The Essential Role of Trusted Third Parties in Electronic Commerce

© 1996 A. MICHAEL FROOMKIN . Version 1.02 Oct. 14, 1996.

Published at 75 Oregon L. Rev. 49 (1996). Permission granted to view on-line, and to make one paper copy for personal non-profit or archival use.

Links to author's official homepage and unofficial homepage. This page has been accessed times since April 22, 1996. FastCounter by LinkExchange

Table of Contents

Click here to load notes into main frame for printing.

I.The Essential Role of Trusted Third Parties in Electronic Commerce

By now it is well known that the Internet is a global, but insecure, network.{1} It is also increasingly well understood that cryptography{2} can contribute greatly to the transactional security that Internet commerce so obviously lacks.{3} What is less well understood is that cryptography is only part of the security story. Many cryptographic protocols for secure electronic transactions require at least one trusted third party to the transaction, such as a bank or a certification authority (CA). These partly cryptographic, partly social, protocols require new entities, or new relationships with existing entities, but the duties and liabilities of those entities are uncertain. Until these uncertainties are resolved, they risk inhibiting the spread of the most interesting forms of electronic commerce and causing unnecessary litigation.

This Article aims to describe what CAs do, explain why they are important to electronic commerce, and suggest that they are likely to provoke some interesting legal problems. It does not attempt to describe a complete legal regime for the regulation of CAs in electronic commerce.{4} The coming wave of faceless electronic commerce presents a number of challenges; opportunities for fraud and error and for the prevention of fraud and error are interwoven with the solutions to these difficulties. Although accounts of fraud in commercial electronic transactions (as opposed to simple theft of data or services by a stranger) on the Internet remain very rare, this may reflect the low level of Internet commerce today more than any virtues of the medium.{5}

Utah was the first state to attempt to provide a regulatory framework for CAs. The Utah Digital Signature Act provides for a safe harbor against most liability for those who qualify.{6} No one has qualified to date,{7} and the Act does not define the duties and liabilities of those who do not qualify for the safe harbor.{8} Clarification of the duties and liabilities of CAs in the absence of legislation should thus serve the interests of all parties to an electronic transaction in which a certificate plays a role. Other states, and perhaps some day the United States Congress, will eventually have to decide whether to enact digital signature laws of their own, and they may find it helpful to have a better understanding of the legal background against which a comprehensive legislative program may be drawn.

Before embarking on a discussion of the role of trusted third parties in electronic commerce, it is useful to review basic cryptographic techniques such as public-key cryptography and digital signatures. Cryptographically sophisticated readers should skip to Part I.D., which begins a description of certification authorities and discusses the various types of digital certificates they may issue, or to Part II, where the discussion of the application of these techniques to Internet commerce begins. In order to show just how hard it can be to determine what legal rules apply to this new world of electronic commerce, Part III offers an introductory discussion of the liability of a CA that issues an erroneous certificate.

I. Cryptographic Keys, Digital Signatures, Digital Certificates, and the People Who Issue Them

A.Public-Key Cryptography

A public-key cryptosystem is one in which messages encrypted with one key can only be decrypted with a second key, and vice- versa. A strong public-key system is one in which possession of both the algorithm and one key gives no useful information about the other key and thus no clues as to how to decrypt the message.{9} The system gets its name from the idea that the user will publish one key, but keep the other one secret. The world can use the public key to send messages that only the private key owner can read; the private key can be used to send messages that could only have been sent by the key owner.

With the aid of public-key cryptography it is possible to establish a secure line of communication with anyone who is using a compatible decryption program or other device. Sender and receiver no longer need a secure way to agree on a shared key. If Alice wishes to communicate with Bob, a stranger with whom she has never communicated before, Alice and Bob can exchange the plain text of their public keys. Then, Alice and Bob can each encrypt their outgoing messages with the other's public key and decrypt their received messages with their own secret, private key. The security of the system evaporates if either party's private key is compromised, that is, transmitted to anyone else.

Thus, if Alice wants to send a secure e-mail message to Bob, and they both use compatible public-key cryptographic software, Alice and Bob can exchange public keys on an insecure line. If Alice has Bob's public key and knows that it is really Bob's then Alice can use it to ensure that only Bob, and no one pretending to be Bob, can decode the message.

The problem facing Alice in this scenario, however, is that there is no more reason to trust an e-mail message purporting to be from Bob that says here is my public key than there is to trust any other e-mail message purporting to be from Bob. Lacking independent confirmation, Alice has no way of knowing whether the message is really from Bob or from an imposter. (Bob has the same problem regarding Alice.) One bit looks exactly like another, making it possible for Mallet to forge messages purporting to come from either Alice, Bob, or both.{10} And, if Mallet is able to masquerade as Bob in an e-mail message, Mallet can just as easily send Alice his own public key, claiming that it belongs to Bob. Without help from a source external to the Internet communication, either a trusted third party or some out-of-band (non-Internet) communication that is reliable, Alice has no way of assuring herself of the authenticity of any e-mailed communication from a stranger, regardless of what it says. Alice needs some assurance to feel confident that she is not sending the details of a tender or her financial details to a malicious stranger who might seek to profit from it at her expense. Of course, if the message is from someone Alice already knows, the message itself may provide internal clues of its authenticity for example, the clich‚d scenario in war movies in which soldiers radio from behind enemy lines and identify themselves by telling their buddies about a well-remembered poker hand.

A third-party registry of public keys does not really solve Alice's and Bob's problem unless the registry also certifies the accuracy of the information it contains. Suppose that Carol runs an Internet directory service that contains names, e-mail addresses, and public keys. Being a generous person, Carol invites anyone to sign up for free, and makes no effort to check the data submitted to her. Alice has no way of knowing whether the entry for Bob was sent in by Bob, or whether it was sent in by Mallet claiming to be Bob. If Mallet sent it in, he will have an entry with Bob's name, Mallet's e-mail address, and Mallet's public key. A directory service alone is thus of little value in providing the assurance as to Bob's identity that Alice wants.{11}

The World Wide Web (Web) introduces some complications into this picture but does not alter the basic substance. Although at this writing it is very difficult for Alice to completely mask the identity of the account accessing a Web page, prototype anonymous Web browsers are currently being developed.{12} Even if Alice does not have access to an anonymous browser, there is no way for Bob to know whether Alice is using an account that can be traced to her, or an account procured under a pseudonym, or a hacked account belonging to someone else entirely. Similarly, in the ordinary course, Bob's Web address identifies his Web page as residing on a particular machine whose physical location can be deduced from information readily available on the Internet,{13} although the address itself is less informative than a telephone number.{14} However, some services sell anonymous Web pages{15} and Web addresses can be hacked; furthermore, messages to and from a Web server also are at least theoretically subject to a man in the middle attack by which message packets are intercepted and replaced with the attacker's messages.{16}

B.Digital Signatures

Public-key systems also allow users to append a digital signature to an unencrypted message. A digital signature encrypted with a private key uniquely identifies the sender and connects the sender to the exact message. When combined with a digital time stamp{17} the message can also be proved to have been sent at a certain time. Anyone who has the user's public key can then verify{18} the integrity of the signature. Because the signature uses the original text as an input to the encryption algorithm, if the message is altered in even the slightest way, the signature will not decrypt properly, showing that the message was altered in transit or that the signature was forged by copying it from a different message.{19} A digital signature copied from one message has an infinitesimal chance of successfully authenticating any other message.{20}

Again, however, the utility of a digital signature as an authenticating tool is limited by the ability of the recipient to ensure the authenticity of the key used to verify the signature. If Alice uses her private key to sign an otherwise unencrypted message, Bob can verify that Alice really sent it only if Bob knows Alice's public key.{21} In order to rely on the authenticity of that public key, however, Bob needs to get it from some source other than the Alice sending the message, because if Mallet is forging a message from Alice he will send his own public key as well, claiming that it actually belongs to Alice. Since Mallet has the private key corresponding to the public key he sends Bob, Bob's attempt to verify the signature of the forged message will result in a confirmation of the message's authenticity even though it is not really from Alice at all. In contrast, if Bob has access to Alice's real public key from some outside source, and uses it to verify the message signed with Mallet's private key, the verification will fail, revealing the forgery.

In short, if Alice and Bob are strangers with no alternate means of communication then no digital signatures, indeed no amount of cryptography standing alone, will reliably authenticate or identify them to each other without the assistance of some outside source to provide a link between their identities and their public keys. Any outside source that reasonably inspires trust will suffice: for example, the telephone company might include its public key in the monthly phone bill, or corporations might publish their public keys in the newspaper. Or, the outside source could be a trusted third party such as a mutual friend, a government agency, or a business that offers on-line verification services.

