked on DSG
- Mike DeYoung, Legal Consultant, Information Tech Division Comm of Mass
II. Virtually Present by Conference Telephone Call:
- California - Kay Caldwell, Software Industry Coalition
- Minn - Michael Norton and Katie Engler, Beverly Schuft
- New Mexico - John Muchmore
- Florida - Jerry York and Don Bell
- Rhode Island - Rep Brian Kennedy
- Washington Linda McIntosh, Jeff Even
- U.S. Federal, Bart Cleland, Staff of Senator Ashcroft (Missouri)
III. Notes of 10/18/96 Meeting/Telephone Conference Dialogue, Moderated by Dan Greenwood:
Minnesota
(Beverly Schuft on telephone) Minnesota has enacted only "electronic signature" legislation, 16B.42. No current digital signature legislation, but it is under consideration, perhaps to be introduced in January 1997. Looking to introduce language in January - For us the current biggest issue is lack of common standards among the 50+ potential jurisdictions. Second biggest issue is the need for education of policy making bodies and legislatures as to the importance of digital signatures.
Florida
(Don Bell). Proposed amendments are being prepared, with Dec 1, 1996 scheduled for a progress report to legislature. In our state, one problem is the thin apparent demand for commercial applications as yet. Another is inter-jurisdictional harmony, which has led to a legislative provision allowing the Florida Secretary of State to enter into reciprocity agreements with other states, pending adoption of uniform standards.
New Mexico
(John Muchmore) New Mexico has three of four important elements in place: (1) Legislation regarding authentication for electronic signatures; (2) Authority for standards to be approved by a Commission on Public Records; (3) Secretary of State as Officer of Electronic Documentation, is authorized to establish procedures for registering public keys. Still to come is the necessary appropriation legislation. The copy of the legislation faxed to Dan Greenwood is up to date. New Mexico has ducked the thorny issue of liability for the moment.
Rhode Island
(Representative Brian Kennedy) I introduced a proposal for electronic signatures during last session, but there is no legislation yet on the books. Our biggest hurdle is legislative understanding of the vocabulary and concepts. Like Florida, we do not yet have a high level of commercial use, and most have never heard of digital signatures. The legislation, which uses California rather than Utah as its model, will be reintroduced in the Jan 1997 session, with an amendment expanding the role of the Rhode Island Secretary of State's office. Rep Kennedy likes Florida reciprocity provision idea.
Washington
(Linda McIntosh) A Utah-model digital signatures bill was passed in the last session. One difference between Washington and Utah is that although Washington will license Certification Authorities, Washington will not have a public repository as in Utah. There is a high level of awareness and enthusiasm for digital signatures in the State of Washington. The vote was unanimous in the House, there was only one negative vote in the Senate, and the Governor signed the bill digitally. In Jan 1997 minor technical legislative amendments will be presented (no bill number yet), and the Secretary of State will be authorized to issue digital signatures on behalf of other state agencies. Washington shares Florida's concern about reciprocity, which appears analogous to a "doing business" reciprocity provision implemented by the Secretary of State. Washington's biggest concern is the auditing of CAs to make sure they are using a trustworthy system for repositories.
California
(Kay Caldwell) California passed a bill last year giving "electronic signatures" the full force of a signature, with broad authority in the Secretary of State to regulate. Legislation is for state purposes only. The Secy of State has created a task force to study further expansion to the private sector. CommerceNet and the software industry are monitoring the task force with great interest. A preliminary rough draft of the regs is expected by the end of October, which might reach the stage of public circulation to the task force in March. Under the legislation the Secy of State will license CAs within the context of CA law, only for state agencies and employees and for individuals who will be submitting digital signatures to the State. CAs licensed by the State must publish all certificates (as opposed to using repositories), which could be an overhead problem which impedes scaling up a digital signatures PKI. She has a good website available. Language in the proposed regs provides that California will accept certifications from other agencies and other States, trying to leave it open for further expansion.
Utah
(Mike Wims) - Asst Atty Gen of Utah, was chair of the committee which drafted the 1994 Utah Digital Signature Act and 1995 amendments. The Utah Digital Signature Agency has issued an RFP for an initial repository, from which Utah would issue certificates to state agencies and individuals. Received bids and selected a consortium of Novell, Zions Bank, Certco (Bankers Trust) and Exoterica, Inc. The Agency will meet next week (Wed Oct 26) for the first time with the vendor, to begin negotiation of the actual contract. The repository is expected to be up and running 6 months after signing the contract, but it might take a year. We are currently drafting our Agency regulations required by the existing statutes. I've brought the first six pages of those draft regs to this meeting, and I'm at the stage of looking for answers to some issues. One of our thorny areas is the recognition of CAs and repositories outside of the jurisdiction. What should be the standards for foreign accreditation? Fees need to be discussed, to be set by the State. Doesn't know exactly when there will be a public draft of the regs. When ready, they will be available for public comment under the Utah administrative procedure act, and will be posted on the Utah website http://www.state.ut.us. The State needs to increase the intensity of its regulation drafting effort to meet the goal of being done before the repository is up and running. There will be a day, not too distant in the future, when Utah digital signatures will be in action, and the Governor will issue a digital proclamation.
