Subject: Re: [legalxml-enotary] Example - Authenticating Request For Service


Please refer to inline comments.

> [Pieter Kasselman]  I am for the moment assuming that the
> certification event is taken as the notarization event as well.

[John Messing] I shared that assumption.

> [Pieter Kasselman] I think that not all e-notaries will be trusted to the
> same extent or for the same thing.

[John Messing] How so?

> [Pieter Kasselman] The above process may be perfectly acceptable for a
> certain risk profile,
> while it may be inadequate for another. It comes down to risk management,
> which is in turn governed by policy.

[John Messing] Agreed.

> [Pieter Kasselman]  The "quality" of different e-notaries
> may differ as its processes and procedures differ (in the PKI world,
> policy
> is separated from the technology through the use of explicit certificate
> practice statements and certification policies). This allows for the
> separation of the technology and the process, where the quality or level
> of
> assurance is primarily determined by the process/policy. I think we should
> try to do the same in this TC (i.e. separate policy from technology).
>
[John Messing] Except for the fact that there is a layer in eNotarization
that is missing in PKI. A CP or CPS lays down certain rules about the ideal,
normal, and acceptable uses of a certificate as determined by the vendor,
perhaps in consultation with the users of the certificates. The policy layer
is devoid of content. One can fill it in with anything that legitimate
businesses will support.

With eNotarization, there is an additional layer of normative conduct. How
should one govern the relationships set forth, for example, in varied and
equally well-drafted CP's and CPS' from different vendors? The question has
more than an academic flavor, as interoperability between classes and brands
of certificates becomes the rule rather than the exception.

What you have described for a PKI is what I would term the technical
underpinnings. On top of that a legal analysis needs to be constructed for
the benefit of lawyers and judges in determining the level of assuredness
that should be accorded as evidentiary treatment to different types of
electronic processes. I emphasize the word "should", which denotes a moral
or normative standard. That in my view requires determining the
eNotarization needs of a process and explaining how the analysis was made.
Once an eNotarization need is clarified, then a process can claim to be
eNotarization compliant when it satisfies the eNotarization need, regardless
of how this is arrived at technically. It should be up to this committee to
identify the techniques for identifying eNotarization needs of computerized
processes, and providing a standardized way for appropriate entities, either
private (such as a Good Housekeeping determination) or public (like a
Federal Trade Commission decision), to decide which processes meet the
appropriate eNotarization needs.

[John Messing]

> > Therefore, it could be said that the process performs an eNotary
> > function
> > for a defined category of online transactions where the per transaction
> > value does not exceed, for sake of argument $100, where eNotary is a
> > short
> > hand expression for what should be adjudged by the courts to be
> > self-authenticating evidence under the Federal Rules of Evidence, E.R.
> > 901
> > et seq. and equivalent state law in the United States. That section of
> > the
> > federal evidence code has been referred to consistently in the cases
> > previously provided to the TC dealing with authentication and
> > admissibility
> > of electronic evidence in federal courtroom trials.
> >
> > I propose that we take on the task of creating a formula for bringing
> > forward the application of such a dollar standard (of any hypothetical
> > value) during predictable economic fluctuations so that equivalent
> > relative
> > values between the value of the transaction in relation to the other
> > values
> > of the society could be maintained indefinitely into the future. That
> > requires identifying the policies and business rules being served,
> > articulating how they translate to a dollar amount, and where they
> > should
> > be
> > placed in a hierarchy that balances ranges of services against risks of
> > liability across an entire field of information services.
> >
> [Pieter Kasselman]  I think as a TC we can provide the syntax and
> technical means to express such information (e.g. as part of a
> notarisation policy), but I am not convinced that we should attempt to
> specify an economic model as described above; it may open us to all sorts
> of
> liabilities. I would rather provide the mechanism for expressing such a
> model inside a policy and leave the model to the operator of the e-Notary
> service.
>
[John Messing] The example was not intended as an economic model but as an
exercise in determining how to keep a standard flexible for extended time
periods. $100 US today will not be worth the same in terms of goods and
services in 20 years as it is today. Perhaps a simple adjustment to the
Consumer Price Index will be sufficient to put that issue to rest. I don't
see any liability whatever in this approach.

[John Messing]
> >
> > Please be alert to the absence in the discussion so far of data
> > integrity
> > determinations, which bring their own eNotary considerations. I think
> > most
> > of us can agree that the standard public key exchange principles for the
> > generation and transmission of a shared symmetric session key used by
> > SSL
> > probably meet any conceivable eNotary standard, but I think we should
> > articulate in concrete policy language why we feel that way.
> >
> [Pieter Kasselman] I agree that certain public key technologies have
> many properties that will benefit an e-Notary (especially public key
> schemes
> that are used to generate digital signatures). However I am not sure what
> key
> establishment in the SSL sense would contribute; for instance DH key
> establishment may not be that useful to an e-Notary.

[John Messing]  Perhaps this point you make about DH emphasizes the fact
that only certain types of processes are suitable for particular eNotarization
needs.