C.Certification Authorities

A Certification Authority (CA) is a body, either public or private, that seeks to fill the need for trusted third party services in electronic commerce by issuing digital certificates that attest to some fact about the subject of the certificate.{22}

In order for either Bob or Alice to be willing to accept certificates issued by Carol, a CA, Bob and Alice must have confidence that Carol's public key is really Carol's and not another manifestation of the wily Mallet. One way to achieve this confidence is to have an identifying certificate from Trent, another CA, certifying Carol's key. CAs that certify other CAs are said to participate in a certificate chain, with a root certificate at the bottom of the tree.{23} Unfortunately, this just shifts the problem to the validity of Trent's CA's public key.

One solution to this problem contemplates a governmental role in certifying the keys of CAs. The root key would belong to a state or federal agency, and the few CAs that met state licensing requirements would be rewarded with government certification of their root key.{24} These CAs would then certify the root keys of organizations that wished to manage their own certificates. A CA might certify the root key of ABC Corp, which would in turn be used to certify the keys of, for example, the key manager in each corporate division, which in turn would certify the keys of salespeople, purchasing agents and press secretaries.

The more levels there are in a certification tree, the more certificates Alice needs to check to ensure that Bob's certificate remains valid. Suppose that Bob's digital signature is supported by a certificate issued by CA1, which has a public key certified by CA2, in turn certified by CA3, which in turn is certified by a state government. If the state government issues a notice of revocation for the certificate of CA3 because, for example, someone has broken its private key, all certificates descending from CA3 are now suspect. If CA3 could say with certainty that its key remained safe until a particular date, then certificates bearing a secure timestamp showing that they were issued before that time would still be reliable.{25} Alice can work all this out, but it takes some computing time, and it may require accessing as many different databases as there are CAs which also could be costly or time- consuming.{26}

The few CAs currently in operation have dealt with the absence of an agreed root certification authority by simply signing their own keys and posting the self-certified key on their Web sites.{27} The self-certified key is then mirrored on other computers.{28} This self- certification, in which the CA relies on its reputation gleaned from other business dealings, fits a model of relatively flat certification hierarchies, in which users turn to CAs, be they suppliers or the United States Postal Service, that they already know in other contexts. One expert predicts that the wave of the future will be relatively flat hierarchies, in which organizations have a root certificate for internal purposes that is certified by at most one other CA.{29} It is simply too early to know which certification model will predominate, but it is interesting to consider that today the major indicator of the authenticity of most accountant's and lawyer's opinions provided to third parties is the letterhead (easily forged) and the representation of authenticity by the party proffering the opinion.


A certificate is a digitally signed statement by a CA that provides independent confirmation of an attribute claimed by a person proffering a digital signature. More formally, a certificate is a computer-based record which: (1) identifies the CA issuing it, (2) names, identifies, or describes an attribute of the subscriber, (3) contains the subscriber's public key, and (4) is digitally signed by the CA issuing it.{30}

As a formal matter, a certificate binding a fact to a public key does not need to have a description of the level of inquiry used to confirm the fact. Bob would be foolish, however, to trust a certificate that made no representation, if only through incorporation by reference, as to the nature of the inquiry used. While a zero-inquiry certificate issued by Certificates-R-Us is, in some sense, a real certificate, its attestational value is low.

In practice, CAs will probably offer a range of certificates, graded according to the level of inquiry used to confirm the identity of the subject of the certificate. For example, VeriSign, a company that has recently begun advertising its willingness to provide identifying certificates{31} under the unfortunate name of Internet driver licenses for the information Superhighway,{32} proposes four different classes of certificates which will be compatible with Netscape version 2.0 World Wide Web browsers. Class 1 certificates, designed for casual Web browsing and secure e-mail use, certify only the uniqueness of a name or e-mail address. {33} VeriSign will issue Class 1 certificates in response to an e-mailed request by the subject.{34} In contrast, VeriSign will only issue a Class 2 certificate, which is more expensive, after receiving third party proofing of name, address and other personal information provided in the on- line registration process. {35} To obtain a Class 3 certificate, the subject must pay still more money and appear in person or present registered credentials. {36} VeriSign also contemplates a bespoke certificate, Class 4, that would issue after the subject is thoroughly investigated. {37}

CAs are likely to issue several types of certificates, notably identifying certificates, authorizing certificates, transactional certificates, and time stamps.

1. Identifying Certificates

An identifying certificate, such as the ones being offered by VeriSign,{38} connects (the technical term is `binds' ) a name to a public key. The act of the CA in checking that the name corresponds to something in the nondigital world binds the name to an identity. Careful and accurate identification is not a trivial task: the cost of verifying the identities of all holders of U.S. Social Security cards and reissuing the cards would exceed $1.5 billion.{39} Of course, for digital communications, the name need not necessarily be either a unique name or even a real name. The name could be Darth Vader X or John Smith or John Smith, 1000 Main Street, Eugene, Oregon, Social Security Number 123-45- 6789. In addition to being stored on computers connected to the Internet, certificates could be stored on smart cards, and could be used for issuing driver's licenses and public benefits, or conducting banking and other transactions.

In order to issue a certificate stating that a particular public key belongs to Alice, the CA generates an electronic message containing Alice's name, a statement as to the type of inquiry used to ascertain that the person purporting to be Alice is really Alice, and her public key. The CA signs this message with its private key. What happens next depends on the type of service the CA offers. The CA might publish the resulting certificate on a World Wide Web site available to anyone with Internet access, or give the certificate to Alice, or contract with Alice to honor e- mailed requests for the certificate from all comers. In some cases, these choices might affect the legal regime that applies to the CA.{40}

Armed with an identifying certificate from a reputable CA, Alice is in a much better position to persuade Bob that the digital signature she proffers really belongs to her and not to Mallet. If the CA is a reputable entity, and if its digital signature on the certificate can be verified,{41} Bob no longer has to trust Alice's electronic word because he now has confirmation from an independent source. Bob's attempt to verify the CA's digital signature requires that he have access to some independent means of ensuring that what purports to be the CA's public key is authentic, and not yet another scam by the cunning Mallet. Since the CA is in the business of providing such assurances, perhaps for a small fee, it may make economic sense for the CA to provide customers such as Alice and Bob with the means to confirm the authenticity of its public key, such as routine publication in a newspaper. The CA might also establish the accuracy of its public key by reference to a special root certificate established either by trade usage or by a government agency.

Even a certificate that can be verified is not ironclad proof of an identity. For example, Bob might foolishly have shared the passphrase to his private key with a family member, who then takes advantage of this disclosure to make transactions under Bob's name. Bob's passphrase might have been carelessly chosen and cracked by Mallet. Bob might even be Mallet if the CA were negligent, or if Mallet is so good at fooling CAs that even the CA's reasonable care was insufficient to penetrate Mallet's deception.

The risks that the reality represented by the certificate is out of date can be controlled, but not eliminated, by ensuring that certificates are dated when issued, stated to have limited periods of validity or be subject to periodic reconfirmation by the CA, and by having Alice check the certificate revocation list (CRL){42} maintained by the CA to warn recipients of certificates known to be no longer reliable. The absence of either rules or usages of trade determining who has a continuing duty to monitor the accuracy of data in certificate means that Alice has to make some difficult decisions. In addition to routinely checking the right CRL, Alice might decide that she will only accept certificates that state that their date of issue was within thirty days. If Alice is extremely cautious she can decide to accept only certificates that are very recent, maybe less than a day old, or even limit herself to certificates issued within minutes or microseconds. She still bears some risk, but it is reduced.

As for the risk of receiving an erroneous certificate, Alice will have to make a judgment as to which certificates from which CAs she will accept. This decision is likely to be based on the CA's reputation and on the representations that the CA makes about the level of inquiry undertaken to issue a certificate. To return to the VeriSign example,{43} Alice might decide not to accept Class 1 certificates, but to require at least Class 2. Or she might decide that there was something about the limitations on liability asserted by VeriSign that displeases her and so choose to refuse all its certificates because she prefers a competitor's promises. Whatever the level of inquiry promised by a CA, however, it is always possible that the CA was negligent or that Mallet simply outsmarted it. For Alice, these are the risks of the trade, much as merchants bear some risk of forged signatures and counterfeit money in more mundane commerce.

2. Authorizing Certificates

Although identifying certificates are likely to be the most popular type of certificate in the short run, in the medium term CAs are likely to begin certifying attributes other than identity. An authorizing certificate might state where the subject resides, the subject's age, that the subject is a member in good standing of an organization, that the subject is a registered user of a product, or that the subject possesses a license such as bar membership. These authorizing certificates have many potential applications. For example, law professors exchanging exam questions on the Internet could require that correspondents demonstrate their membership in the Association of American Law Schools (AALS) before being allowed to have a copy of the questions.