Illinois
(Tom Smedinghoff) Illinois has no dig sig legislation yet. I am counsel to the Commission on Commerce and Crime working on digital signature legislation to be introduced in the Spring 1997 session. The Commission has been meeting since August, and will have a draft by November 1996. Electronic messages are deemed writings, and electronic signatures are deemed signatures. Digital signatures are treated as one form of electronic signatures. Other hot issues are the best approach to regulation of CAs, i.e. by licensing or accreditation. Quality control is a concern, in light of the interstate nature of digital commerce.
Virginia
(Dale Juffernbruch) Earlier this year Virginia passed legislation for a joint committee to study the digital signature issue to determine whether legislation is in the interest of Va. Diane Horvath is contact. First public meeting is Nov 6 1pm at Alexandria City Hall. Va has reviewed both the Utah and California legislation and has not yet decided upon an approach.
Georgia
(Mike Hale) Introduced legislation in Spring modeled on Utah. Tabled, and commission created to study. It looks like electronic signatures will be given full weight as signatures immediately, and Georgia will observe other states before going further toward digital legislation. Next year the task force proceedings will be more formal. Our main issues: standardization, uniformity, liabilities of CA in PKI.
Massachusetts
(Dan Greenwood) Mass will be setting up next week a useful state legislation database on website at
http://www.state.ma.us/itd/legal
I'm speaking on behalf of myself, Deputy General Counsel of the Information Technology Division, and Ray Campbell, General Counsel. Our proposed statute is in draft on the above website, which will be up and running in the next several days. Massachusetts has selected a minimalist approach for now. It's not clear that State governments are in an adequate position to predict the future or consequent statutory and regulatory needs of the future, until we have more experience. We want to avoid yet another conflicting set of standards among the states. This reflects the Massachusetts enthusiasm for downsizing and sunsetting regulation in general. In the Bay State, less is more when it comes to regulation. Apportioning liability in the marketplace and creating presumptions to us seems premature. We want merely to clear legal obstacles to electronic signatures in general. For the time being we are technologically neutral. Later we may deal with specific cases such as digital signatures per the Utah model or the ABA Digital Signature Guidelines, but for now, our legislation equates all electronic signatures (including digital signatures) with traditional ink and pen technology for purposes of evidence admissibility and weight. In essence, the State government is authorized to implement a Public Key Infrastructure (PKI) for filings with the State and among state agencies but not for the private sector. Major issues: (1) standardization, (2) uniformity, (3) a desire to enable rather than regulate.
U.S. Federal Government
(Bart Cleland, US Senator Ashcroft, Mo) In Washington there is currently lots of distraction with encryption and key escrow, and the election. Electronic commerce is encountering a huge problem with lack of education and misunderstanding and not wanting to understand. The Senate is very traditional and mostly does not want to be on the cutting edge. The Senate Commerce Committee is hesitant to jump in until there is some strong experience. Issues: (1) standardization - should states develop as 50 independent labs? Uniform state legislation? Federal presence needed? He agrees with Massachusetts, that the Senate doesn't want to be the first to the table. Industry is perceived to be largely ethereal. Does not want to squelch development before it can roll out. Military has lots of rules. It might be easier to get the fed govt to change direction than it is to get 50 states to change direction. Members of the Senate want to observe and learn from the state experience.
IV. General Comments
Richard Field: Private practitioner in New Jersey. Bart Cleland, do you believe Senators are educated in the distinction between encryption and digital signature issues? Answer by Cleland: absolutely not. Outside of the Commerce Committee, all computer issues are considered the same stuff. Difficult to parse out different levels of issues. Senators Ashcroft and Leahy are on top of these issues because their staff has moved the ball on their own and brought it to the attention of the Senators. Need to get staffers up to speed and the members will follow when they see an issue of importance.
Richard Field to all: On the liability issue, is there any thinking about the liability of parties other than CAs? Jeff Even, State of Washington: Wash law has a requirement that CAs be bonded, and that a reliance limit be on the certificate. Question is what causes the liability.
Merrill, private practitioner in New Jersey: How about enforcing reliance limits? Jeff Even of Washington: More important to get acceptance by users, not reliance limit. Caldwell of California: reliance limit needs to be greater than $3000.
Bell of Florida: I've read a Biddle article "Misplaced Priorities", which argues that most state electronic signature and digital signature legislation does not protect consumers adequately, according to Biddle. Should there be an equivalent of access device under Reg E? Field in response: Our sense is that Reg E (or Reg Z for credit cards) does supersede state regulation, but only to the extent of the subject matter and only for consumer transactions. There are issues as to whether it covers stored value.
