legalxml-enotary message



Subject: RE: [legalxml-enotary] FWD: Re: some thoughts on the improper certificate validation implementation



I do not see relevance to the scope of the TC. What do you see?

--Charles

-----Original Message-----
From: John Messing [mailto:jmessing@law-on-line.com]
Sent: Wednesday, September 04, 2002 14:10 PM
To: legalxml-enotary@lists.oasis-open.org
Subject: [legalxml-enotary] FWD: Re: some thoughts on the improper certificate validation implementation


This is a continuation of the same thread which was posted yesterday, also for inclusion in a discussion of the scope of the TC.

---------- Original Message ----------------------------------
From:         Gib Sorebo <gib@CAIS.COM>
Reply-To:     Gib Sorebo <gib@CAIS.COM>
Date:         Wed, 4 Sep 2002 13:35:35 -0400

>The irony is that Members of Congress are pushing legislation that would
>shift the burden to those accused of possessing child pornography to
>prove that the images were not of actual children because of the
>difficulty in deciphering electronic evidence.  The Members argue that
>prosecutors are saying that it is becoming very difficult to prosecute
>those suspected of possessing child pornography because the defendants
>can argue that the child isn't real and force law enforcement to find
>the actual child.  If that weren't enough, legislators also needed to
>assuage the mainstream film industry that it wouldn't be getting a visit
>from the porn police for movies like Traffic and plays like Romeo and
>Juliet that use adults to simulate the sexual exploitation of children.
>To address those concerns and those of the Supreme Court, which had just
>struck down provisions of a similar law, the proposed legislation limits
>its application to "computer image[s] and computer-generated image[s]."
>That means that an artist who is particularly skilled at creating
>life-like images of imaginary children in sexually explicit situations
>on canvas cannot be prosecuted, but if he scans that image onto his
>computer, he can be.  Of course, being the fair legislators that
>they are, the legislation provides an affirmative defense for these
>would-be child porn offenders if they can prove that the computer images
>were not actual children.  (See H.R. 4623
>-http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bill
>s&docid=f:h4623rh.txt.pdf)
>
>So it seems that prosecutors are talking out of both sides of their
>mouths.  By their way of thinking, if the computer generated evidence
>is used to support the government's case, then the evidence should be
>admitted without question.  On the other hand, the defendant must
>produce extrinsic evidence to support its contentions.  I would argue
>that electronic evidence created by the same party that is proffering it
>is not sufficiently reliable "to speak for itself."  Prosecutors'
>arguments that we can't tell the difference between imagination and
>reality only help to defeat the reliability of the other electronic
>evidence they seek to present.  There's a reason the public record
>exception doesn't apply to government investigations.  It shouldn't
>apply to computer generated evidence either.
>
>Gib
>
>-----Original Message-----
>From: Steven W. Teppler [mailto:steppler@TIMECERTAIN.COM]
>Sent: Wednesday, September 04, 2002 12:21 PM
>To: ST-ISC@MAIL.ABANET.ORG
>Subject: Re: some thoughts on the improper certificate validation implementation
>
>
>Bob, et al.:
>
>If MS has run afoul of custom and usage in the industry, or proffers
>sloppily written security software, I agree that a couple of well
>pleaded complaints will be of enormous influence.  To me, these are
>"market forces" because they can have severe economic impact on a
>tortfeasor.
>
>My point was not to unearth a bug in MS security architecture, but to
>underscore the point that law enforcement personnel do not include
>people such as yourself or Hoyt.  To them the GIGO law is something not
>taught in Law School.  They believe what a computer spits out, simply
>because it did.  Prosecutors in the abuse case mentioned are close to
>declaring that digital images impliedly adopt a variant of the "res ipsa
>loquitur" theory, in which the evidence "speaks for itself" and thereby
>needs no corroboration, and in abuse cases, not even a complainant.
>Untrusted Digital evidence emphatically does not speak for itself. To
>murder an already hackneyed phrase, it's impossible to know what digital
>evidence content is, because we haven't defined what "is" is.
>
>Steven
>
>
>----- Original Message -----
>From: Robert Jueneman <mailto:bob@jueneman.com>
>To: ST-ISC@ABANET.ORG; Steven W. Teppler <mailto:steppler@TIMECERTAIN.COM>
>Sent: Wednesday, September 04, 2002 11:56 AM
>Subject: Re: some thoughts on the improper certificate validation implementation
>
>
>Stephen, I don't agree.  To the extent that the MS implementation fails
>to conform to the relevant technical standards in this area, it is not
>only a bug, but an egregious architectural/design failure that violates
>the entire intent and purpose of digital signatures. In my eyes, at
>least, this certainly ought to fall under the "fitness for purpose"
>exclusion with respect to the software industry's general "claim
>everything, admit nothing" approach to licensing and liability.
>
>To use your analogy, the situation is akin to an automobile manufacturer
>providing a brake pedal, but limiting its travel so the brakes can only
>be applied with moderate force, not enough to prevent injury or death in
>the event of a panic stop.
>
>But I don't think it will take a legislative or judicial mandate to
>solve this problem -- winning a couple of juicy tort suits, and the
>defense bar being able to demonstrate "reasonable doubt" in a couple of
>high profile criminal cases will have a very salutary effect on the
>general state of knowledge within law enforcement and prosecution.  The
>same is true for unsigned digital photos, etc.  If someone can't
>demonstrate a complete chain of custody (via the Internet??), then the
>evidence properly ought to be excluded under the hearsay rule. Even
>then, the defense ought to be able to grill each of the evidence
>custodians in order to be able to give some credence that each one of
>them might have been in a position to tamper with the evidence without
>detection.
>
>Bob
>
>
>Jueneman Consulting , LLC -- "Security Solutions for an Insecure World"
>Robert R. Jueneman, President
>1154 E. Dover Dr.
>Provo, UT 84604
>1-801-765-4829 (Office)
>1-866-430-4685 (Toll Free)
>1-801-765-4378 (Fax)
>1-801-372-5501 (Cellular)
>consulting@jueneman.com
>www.jueneman.com
>
>This message and any attached documents may contain Jueneman Consulting,
>LLC confidential or proprietary information and may be subject to
>privilege or exempt from disclosure under applicable law.  These
>materials are intended only for the use of the intended recipient.  If
>you are not the intended recipient of this electronic message, you are
>hereby notified that any use of this message is strictly prohibited.
>Delivery of this message to any person other than the intended recipient
>shall not constitute any waiver of any privilege.  If you have received
>this message in error, please delete this message from your system and
>notify the sender immediately.    Thank you.
>
>>>> Steven W. Teppler<steppler@TIMECERTAIN.COM> 09/04/02 09:09AM >>>
>
>
>Hoyt's post is germane and supports the contention in my prior post.  It
>is proper policy implementation that will prevent such man-in-the-middle
>attacks.  Reading through the rather inflammatory article to the source
>materials used by the Register as set forth in the links in my post, it
>is clear that this was not an MS "bug."  Ignoring proper "Basic
>Constraints" settings resembles more a situation in which having brakes
>but not using them while driving constitutes an alleged defect in an
>automobile.  I sincerely doubt, however, that without some legislative
>or judicial mandate, law enforcement persons will investigate, wonder or
>even care whether the "digital evidence" that "can't be easily altered"
>is the result of such a scenario, whether generated from inside or
>outside the "custodial" framework.  For those who are well versed in
>this arena, such as Hoyt, the issue is perhaps mundane.  For those not
>PKI-centric, I doubt that the definitions as well as the implications of
>improper certificate validation implementation is understood.  My
>position is that this can and will have dire effects in law enforcement.
>
>
>Steven
>
>----- Original Message -----
>From: Hoyt L. Kesterson II <mailto:hoytkesterson@EARTHLINK.NET>
>To: ST-ISC@MAIL.ABANET.ORG
>Sent: Wednesday, September 04, 2002 3:54 AM
>Subject: some thoughts on the improper certificate validation
>implementation
>
>
>
><snip>
>
>
>

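The "Basic Constraints" point raised in the forwarded thread is its one concrete technical claim: a validator that verifies signatures but never checks whether the signing certificate carries basicConstraints CA:TRUE will accept a certificate that any ordinary end-entity key holder "issued" for someone else's name, which is exactly the man-in-the-middle precondition the thread refers to. The Go program below is an added example, written for this page; it is not code from the thread, from the Register article it discusses, or from any vendor's product. It builds a three-certificate chain in memory (the names Example Root CA, attacker.example and bank.example are placeholders), then validates the chain three ways: NaiveValidate is a reconstruction of the class of flaw described (signature checked, CA flag ignored), not the actual implementation under discussion; StrictValidate uses the standard library's CheckSignatureFrom, which enforces the RFC 5280 4.2.1.9 rule; LibraryVerify runs full path validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three constructed certificates: a trusted root CA, an
// end-entity certificate the root issued, and a certificate that the
// end-entity key (which is NOT a CA) was used to sign.
type Chain struct {
	Root, Leaf, Forged *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// tmpl builds a certificate template; CA templates get CertSign key usage,
// end-entity templates get a SAN and the serverAuth EKU. Names are placeholders.
func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, // basicConstraints is always present
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func mustCert(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain: root issues leaf (CA:FALSE); the leaf key then "issues" a
// certificate for bank.example, a name the attacker does not control.
func BuildChain() Chain {
	rootKey, leafKey, forgedKey := mustKey(), mustKey(), mustKey()
	rootT := tmpl(1, "Example Root CA", true)
	root := mustCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf := mustCert(tmpl(2, "attacker.example", false), root, &leafKey.PublicKey, rootKey)
	forged := mustCert(tmpl(3, "bank.example", false), leaf, &forgedKey.PublicKey, leafKey)
	return Chain{Root: root, Leaf: leaf, Forged: forged}
}

func HonestChain(c Chain) []*x509.Certificate { return []*x509.Certificate{c.Leaf, c.Root} }
func ForgedChain(c Chain) []*x509.Certificate { return []*x509.Certificate{c.Forged, c.Leaf, c.Root} }

// NaiveValidate models the flaw: every signature is made by the next key up
// and the top is the trusted root, but nobody asks whether the signer was
// permitted to act as a CA. CheckSignature only does the cryptography.
func NaiveValidate(chain []*x509.Certificate, root *x509.Certificate) bool {
	for i := 0; i < len(chain)-1; i++ {
		child, issuer := chain[i], chain[i+1]
		if issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) != nil {
			return false
		}
	}
	return chain[len(chain)-1].Equal(root)
}

// StrictValidate applies the missing rule. CheckSignatureFrom rejects an
// issuer whose basicConstraints is absent or CA:FALSE before checking bytes.
func StrictValidate(chain []*x509.Certificate, root *x509.Certificate) error {
	for i := 0; i < len(chain)-1; i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("%s issued by %s: %w", chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	if !chain[len(chain)-1].Equal(root) {
		return fmt.Errorf("chain does not end at the trusted root")
	}
	return nil
}

// LibraryVerify hands the chain to full path validation (name, validity,
// key usage and basic constraints all enforced).
func LibraryVerify(chain []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: chain[0].DNSNames[0],
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("naive, forged chain accepted:", NaiveValidate(ForgedChain(c), c.Root))
	fmt.Println("strict, forged chain:", StrictValidate(ForgedChain(c), c.Root))
	fmt.Println("library, forged chain:", LibraryVerify(ForgedChain(c), c.Root))
}
```

The naive validator accepts the forged chain, because every signature in it is genuine; the strict and library validators reject it at the link where attacker.example, a CA:FALSE certificate, appears as an issuer. The "brakes not used" analogy in the thread maps onto that single skipped check.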