It is illegal to export high-grade cryptography from the United States without advance permission from the federal government,{44} but there are no legal restrictions on the distribution of strong cryptography to resident aliens or United States citizens in the United States. The lack of a reliable means to identify the geographical location of a person from an Internet address creates a risk of prosecution for anyone making cryptographic software available over the Internet.{45} For example, if Alice is making high-grade cryptography available for distribution over the Internet, she might protect herself from considerable risk by requiring that Bob produce a valid{46} certificate from a reputable CA, stating that he is a United States citizen or green card holder residing in the United States, before allowing him to download the cryptographic software.

Alice substantially reduces her risk under the ITAR by requiring Bob to produce an authorizing certificate demonstrating his citizenship, but even this does not eliminate her risk. Alice's major remaining risks are that: (1) the CA's statement was erroneous; (2) Bob has lost control of his digital signature and it has fallen into the hands of Mallet, who is not a United States citizen or permanent resident, or is abroad; and (3) something about Bob has changed since he procured the certificate, for example, he has moved abroad, lost his citizenship or green card, or has died and his private key is held by his executor or heir.{47}

A certificate binding the geographic location, age, or other attribute to a public key can contain the name of the subject of the certificate, but the public key suffices if it was generated in a secure manner and is sufficiently long to be unique. Nameless, anonymous certificates create the possibility for sophisticated anonymous Internet commerce. For example, persons wishing to purchase materials that can only be sold to adults might obtain over 18 certificates that bind this attribute to a public key but do not mention their name.{48} Similarly, a financial institution might issue a certificate linking a public key to a numbered deposit account.

3. Transactional Certificates

A third type of certificate, the transactional certificate,{49} attests to some fact about a transaction.{50} Unlike an identifying certificate or an authorizing certificate, a transactional certificate is not designed to be reused or to bind a fact to key. Instead, the certificate attests that some fact or formality was witnessed by the observer. For example, if Alice is a lawyer officiating at a digital closing, and Bob is her client, Bob can digitally sign a document. Alice then issues a certificate attesting that Bob digitally signed it in her presence. The certificate might contain the text of the document,{51} Bob's digital signature of the document, and Bob's public key, all of which would be signed with Alice's private key. The resulting certificate would be evidence that Bob affixed his signature in Alice's presence.{52} A transactional certificate of this type might suffice to transmit a deed to a public official for recordation.{53}

The differences between Alice's transactional certificate and Alice's digitally signed confirmation that she received Bob's document are primarily legal rather than technical. Indeed, from a cryptographic perspective, a transactional certificate is little more than an ordinary electronic document digitally signed with the CA's private key.

The potential legal differences are many and varied. First, the act of affixing the signature likely will carry with it the type of formality associated with a closing, or perhaps even with a notarial act in a civil law country. Indeed, the American Bar Association and the United States arm of the International Chamber of Commerce are exploring the creation of an American legal specialization to be known as a CyberNotary .{54} A CyberNotary would be a lawyer able to demonstrate that she has the ability to issue certificates from a trusted computing environment. The hope is that civil law jurisdictions will come to accept a CyberNotary's certification as legally sufficient authentication and recordation of legal acts executed in the United States. If so, a power of attorney or the transfer of corporate shares certified by a CyberNotary in the United States would be recognized and enforced in those jurisdictions, even when an ordinary United States lawyer's or United States notary's certification would not suffice.{55}

Second, a certificate will typically contain representations by the CA as to the level of inquiry conducted by the CA, or will at least incorporate a general policy statement by reference. In contrast, an ordinary digital signature adds no content to the message being signed.

Third, the CA may add link information to the document being signed, such as a secure timestamp from a trusted timestamping service.{56}

Fourth, by issuing a transactional certificate, a CA subjects herself to a completely different, and arguably far more benign, liability regime than does a CA who issues an identifying certificate. A transactional certificate is by nature a single- purpose certificate. While an unlimited and unknowable number of third parties may rely on it, the nature of their reasonable reliance is largely, perhaps completely, within the control of the CA. A lawyer who officiates at a closing, for example, might certify that she examined corporate documents and that the corporate officers were duly authorized to enter into the transaction; this is no different from what lawyers engaging in due diligence do today. It is, however, different from issuing an identity or creditworthiness credential to a person who might then use it to run up an unlimited amount of debt or other obligations.

4. Digital Time-Stamping Services

A time stamp is a cryptographically unforgeable digital attestation that a document was in existence at a particular time. It is not difficult to show that a document existed after another event: one need only include a reference to something that happened earlier, which could not have been predicted before it happened.{57} For example, before it became easy to doctor images, kidnappers could demonstrate that their victim was still alive by photographing him holding the front page of a newspaper. Sometimes, it is enough to prove that a document was signed or an event occurred after a given date, as in statute of limitations questions. Often, however, it is equally (if not more) important to show exactly when it happened, or to prove that it happened before another date. If Alice quotes the headlines in last Tuesday's newspaper, it proves that she wrote the document no earlier than last Tuesday, but it gives Bob no way of telling whether she wrote it on any of the days since then. The creation date or modification date appended to documents by many word processing systems is also of little or no evidentiary value since it is a trivial matter to alter these dates, or to change the time on a computer's internal clock.{58} Alice's digital signature on the document tends to show that Alice wrote it and that no one else has altered it, but the signature adds nothing to the credibility of Alice's claim as to when she wrote it.

The only way to prove beyond doubt that a document was created before a certain time is to cause an event based on the document, which can be observed by others. {59} If Alice publishes the text of her document in the newspaper, she can prove that it had to exist at the time it was published. This is expensive, uses a lot of newsprint, and destroys Alice's privacy. A better method is for Alice to publish a hash value of her document. A hash value is a large number produced by a hash function that takes the entire document as its input. The hash functions used in this manner have three properties that allow them to serve as a kind of fingerprint for a document. First, hash functions are public anyone can repeat the calculation if he or she has the original document. Second, the hash function is a one-way function: if Alice sends Bob a file purporting to be the document that produced a hash value she published in the newspaper five years ago, Bob can easily confirm that the document's hash is the same, but possession of the hash value alone does not allow anyone to recreate the document. Third, although it is not impossible for two different documents to produce the same hash value, the odds against it are so high as to make this probability infinitesimal.{60} Therefore, even a slight alteration to a document will change its hash value, making it essentially impossible for Alice to create a document with the same hash value as the one whose hash value she published in the past. Even if Alice were to put supercomputers to work to find another set of bits that produced the same hash value as the original digital document, there is no chance at all that this document would have letters and numbers in an order that produced intelligible text.

Of course, for most transactions it is impractical to rely on publication in a newspaper for authentication. This creates a business opportunity for CAs. Carol, a CA, can provide a simple time-stamping service by providing an attesting certificate that Alice sent Carol a hash value of a document at a certain time.{61} Carol might automate the process by having an Internet service that returned a dated and digitally-signed certificate every time a subscriber set her a hash value. Alice does not have to trust Carol with her data, because all Carol ever sees is the hash value. Now Bob no longer has to take Alice's word for when she wrote the document; he only need believe that Carol is telling the truth about Alice. If Carol is a reputable CA, her certificate may inspire this trust. If Bob is very mistrustful, however, he may be concerned that the system would fall apart if Alice can persuade Carol to backdate a time stamp.

A more secure method of time stamping documents exists. In this system, Bob does not have to trust Carol because there is no way for her to backdate a time stamp. Rather than simply signing the hash value of Alice's document, Carol sends Alice a digitally signed document reciting the hash values of Alice's document, the hash values of the last few documents submitted for time stamping and the e-mail addresses of their owners. Now, the only way to forge a time stamp is to suborn both Carol and many other users of the system. A weekly summary hash of the tree of the many documents submitted is published in the Sunday New York Times and is therefore unchangeable.{62} It is currently being marketed by its inventors as the Digital NotaryTM. {63}

II. Internet Commerce: Fraud's Playground?

Judging by the low amount of civil fraud (as opposed to crime) to date, the Internet's reputation as fraud's playground is undeserved. Yet, this may be the rare case in which expectations accurately predict a possible future. While there may be a great deal of Internet advertising and information exchange, there are still relatively few transactions for value over the Internet. As the amount of Internet commerce grows, the opportunities for fraud may grow unless security and authentication measures also grow.

The CA's role in identification and authentication is particularly important for transactions that have effects which extend over time. In basic consumer transactions, where something is exchanged for money, there may be no need for certificates a credit card suffices, with the issuer fulfilling the role of the third party. If the goods are not forthcoming or if they are other than they were represented to be, the customer can simply stop payment. If the goods are satisfactory, ordinarily the customer does not care whether the seller was who she claimed to be.

The picture changes dramatically, however, as soon as the transaction has lasting effects. If the communications are part of an ongoing relationship such as instructions to a broker, or if the terms of sale allow payments to be delayed, or if there is any question of a warranty or service contract, the parties have a much greater interest in identifying and authenticating each other.