Greenwood for Mass: Do we need to limit liability? In Mass, we concluded that apportionment of liability is not appropriate for single state action - particularly with an infant emerging market. First priority is to create a market by accepting certificates in the government. A legitimate role for the secretary of state - not to get into business in competition with the private sector, but we need our own CA for our own transactions, and will allow the secy of state to issue certificates for any business registered with the secy of state to do business. This will be done by electronic certificates, and this will seed the market. We are also going to accept electronic and digitally signed documents, which will also seed the market. That is a rational way to encourage the market by incentives - but avoids the unforeseen, probably negative consequences of direct regulation.
Don Bell of Florida: Agrees with Greenwood. Commerce can use electronic signatures other than pair-key digital signatures under their legislation. Can accept for any filing an electronic signature - broad definition - any mark with intention to make a signature. Don't need paired-key encryption to accomplish that. ATT Worldnet agrees to guarantee any transactions (small) without any digital signatures. Closed signature model. Currently doesn't have many people asking for legal obstacles to be cleared.
Linda McIntosh for Washington says that as soon as law is fully effective, Boeing will be using digital signatures in its business. Communication with suppliers, RFP, suppliers, nationally and internationally. She'll get more information for website.
Baum to Kay Caldwell California: What's going on in California re CommerceNet. A lot going on in California. Nationwide efforts by companies located in California are legion. Electronic checks will be particularly significant but there may be reg E problems.
Minnesota (Michael) - Members of the Bar are trying to deal with their clients and are concerned about confidential information in the absence of encrypted security. This is an early source of demand for statutory help.
Caldwell (California) state agencies are being asked to get on with this so they can handle their internal paperwork. Employee expense reports.
Jeff Even from Washington: Hearing same thing about internal state government issues. Interest from the Courts.
Wims: Utah will use electronic filing in courts as its first major use of digital signatures. Authentication of time cards will be early use.
Baum on liability issue raised by Merrill. Michael Norton of Minnesota response: what about 2B attribution. Kay Caldwell of California, has been participating in 2B, and says that discussion not yet done, and that discussion is being delayed because a new Article 2 drafting committee taking over the issue of attribution now in Article 2B. Wims (Utah): Where no privity of contract with relying party, how about product liability model? Field: How does the CA price for its risk? Mastercard and Visa move it internally in terms of limiting liability. Field worries where multiple use of CA? Merrill: single use of CA.
Caldwell: Can we have a $100 million reliance limit on a certificate? Merrill, let the market decide. Wims: [described the Utah formula for relating amount of suitable guarantee and the reliance limit under certificates.] Caldwell is doubtful.
Jeff Even Washington: reliance limit different from suitable guarantee.
Don Bell Florida: liability of IA is the issue, only on the failure of the signature.
Merrill: We can allow the market to determine what reliance limit applies. Suitable guarantee is different issue. Wims. Utah does relate the suitable guarantee to the reliance limit, but there is not universal agreement as to that issue.
Smedinghoff for Illinois: We have $5000 bond regardless of reliance limit.
Dan Greenwood wrapped up the call.
Mike Baum summarizes: We've just pierced the mere beginning of it. I'm watching everyone get great value from this conversation. We should do this again on the web where everyone is virtual, between meetings. Thanks all.
After phone call, continuing on regulatory matters:
Wims: CA need not be a Utah entity, and the repository need not be in Utah. How do we solve the problem of ensuring that a Utah-licensed CA can get at the data? Hypo: discovery order served on Utah-licensed CA, and it can't provide the records because the repository is out of Utah. We're talking about the paper backup which is not online. Utah approach is to require the CA to designate the repository a custodian under Utah law.
Wims: Fee Structure models to make agency self-sustaining:
1. Charge all CAs a flat yearly dollar fee. Wash does this.
2. Percentage of income they generate from issuing certificates, like a tax.
3. Per certificate.
4. Combo of these. Graduated scale.
Who pays audit? CA. State runs the repository in Utah.
Merrill: Since Utah recognizes foreign CAs, how does Utah avoid all CAs registering in states where there are no state fees? Wims: Can't avoid that, except for filings by Utah State agencies. Utah recognizes foreign CAs without fees.
Greenwood: Mass does not intend to license and charge license fees to every entity that is engaged in the certification authority business in Massachusetts.
Greenwood: Summarizing issues for breakout groups
1. Robust Website. All agree. FTP. Between meetings.
2. Access database for all 50 states. Standard fields for legislative issues. Miscellaneous legislation affecting signatures. See Dan's Information Sheet.
Dale agrees to be our consumer representative.
John Tomaszewski agrees to help tabulate the state regs.
Reciprocity. What does that mean? Penop is an evidence issue, not a full faith and credit. Not just a means to duck the issues, but needs to be considered in the state scheme. Not considered very useful.
Wims: we need a national association for standards.
Respectfully submitted, Chas Merrill