Date: Fri, 27 Jun 1997 10:03:20 -0700
From: "C. Bradford Biddle"
To: ECFORUM@nist.gov
Subject: Comments -- Public Forum on CAs and Digital Signatures

This message contains comments submitted in response to the notice which appeared in the Federal Register on June 9, 1997 relating to the "Public Forum on Certificate Authorities and Digital Signatures: Enhancing Global Electronic Commerce" to be held by the Department of Commerce. These comments reflect my own individual views, and are not submitted on behalf of any organization or institution.

In addition to the brief comments below, I have attached a draft article titled "Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace." This article will appear in largely its current form in the Summer 1997 issue of the World Wide Web Journal. This article amplifies and expands upon the comments made below. I grant permission for you to distribute copies of the article to attendees at the Public Forum, and to include the article in any published record of the Public Forum, but I retain all other rights in the article.

The attached article, as well as two other articles I have written on the law and policy of public key cryptography ("Misplaced Priorities: The Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure," 33 San Diego L. Rev 1143 (1996) and "Public Key Infrastructures and 'Digital Signature' Legislation: 10 Public Policy Questions," Cyberspace Lawyer, April 1997) are also available on the Web at .

My comments:

1. The conventional wisdom about how certification authorities will function is wrong. The "open PKI" model envisioned by the ABA Digital Signature Guidelines is an economically inefficient model that would not survive under marketplace discipline. Generic, all-purpose identity certificates issued by freestanding third-party CAs are simply not what the marketplace is demanding. The marketplace has developed, and continues to develop, more economically efficient, useful, and imaginative business models.

2. CAs practicing the open PKI business model envisioned by the ABA Guidelines can and should compete in the marketplace without special legislation. CAs practicing this model can overcome the "contractual privity problem" which is used to justify ABA Guidelines-style legislation.

3. Legislation which endorses the open PKI model will harm the development of the electronic commerce marketplace. Even legislation which implements an "optional" state-endorsed authentication scheme risks drawing capital and resources away from more efficient and innovative enterprises, and risks creating economic harms which are externalized on to innocent parties.

4. Licensing efforts focused on the open PKI model risk being either irrelevant or harmful. Licensing is a highly intrusive form of market intervention that should be reserved for situations where demonstrated market flaws cannot be addressed by other, less intrusive means. Mandatory licensing of CAs would be harmful; optional licensing of CAs is simply unnecessary.

5. The ABA Guidelines-inspired legislation enacted to date by certain state and national governments poses grave risks to the development of a robust global electronic commerce infrastructure. The Department of Commerce should act to send a loud, clear and convincing message to state and national legislatures that such legislation is unwise and unnecessary.

Respectfully submitted,

Brad Biddle
Cooley Godward LLP
4365 Executive Dr. Ste 1100, San Diego CA 92121
voice: (619) 550-6301
fax: (619) 453-3555

Attachment Converted: "C:\EUDORA\Attach\LMW_V2.DOC"