A.Simple Sales

Although estimates vary, it is widely agreed that electronic commerce over distributed networks, such as the Internet, is set for explosive growth. One guesstimate suggests that approximately sixteen percent of consumer purchases may be electronic transactions by the turn of the century,{64} a date now about five years in the future. Definitions of electronic commerce differ; this Article concentrates on commercial activities such as sales and negotiations carried out over insecure distributed networks such as the Internet.

Internet commerce presents challenges that are not present, or are present in nearly harmless form, in traditional transactions carried out face-to-face. These problems include:

Basic Transactional Issues

Merchant's Desires

Buyer's Desires Cryptographers would have us believe that most of the problems on this list that arise from Internet commerce and are not present in physical commerce can be solved, and the good news is that this is largely correct. The bad news, unless you happen to be a lawyer, is that the cryptographic solutions currently available are not simply mathematical. They frequently rely on the intervention of a trusted third party who is a certificate-issuing CA. Issuing certificates entails the creation of new entities, new businesses, and new relationships for which the duties and liabilities are currently uncertain.

The law of sales is complex, as the many sections of the Uniform Commercial Code (UCC) testify. Shifting any sale to an electronic medium can add further complexity. To better understand the nature of the new problems posed by electronic commerce, and the ways in which they are reduced by the introduction of a trusted third party, it helps to begin by considering this list of issues in the context of an extremely simple sale, one which includes no documents of title, and in which both goods and payment (or a promise to pay that functions as a close substitute, for example, a check or credit card transaction) are exchanged by face-to-face parties contemporaneously with the moment of contract formation.

1. Face-to-Face Sales

When Alice, a buyer, purchases food at the local grocery store from Bob, the merchant, in a face-to-face sale, there is no problem with moving value: Alice tenders paper money and coin,{66} food stamps or, if Bob permits it, Alice may choose to write a check, pay with an ATM card, a debit card, a credit card, or even in some cases buy on account. Ordinarily, there is no particular need to ensure that the transaction is secure from Mallet, an eavesdropper, since there is little that Mallet could do with the information and even less that Mallet could do to hurt either Alice or Bob.{67} However, on the occasions when Alice and/or Bob would desire privacy or anonymity, they might find these difficult to obtain.

The documentation of the transaction differs slightly depending on whether it is a cash sale, or if there is a third party involved such as a bank or credit card company.{68} If there are just two parties, Alice and Bob typically keep copies of a receipt. If there is a third party, additional documents are generated, such as a check, an electronic ledger entry and a paper receipt in the case of an ATM card, or a credit card slip.{69} These pieces of paper also serve as proof of order in the unlikely event that it is questioned. Similarly, each of these payment mechanisms has well- developed ways of ensuring that consumers are protected from unauthorized payments.{70} On the other hand, buyer repudiation and nonpayment are issues in face-to-face commerce. A cash payment cannot easily be repudiated, but it may be counterfeit. A check can be dishonored by the bank, and under United States law, embodied in Regulation E, Alice has the right to contest a credit card payment up to two months later.{71}

Because physical goods are exchanged in a physical place, Alice has a number of indicators that suggest, although they do not prove, that she will have recourse in the event that the purchase is not satisfactory. First, Alice knows where the store is: its physical presence suggests that Bob may have assets that can be attached, even if only a lease and the contents of the shop.{72} The accessibility of the store's physical location also makes it easier for an irate customer to create bad publicity, either in the store itself or in the store's community, further creating an incentive for Bob to resolve any difficulty.{73} Furthermore, knowing the location of the store gives Alice an indication of the legal system that is likely to have jurisdiction over any conflict.

The physicality of the transaction also protects Bob. If authorization is required, Bob can demand that appropriate documents be displayed (for example, proof of age, unless Alice's appearance seems sufficient proof) and he can examine the credentials for authenticity. Bob also has some protection in the event that the transaction goes badly. Seeing Alice offers some chance of providing a description (or a store camera video) in the event of nonpayment or fraud. The face-to-face aspect of the relationship means that in many cases,{74} Alice will have to return the goods to claim reimbursement. Thus, typically Alice will be unable to continue to enjoy the products after claiming a refund.

2. Telephone Sales

Telephone sales lack the face-to-face aspect of a sale in a store. As a result, the parties are likely to have less knowledge about each other. In addition, telephone sales, like catalog sales, introduce a time lag between the order and its fulfillment, during which many things can go wrong: the goods may be discovered to be different from what the buyer had imagined they would be, the goods may spoil or be damaged in transit, either party may change its mind or become insolvent, and so on.{75}

The party who placed the call obviously knows the number she dialed, although if Alice calls Bob via an 800 number, that telephone number alone reveals little or nothing about Bob's location.{76} The recipient of the call may also know the calling party's number if caller ID is available. Indeed, calls to an 800 number automatically disclose the number of the calling party.{77} If Bob uses a database indexing telephone numbers to addresses, credit histories, or buying patterns, he may have considerable information about Alice regardless of who places the call. On the other hand, if Alice is an ordinary consumer, her information about Bob will depend largely on sources extrinsic to the call (for example, catalogs, advertising, prior dealings) and the firm's reputation, if any. In addition, returning goods or getting redress may be more difficult with a faraway party. Not only may the relevant legal system be inaccessible or expensive to access, but Alice's inability to bring her complaint to the attention of other shoppers reduces her bargaining power with Bob.

Although impersonation is certainly possible at the grocery store,{78} it is easier over the telephone. Lacking the ability to verify signatures or identify the physical characteristics of the buyer, Bob runs an increased risk of making sales to persons using stolen credit card numbers (although this risk is attenuated by using on- line clearing). Similarly, because it is difficult to verify identity over the telephone, Alice runs an increased risk that the person claiming to be Bob is actually Mallet.

Although value cannot be exchanged by cash or check at the time of sale, mailed payment can be a prerequisite to shipment. As a practical matter, consumer telephone sales tend to be made by debit or credit card because this medium of payment gives the merchant considerable assurance of Alice's ability to pay, but not necessarily a guarantee that payment will actually be made. The credit card company's inability to ensure nonrepudiation{79} becomes a positive advantage, because Alice can transact knowing that payment can be suspended if Bob, or the person claiming to be Bob, fails to perform in some material way. Similarly, the ability to repudiate transactions means that while the call may be subject to eavesdropping or diversion, these acts are of limited value to a third party so long as Alice checks her credit card bill carefully for unauthorized purchases.{80}

3. Internet Sales

Internet sales are likely to take two general forms: ordinary commerce in tangible things and information commerce.

Ordinary commerce in tangible things will greatly resemble common transactions today: purchases that are currently carried out by telephone, ordinary mail (for example, catalog sales) and even in person. Ordinary rules of commercial law presumably will continue to apply to these transactions, subject to one vital difference: without taking some special measures to identify each other, the parties will be saddled with a risk that their counterpart will not be who she professes to be. Transactions that use a telephone require that someone dial a telephone number. The use of that telephone number implicates a record that ultimately could identify the party called. In some cases, the number alone will provide the identification; in other cases, it may be necessary to invoke the aid of the legal process, or of the telephone company. Nevertheless, the telephone number provides some kind of link to a physical presence, for at least one of the two parties to the communication.{81} An Internet e-mail address, by contrast, gives the recipient no reliable information about the person sending the message.

Information commerce is more of a departure from traditional sales. It has the immediacy of a face-to-face transaction, but little mutual identifying information need necessarily be exchanged. In information commerce, unlike ordinary commerce in tangible things, there may be no package to help identify the sender after the goods are delivered. Instead, both parties will conduct the exchange electronically: the buyer will send digital cash and the seller will send information.{82} Some of these transactions may be sizable, such as the sale of access to proprietary databases or the purchase of computer software, but others are likely to be very small. For example, providers of information on the World Wide Web might choose to charge a fraction of a penny to each person accessing their pages.{83} Browsers may be configured to pay these charges, up to a predefined limit, without ever troubling the user. Existing credit card systems are too expensive for such microcharges.{84} Microcommerce in information will require a digital payment system that does not rely on the (expensive) participation of a third party such as a credit bureau or credit card issuer.{85} If such a payment system could be widely deployed, the potential for growth of Internet information commerce is enormous.

Identifying or authenticating certificates can provide all the information that a party might reasonably want for both information commerce and ordinary commerce in tangible things. Whether it makes sense to require a certificate at all depends on the amount of the transaction, the mode of payment, and the cost and delay associated with use of a certificate. Of course, even when it makes sense to use a certificate to verify identifying information about a transactional counterpart, this serves only to restore the parties to an informational position akin to what is commonplace in other more familiar transactions. It does not in any way reduce the need for the existing, and complex, rules about consideration, delivery, breach, title, security interests, fraud, or any of the myriad other things addressed by the UCC and other commercial and criminal law.

a. Transactional Issues: Moving Value and Authentication
If Alice has no hardware available to her other than her computer,{86} she can choose to move value to Bob across the Internet with a debit card, a credit card, or electronic cash.{87}
(i) Debit Cards and Credit Cards
Today, the simplest way for Alice to pay Bob across the Internet is to use a debit card or credit card. This payment mechanism has the great virtue of familiarity. It uses established mechanisms to apportion risk of nonpayment and repudiation. Although it is vulnerable to eavesdropping, the risk may be smaller than commonly believed.

If Alice sends out unencrypted credit card information on the Internet she takes a chance that a third party will intercept the information. To date, however, there are no reported cases of credit card information acquired by eavesdropping on an Internet transaction being used to make a purchase.{88} When one considers that the same credit card information is easily available to every employee of every merchant who accepts credit and debit cards, and can be acquired by examining paper credit card slips retained by any restaurant or dumped in the trash at any mall, it is easy to see why few people go to the considerably greater trouble of attempting to obtain credit card numbers by monitoring large volumes of Internet traffic.

If Alice wants greater security, she can encrypt her credit card data before sending it. Similarly, Bob may want assurances that Alice is who she purports to be. Bob may want Alice to send her order encrypted with her private key, thus uniquely identifying the order as emanating from her. For a greater level of security, Alice and Bob may require that identifying certificates from a reputable CA accompany the exchange of public keys.{89} On the other hand, since the debit/credit card issuer/administrator fulfills some of the functions of a trusted third party already, and charges the same commission regardless of whether Alice and Bob exchange certificates, they may decide to take the risk.{90}

Although debit and credit cards are the easiest means of transferring value over the Internet, and require little if any legal innovation, they have some disadvantages as well. Neither debit nor credit cards are suited to small transactions because verification and clearing impose significant fixed costs on every transaction.{91} Because one of the most likely applications of Internet sales is microcharges pennies or fractions of a penny for the right to view information such as a World Wide Web page, this inability to handle tiny transactions strongly suggests the need for an alternate payments mechanism. Furthermore, the utility of credit and debit cards is critically dependent on the continuing applicability of the consumer's liability being capped at fifty dollars in the event that a credit card number is copied in transit or misused by the recipient. Without the fifty dollar limit, Alice would face an enormous danger of her credit card information going awry, either because Mallet managed to penetrate Bob's security and copy all messages as they were sent to Bob's store, or because Mallet fooled Alice into sending him the credit card information by pretending to be Bob, or because Bob was careless and Mallet hacked his database. Any change in this regulatory regime would cause Alice, and indeed all consumers contemplating electronic transactions, to need both encryption and authentication.{92}

(ii) Electronic Cash
Electronic cash implementations vary.{93} While generalizations are hazardous, most true digital cash systems that are entirely software-based (for example, do not rely on a smart card or other physical token to provide authentication or to store value) use some variation of the digital coin. A digital coin is a sequence of bits, perhaps signed with an issuing financial institution's private key, that represents a claim of value.{94}

Software-based digital coins are potentially suitable for small transactions, such as charging a penny or less to view a web page, where credit cards would be prohibitively expensive.{95} Unfortunately, since bits are easy to copy, digital coin schemes require fairly elaborate mechanisms to prevent a coin from being spent more than once. One method of preventing double spending is to require that coins be cleared in real time. If Alice offers a coin to Bob, Bob immediately accesses the issuing bank to make sure that the coin is valid and has not previously been spent.{96} A necessary consequence of this protocol is that if Alice uses a digital coin to pay Bob, Bob cannot spend it directly. Instead, Bob must either deposit the coin in an account at the issuer or turn it in for another digital coin or conventional money.{97} An on-line clearing system can be configured to ensure that the bank does not know who gave Bob the coin (payor anonymity), but the bank will know that Bob received the coin (no payee anonymity).

While Bob might clear large payments from a single source on line by making a real-time connection to the bank to ensure that the coins have not previously been spent, this may be impractical and uneconomic for transactions measured in pennies or less. Instead, Bob will accumulate a hoard of small digital coins and send them to the bank to clear in batch lots. This off-line clearing opens a window of opportunity for unscrupulous parties to engage in multiple spending. In order to forestall this, a bank issuing coins that will be redeemed off-line is likely to require that Alice encode some identifying information about herself onto the coin. The system can be set up so that no one, not even the bank, can read this information so long as Alice spends the coin only once. A second attempt to spend the coin will disclose Alice's identity and allow the issuer to sue her for fraud and perhaps report her to the authorities for criminal charges of fraud or theft.{98} Barring a complex money-laundering protocol,{99} Bob cannot respend this type of coin either, and must turn it into the bank just as if it had been cleared on-line.{100}

This feature reduces the need for Alice and Bob to exchange certificates; in essence, the digital coin carries its own certification. If Bob is particularly concerned about the possibility of double spending, or if the percentage of respent coins being tendered to Bob reaches unacceptable levels, Bob may choose to restrict even his microsales to parties that can provide an identifying certificate. Bob's decision will turn in part on the cost and delay associated with a certificate as opposed to the cost and delay of having the bank help him trace double spenders.

b. Confirmation Issues: Proof of Order, Nonrepudiation, Receipt, and Recourse
All that Alice needs in order to prove that Bob made a promise to buy or to pay is a message including the promise signed with Bob's digital signature.{101} The issue of proving the promise is separate from whether a digital signature is a signature for legal rules that require that a writing bear a signature.{102} Alice will find it less cumbersome to prove Bob's promise if she has access to a certificate, valid at the time of Bob's promise, that links Bob to the signature appearing on the message. However, a certificate may not be strictly necessary depending on the payment mechanism and the nature of the transaction.

Debit and credit cards leave an information trail that can assist Alice in finding Bob, and vice versa. Because a payor might have an anonymous or pseudonymous debit/credit card,{103} or because a payee might have disappeared in the time since the transaction was recorded, the trail is not perfect. However, the trail of information is significant, and not much different from what would likely be in a certificate, so it is likely to make the certificate somewhat redundant.

Digital cash can be designed to protect the anonymity of the payor who does not double spend. A prudent payee who is tendered digital cash with this anonymizing feature may seek an identifying certificate from the payor if the transaction makes it important to know her. As most digital cash schemes do not protect the anonymity of the payee, the payor will request an identifying certificate only if the cost of the certificate is less than the expected value of the cost of persuading the bank to release the payee's identity on an occasion where this might be needed, adjusted for the danger that the payee will get away before being identified. The cheaper and quicker it is to use a certificate, the more likely it will be used.

The introduction of a coin laundry service that offered payees an opportunity to exchange coins anonymously would greatly increase the payor's need for a certificate from the payee. A coin laundry would break the guaranteed link between the identity of the payee and the coin, whether or not Bob actually avails himself of the service. If Alice knows that Carol's coin exchange is in business, Alice will have to be more wary about sending coins to Bob, a stranger. Now, if Bob takes the coin and defaults on the transaction, it is no longer obvious that the bank will be able to identify Bob when Alice asks it to reveal who redeemed her coin. If the bank tells her that the coin was redeemed by Carol's money changing service, and Carol's service is located in a foreign jurisdiction, perhaps one with strong bank secrecy laws,{104} Alice may find it very difficult to find out who Bob really is and where he lives. In these circumstances, Alice may find that she wants an identifying certificate from Bob after all.{105}

Consumers will have an increasing need for anonymous commerce as merchants become more adept at assembling computerized databases on their customers, and as these databases themselves become valuable commodities.{106} Anonymous certificates are likely to play an essential role in anonymous commerce since they will help induce parties to trade with one another when they are unable to identify each other.

B.Ongoing Transactions

As we have seen, there is a somewhat reduced need for a CA's services when payment and goods are exchanged simultaneously, although the need for a trusted third party is not eliminated. In part this is because the payment schemes already incorporate a trusted third party the credit card company or the digital cash issuer who is likely to be capable, if pushed, of providing some identification of the defaulting party in the event the transaction goes badly.

In contrast, any communication in which the exchange of funds and goods is not immediate, or which looks either backwards or forwards in time, creates a strong and continuing need for authentication and/or identification. For example, if Alice has an account with a broker, Bob, both Bob and Alice have a strong interest in ensuring that any buy or sell order regarding Alice's account be from Alice and no one else, and that this fact be easily provable should it ever be called into question. Similarly, parties negotiating on the Internet will want to ensure that they know who they are communicating with in order to keep secrets from their rivals. No supplier will wish to accept orders for goods that are sold on terms that allow payment at a future date, even from a regular customer, without assurances that the key used to sign the order is one belonging to a person authorized to place the order.

It is important to recall that, much like in the nonelectronic world, the authentication/identification problem in these circumstances has two parts. Bob wants a certificate showing that Alice is who she says she is and/or that Alice is authorized to do what she wants to do. In addition, Bob needs an assurance that the certificate issued to Alice remains valid. Alice could have left her job as purchasing agent or she could have discovered that someone has learned her passwords. In the nonelectronic world, customers frequently take these things on faith; in the electronic world, such faith is less reasonable and thus likely to be less frequent.

In order, therefore, to be willing to rely on a certificate issued to Alice for transactions of any value, Bob needs easy access to a CRL{107} that will allow him to establish that Alice's certificate has not been revoked or suspended. When Alice shows Bob her certificate (or when Bob contacts Carol to get a copy of Alice's certificate) Bob or Bob's software will check to see whether the certificate has been revoked,{108} much like credit cards are checked against lists of suspended cards today. Bob thus needs an easy way to identify and get access to the CRL that would list Alice's certificate if there were something wrong with it. And every CA needs an efficient and reliable means of communicating its CRL to potential users of certificates.

Fortunately, the means for achieving these ends are now at hand. The recognized standard for certificates is the X.509 standard maintained by the International Telecommunications Union (ITU).{109} Previous editions of this standard defined a relatively rigid and inflexible form for a certificate, one that was not well-suited to the legal requirements of digital commerce. In particular, neither the original X.509 standard, nor the revision known as X.509 (ver 2) made provisions for a certificate to carry information about the CRL. Instead, the original X.509 standard provided information about how to contact the CA, and the user was expected to be able to use this information either to identify the CRL or to contact the CA for more information.{110} A recent change in the X.509 standard, now known as X.509 (ver 3), solves these problems. The new standard defines a data location where a CA can put information that will allow Bob to find the CRL quickly, such as the Internet address (URL) of the applicable CRL.{111} The new standard, which is being mirrored in standards developed by ANSI X9 (which adopts standards for banks) and ISO/IEC, also includes a data field in which a CA can insert information about how to find the policies that apply to the certificate, such as the level of inquiry undertaken before issuance.{112}

III. The Difficulty of Identifying the Rights and Duties of Private Certification Authorities

As electronic commerce grows, it will become increasingly important to define the rights and duties of CAs. This will not be an easy task, particularly once electronic commerce becomes more international. International transactions intensify the problems caused by the divergences between legal systems and tend to raise the stakes in choice of law.{113} "The consumer cannot and indeed will not participate effectively in the . . . market where economic and legal conditions are obscure." {114} Although international issues are beyond the scope of this Article,{115} identifying and applying the relevant substantive law can be a moderately complex problem even when the focus is restricted to one state in the United States.{116}

The duties and potential liabilities imposed on private{117} CAs by United States law are unclear, as might be expected from the dearth of applicable legislation,{118} the complete absence of case law, and the very small number of currently functioning CAs. Legislation attempts to provide clarity: the Utah Digital Signature Act provides for a safe harbor against most liability for those CAs who qualify. No CAs have qualified to date, and the Act in any event does not define the duties and liabilities of CAs who do not qualify for the safe harbor.{119} Clarification of the duties and liabilities of these CAs in the absence of legislation should thus serve the interests of all parties to an electronic transaction in which a certificate plays a role. As other legislatures debate whether to enact digital signature laws of their own, they may find it helpful to have a better understanding of the legal background against which they are working. This Part seeks to begin a discussion of that background by addressing a sample problem: who, under existing law, is liable for an erroneous certificate.

The importance of clarifying a CA's liabilities will grow further if one aspect of the recently passed Utah Digital Signature Act becomes a national model. If Alice wants to persuade a jury that the pen-and-ink ( holographic ) signature on a contract or note is in fact Bob's, but Bob claims that it is a forgery, Alice must bear the burden of proving that Bob's signature is genuine. Digital signatures are nearly impossible to forge, and the Utah Digital Signature Act thus reverses the presumption of authenticity for digital signatures. Under the Utah Act, a digital signature that can be verified by a valid certificate is presumed to belong to the subscriber listed in the certificate.{120}

Utah's presumption means that Alice can have greatly increased confidence in the enforceability of Bob's digital signature so long as Alice can verify Bob's digital signature with a valid certificate issued by a registered CA. This increased confidence could be of great value in everything from automated microtransactions to large international transactions where the parties are strangers.

On the other hand, the presumption creates a danger for a consumer who loses control of his digital signature. Although implementational details will vary, most digital signatures are likely to be protected with at least a passphrase, a more complex version of the PIN number that protects most bank cards today. Some digital signatures may require both a passphrase and a hardware token (for example, a smart card), or even the passphrase, the hardware token, and a biometric authentication (for example, a thumbprint scan). In the absence of the most heroic biometric security measures, however, the consumer is at risk that someone will acquire the hardware token and either guess the passphrase or obtain it by eavesdropping or some other means. If this happens, the Utah legislation creates a spectre of unlimited liability that can only be capped once the consumer reports that the digital signature has been compromised. Since there is likely to be a lag between loss of control of the signature and discovery of that fact, a reasonable consumer might well choose to avoid this risk by not creating a digital signature at all.{121} Utah's presumption seems considerably less unreasonable when applied to large sophisticated organizations using the signatures for substantial transactions.

A.Liability for Erroneous Certificates

Inevitably, certificates will issue with false statements, and third parties will rely on them to their detriment. In the absence of much state{122} or federal regulation, it will fall to the courts to determine who should bear the liability when this happens. They will have a difficult task.

1. Is a CA Selling a Good or a Service?

The difficulties in determining a CA's duties and liabilities begin with how one characterizes the CA's provision of a certificate: is the CA providing an investigative service of which the certificate is an embodiment or memorial much like a lawyer's opinion letter or a valuer's opinion or is the certificate that the CA is selling a good, or is the transaction a mixture of a good and a service? The characterization determines whether Article 2 of the Uniform Commercial Code (UCC) applies to the CA's provision of a certificate.

If the CA is selling a good, then Article 2 of the UCC applies.{123} If Article 2 applies, it brings with it a menu of default rules, as well as provisions for statutes of limitation and express and implied warranties including, in particular, the implied warranty of merchantability{124} and the warranty of fitness for a particular purpose.{125} Article 2 of the UCC also imposes limits on the disclaimers of those warranties.{126} Article 2 of the UCC is not, however, uniform in ways that would matter greatly to CAs, their customers, and relying third parties. For example, section 2-318 of the UCC offers states a choice of three different rules governing the seller's warranty liability to third parties. One version of section 2-318 limits the run of the CA's warranties to persons in the family or household of the buyer,{127} but leaves the common law unchanged as to the effect of the warranty on other persons in the distributive chain. {128} A CA in such a state will have whatever liability to third parties the common law of the state imposes: for example, the liability for negligent misrepresentation discussed below. The UCC's second version of section 2-318 extends the run of the CA's warranties to all natural persons who may reasonably be expected to use . . . or be affected by the goods. {129} CAs subject to this provision will find that they are subject to warranty claims for defective (that is, erroneous) certificates to all natural third parties, since the reliance of such third parties could reasonably be expected. The UCC's third version of section 2-318 includes artificial as well as natural persons among the third parties who can make warranty claims.{130} CAs in such states will provide the certificates that should, all other things being equal, command the most trust; they also will face the largest potential liability. The problem from the point of view of a person trying to decide whether a certificate is reliable is that they will not necessarily know which of these provisions happen to apply unless the certificate tells them. In addition to the three official versions of section 2-318, a number of states use formulations of their own, further complicating matters.{131} If the UCC applies to the sale of a certificate, this lack of uniformity could impose a large burden on Bob when Alice asks him to accept Carol's certificate. Unless Bob and Alice happen to live in the same state as Carol, they will need to know which state's law applies, and whether that state's law allows Bob to take comfort from Carol's express and implied warranties about the reliability of her certificate.

If, on the other hand, the CA is selling a service, then the UCC Article 2 is by its own terms inapplicable.{132} It is not obvious that Article 2 should apply to the provision of a certificate. UCC section 2-105(1) defines goods as all things . . . which are moveable at the time of identification to the contract for sale other than the money in which the price is to be paid, investment securities . . . and things in action. {133} Since a certificate is highly movable, it might seem to be a good under this definition. This temptation should be resisted: a certificate is only a little closer to the classic definition of a movable good than is a surveyor's or valuer's report. A certificate resembles a professional's opinion in that a certificate ordinarily is the tangible memorial of a process of analysis in which the subject's credentials were checked in some manner. On the other hand, a certificate differs from a professional's opinion in some ways that may be relevant. Any trustworthy CA will be managed by a professional -- someone who knows how to run a trustworthy computer system -- but it is not inevitable that the actual checking of credentials in all cases will be the sort of activity traditionally undertaken by professionals. If Carol's certificates are founded on checking the subject's passport, it may well be that the person who actually examines Alice's passport and issues her certificate is a clerk who has been trained in passport authentication, not an expert like a surveyor or valuer. There is no policy reason, however, why the classification of a certificate as a good or service should turn on whether the person making the report happens to be a professional. Furthermore, the certificate is not the only thing that the CA sells. In addition to the certificate and the investigatory services that it embodies, the CA also maintains (or contributes to) a CRL, without which a certificate is untrustworthy and thus of little or no value.{134}

Courts may, however, with some justice, view the CA's role as combining elements of provision of a service and the sale of a good. In such mixed cases, courts consider the applicability of Article 2 of the UCC to be a question of fact concerning the nature of the transaction. If the seller is providing a hybrid of a good and a service, the majority of states use a predominant factor test to determine whether Article 2 of the UCC should apply.{135} Under this test, the court attempts to determine the parties' intentions as to what was important. If the transaction is predominantly for the sale of goods, Article 2 of the UCC applies; otherwise it does not.{136} Other states either use a final product test which looks at what is left when a contract is completed,{137} or attempt to determine which classification best serves public policy.{138} As the courts have failed to achieve anything approaching uniformity in how they characterize the facts about mundane transactions,{139} it is entirely possible that courts in different jurisdictions will disagree about how best to characterize a CA's provision of certificates in the absence of legislation. Furthermore, some courts divide hybrid sales into the provision of a good and a service and then apply Article 2 of the UCC to the goods portion of the transaction.{140} CAs may be able to manipulate this characterization in some jurisdictions. For example, a CA that gives a client a certificate may be more likely considered to be selling a good than a CA that enters into a service contract by which the CA agrees to make the certificate available on a Web page to all who wish to see it.

The view that a CA is providing a service (or a hybrid in which the service element predominates) appears more convincing than the alternative under either the predominant factor test or the final product test.{141} Although it is true that a CA provides a movable thing to the client, that thing is digitized information{142} which is essentially useless without other supporting information provided by the CA on a continuing basis. To issue a certificate worthy of trust, the CA must: (1) have a valid and verifiable certificate of its own; (2) conduct the inquiry on which the certificate will be based; (3) accurately state facts in the certificate, including both the facts about the subject and the facts about the CA's investigation; and (4) maintain a CRL.{143} The CA's continuing duty to maintain the CRL in a form that can be rapidly and efficiently used by persons wishing to rely on a certificate is in itself significant evidence that the service element predominates in what the CA is selling. On the other hand, a CA which does no investigation at all and/or a CA that does not maintain a CRL may not be providing a service. In that case, there is a real question whether the good being offered is fit and proper for its purpose.

Article 2 is being revised to extend its reach to intangibles such as computer software and data.{144} Thus, even if a certificate is outside the scope of Article 2 today, it does not necessarily follow that it will be outside the scope of Article 2 as ultimately revised. Nevertheless, so long as the revisions do not extend Article 2 to services, the argument that the service aspect of maintaining the CRL predominates over the sale of data as a good should remain valid.

A decision that a CA provides a service does not resolve all the ambiguities about a CA's liabilities in the absence of legislation, but it does provide a framework in which questions can be asked and answered. The next section briefly examines one of the ways in which a CA might face liability in the absence of a statute or other norms defining the rights and duties of a CA in order to demonstrate the legal complexities created by the introduction of a CA into a transaction. Of course, some scenarios are easy: if a CA is willfully or grossly negligent, or a CA conspires with the subject of the certificate, the CA should obviously be liable for its acts and omissions. Other scenarios, beyond the scope of this preliminary exploration, are not as straightforward. These include:

2. Misrepresentation, Whether Wilful or Negligent, of CA's Client, Not Detected by CA

Assume that Alice makes a negligent or wilful misrepresentation when procuring a certificate from Carol, a CA. The misrepresentation might be about Alice's identity, or her credit rating, or her employment. Carol fails to detect the misrepresentation. Alice then uses the certificate to transact with Bob, but either fails to pay or defrauds Bob in some manner. Assume further, for simplicity, that Bob can show that his reliance was reasonable,{150} that he would not have transacted with Alice but for her presentation of a verifiable certificate, and that the misrepresentation was material to the transaction.

If Carol made representations in the certificate as to the level of the inquiry used to verify Alice's claims about herself, the first issue is whether Carol should have detected Alice's misrepresentation given the promised level of inquiry. If Carol's practice statement proudly advertises that certificates are handed out to all comers, without any checking whatsoever, it is difficult to see how Carol could justly be accused of any form of negligence, assuming she accurately parroted Alice's claims, as long as it remains unreasonable to assume that all CAs conduct a minimum level of verification of their customers' assertions.{151} At this early stage in the development of certificate-backed electronic commerce, there are no usages of trade that might help define the standard of care that one might expect of a CA. There are, at present, no licensing or professional bodies whose standards could serve as the basis for a legal norm.{152} Perhaps some day CAs, like doctors and lawyers, will not be allowed to disclaim a minimum degree of investigation, or will only be allowed to disclaim after getting the client to acknowledge informed consent based on reading harrowing disclosures of the risks, but in the short term the representations contained in the certificate itself are likely to be the starting and ending point for defining the CA's duty to investigate.{153}

If, however, Carol claims that her certificates only go to people she has thoroughly investigated, {154} it may be reasonable to find that she was negligent in issuing the certificate containing the false information submitted by Alice. By asserting that she conducted an independent investigation, Carol negates any defense she may have as a mere republisher of Alice's statement.{155} And if Bob has reasonably relied on Carol's certificate to his detriment, Carol may be liable to Bob under either contract or tort principles.{156}

a. Liability in Contract for Negligent Misstatements
Carol's potential contractual liability depends in part on with whom she has a contract. Carol's contract may be with Alice, the subject of the certificate, or it may be with another party, such as Alice's employer. But Carol does not have a contract with Bob, Alice's victim, who is the person most likely to sue. Nor does she have a contract with David, who was impersonated by Alice.
(i) Liability to Alice
If Alice benefited from Carol's error, she is unlikely to sue. If the error hurt Alice in some way, Alice's claim turns on Carol's failure to detect Alice's own error. In such cases, Alice's recovery is likely to be limited by her breach of contract in misinforming Carol. Even if Alice were able to persuade a court to grant her compensation, the measure of damages is likely to be restitution (that is, whatever Alice paid for the certificate) since she appears to have neither a reliance interest nor an expectation interest.{157}
(ii) Liability to Alice's Employer
Carol may have issued Alice's certificate at the request of Alice's employer, TED Corp. By failing to detect the falsity of Alice's claim that she was TED's Vice President in charge of purchasing when in fact she was a file clerk, Carol may have breached her contract with TED Corp. If Alice used the certificate in a way that harmed TED Corp, perhaps by buying tickets to Rio, TED Corp has a contract claim against Carol, although Carol again may have a partial defense of contributory negligence on the part of TED Corp's apparent agent, Alice, and possibly against anyone else at the company who may have corroborated her claims. Again, the measure of damages is likely to be restitution, since there is neither a reliance interest nor an expectation interest, although this time the amount of the contract may be somewhat larger.
(iii)Liability to Bob, Whom Alice Defrauded
Bob's hope of recovering under the contract between Carol and Alice (or Alice's employer) turns on his ability to characterize that contract as a third-party beneficiary contract of which he was an intended beneficiary.{158} Bob's ability to so characterize himself may also affect his right to recover in tort in states that adhere to a strong privity rule.{159}

Traditionally, Bob's hopes would have been slim. The first Restatement of Contracts divided third-party beneficiaries into three classes: donee beneficiaries, creditor beneficiaries and incidental beneficiaries. {160} Incidental beneficiaries have no contractual right against either party to the contract.{161} Bob is not a creditor beneficiary because the purpose of the contract between Alice and Carol is not to confer a gift on him. According to the first Restatement, Bob is a donee beneficiary when it appears from the terms of the promise in view of the accompanying circumstances that the purpose of [Alice] in obtaining the promise . . . is . . . to confer upon [Bob] a right against [Carol] that Bob would not otherwise have.{162} While it is certainly correct that Alice procured the certificate from Carol in order to show it to people like Bob and that this type of use was foreseeable, ordinarily there would be little reason to believe that Carol knew or should have known that Alice intended to show the certificate to Bob. In the era when privity reigned, Bob would not have been able to claim to be an intended beneficiary of the agreement without being specified as such when Alice procured the certificate.{163}

Today, the picture is murkier.{164} The Restatement First test, the intent-to-benefit test and its variations, and the Restatement Second tests are all inadequate and indeed largely meaningless. {165} Courts have relaxed the privity requirement in contract, as in tort,{166} replacing it with tests such as

the balancing of various factors, among which are extent to which the transaction was intended to affect the [beneficiary], the foreseeability of harm to him, the degree of certainty that the [beneficiary] suffered injury, the closeness of the connection between the defendant's conduct and the injury, and the policy of preventing future harm.{167}
Nevertheless, courts remain reluctant to allow everyone be a potential third-party plaintiff in contract actions.{168}

Bob's position is not much clarified by the Restatement (Second) of Contracts, which provides that a third party may enforce a contract if he is an intended beneficiary, that is, if recognition of a right to performance in the beneficiary [Bob] is appropriate to effectuate the intention of the parties and . . . the circumstances indicate that the promisee [Alice] intends to give the beneficiary the benefit of the promised performance. {169} Whether the contract between Alice and Carol was for Bob's benefit or for Alice's depends entirely on how one chooses to look at it. Alice procures the certificate in order to induce Bob to transact with her. Alice wants Bob to rely on the certificate; perhaps Carol does also since this enhances the market for her product.{170} But Alice wants Bob to rely because it benefits her, not because it benefits him. The glass is either too empty or too full. Either the holder of the certificate, Alice, is the intended beneficiary because the certificate gives her something to show to Bob, or Bob is the intended beneficiary because without the benefit he will not transact with Alice.{171} Either no third party is intended or they all are.

(iv)Liability to David, Whom Alice Impersonated
Suppose that Alice persuades Carol to issue a certificate stating that Alice is David, an innocent third party. Alice then uses this certificate to defraud Bob, or just runs up a large number of debts she fails to pay. David may be justly aggrieved when a parade of unhappy Bobs comes to his door demanding payment. At the very least he will waste time straightening out the mess; his credit rating may be damaged; he may have to pay a lawyer. Like Bob, however, David's remedies, if any, are in tort. Indeed, David's contractual case is nonexistent since there is not even an argument that David was an intended beneficiary of the agreement.
b. Liability in Tort for Negligent Misrepresentation
Recovery in tort is generally premised either on the breach of a duty of care, or on strict liability.{172} Unlike their contract claims, the various parties' tort claims will in no way be undermined by any breach of contract Alice may have committed in misrepresenting facts to Carol, except of course for Alice, who may suffer from estoppel, unclean hands, or comparative fault. If Carol has a tort duty to issue accurate statements it exists outside the contract. Nevertheless, the contours of Carol's duty of care will, to a great extent, be defined by the representations she makes about the level of inquiry she promises to make before issuing a certificate. In a sense, therefore, the contract does define the tort;{173} anyone who relies on the certificate can reasonably be expected to take the trouble to read the terms incorporated into the certificate. For example, if Carol says in her certification practice statement, incorporated by reference in the certificate, that she requires applicants to show their passports, but in fact failed to ask Alice to show hers, she is guilty of negligence. Or, if Carol says that she checks passports, and did so, but failed to notice that Alice presented a crude forgery that could have been detected with ordinary care,{174} she is guilty of negligence. Conversely, if Carol did everything she said she would do, but Alice proffered a superbly faked passport, then Carol is not guilty of negligence. Bob and David may still be able to recover in this last case, however, if Carol is strictly liable for the accuracy of her certificates.{175} Even if Carol is not strictly liable, David may be such an attractive plaintiff that he stands to recover if his lawyer can find a way to get him to the jury.{176}

If Carol, the CA, breaches her duty of care in checking the facts about Alice recited in the certificate, she potentially is liable for making a negligent misrepresentation.{177} This liability may run to Bob (Alice's victim), to David (if Alice impersonated him), to Alice's employer (if the certificate was pursuant to a contract with the employer) and perhaps even to Alice, subject to her contributory or comparative negligence or unclean hands if she committed a fraud.{178}

A threshold issue, however, is to whom the negligent misrepresentation in the certificate is addressed. If Bob got his copy of the certificate from Carol's Web site where she publishes certificates, Bob has a tort claim for a negligent misrepresentation that Carol made directly to him, although contract privity is absent.{179} David cannot make this claim -- he is a third party and his ability to recover depends on how the applicable state's law treats third parties claiming injury from negligent misrepresentation to another. On the other hand, if Carol gives the certificate to Alice and Alice sends a copy of it to Bob, the negligent misrepresentation was made to Alice, and Bob is reduced to a third party.

States differ greatly on when a third party can obtain redress for negligent misrepresentations.{180} Some require only that the third party's reliance be foreseeable; most follow the Restatement (Second) of Torts rule which is an uneasy, and sometimes unclear, compromise between the two views; a few require contract privity.

(i) Foreseeability States
A small, but perhaps growing,{181} number of states determine who may bring a third party negligent misrepresentation claim by applying traditional tort analysis focusing on foreseeability. Carol clearly would be liable to Bob in these states, regardless of how he obtained the certificate, since it is completely foreseeable that persons such as Bob would rely on the certificate. Carol should be liable to David as well, since it is foreseeable that a person whose good name is misappropriated in a certificate will be harmed. Both the equities and an economic analysis favor David since he is completely innocent, had no notice, and there is nothing he could have done to protect himself from Alice.
(ii) Restatement States
Most states follow the rule set out in section 552 of the Restatement (Second) of Torts{182} and allow a third party to sue if he is within the group of actually foreseen (not all foreseeable) users, the limited group of persons for whose benefit and guidance to whom the author knows the recipient intends to supply the statement.{183} Unfortunately, the Restatement rule is difficult to apply to a CA. The potential class of persons who will be shown a certificate and asked to rely on it is large, much like an appraiser's or accountant's report. Indeed, the potential class is as large or larger than those who might rely on a report regarding a publicly traded security; the possible transactions are more diverse and the reliance by the third party is more likely to be a but for element of the transaction. Furthermore, any CA must be aware of these facts. Because the whole point of having a certificate is to enable the holder to show it to someone who will rely on it, there is no question that the recipient of a valid and verifiable certificate should be within the zone of foreseeable users, that is, among those entitled to justifiable reliance. {184}

The problem with this line of reasoning, however, is that it seems to prove too much. While section 552 of the Restatement (Second) is not a model of clarity, it is a compromise that was not intended to expand the class of potential third-party plaintiffs to the entire world.{185} The class of potential users of a certificate is all users of electronic commerce, indeed all users of e-mail or the World Wide Web, which may equal a good fraction of the world someday; allowing a right of action to this entire group threatens to collapse into the foreseeability test, and thus to exceed the boundaries that section 552 was designed to create. There has been a trend toward allowing third parties to assert negligent misrepresentation claims against professionals, but this trend has not been uniform across states, nor even across professions within individual states.{186} Some have argued that professional opinions such as audits are intended primarily for the benefit of third parties and that accountants should therefore be liable to these essentially foreseeable parties,{187} but many others strongly oppose this idea.{188} Part of this debate concerns the extent to which accountants can foresee the uses to which their clients will put their work product, but commentators have also argued that unfettered liability is disproportionate to the wrong, might discourage socially useful behavior (such as audits of litigation-prone industries), might be expensive to administer, or might otherwise impose greater social costs than benefits.{189}

The CAs' circumstances are materially different from the accountants' in one important respect. If Bob acquires a certificate from Alice, that certificate has almost no value to Bob except as a means of facilitating transactions with other parties.{190} Every recipient of a certificate who suffers because of the CA's negligence thus falls squarely within the Restatement (Second) section 552 class of persons who suffer loss through reliance upon [the negligent misrepresentation] in a transaction that [the CA] intends the information to influence or knows that the recipient so intends or in a substantially similar transaction. {191} It may be that the CA's resulting liability is unfairly large or socially detrimental, but it is hardly incidental or unexpected.

(iii)Privity States
A few states, notably New York, still follow the older rule that if Bob is a third party he can only recover for Carol's negligent misrepresentation to Alice (that Alice then furnished to him) if he is in a relation of privity with Carol, although some of these states slightly relax the qualifications for privity.{192} The policy reason for attempting to limit the class of potential plaintiffs claiming negligent misrepresentation is in deference to what are considered to be legitimate fears of indeterminate liability to third persons. In the infamous words of Justice Cardozo in Ultramares Corporation v. Touche, If liability for negligence exists, a thoughtless slip or blunder, the failure to detect a theft or forgery beneath the cover of deceptive entries, may expose accountants to a liability in an indeterminate amount for an indeterminate time to an indeterminate class. {193}

The classic cases about negligent misrepresentation, such as Ultramares, involve a common fact pattern in which Bob receives Carol's negligent misrepresentation (regarding, for example, an accountant's report) from Alice. If Bob got the certificate from Alice, his third party negligent misrepresentation claim hews closely to the Ultramares facts, giving Bob little hope of recovery against Carol in a privity state.

Bob's position in a privity state such as New York is more complicated if he got Alice's certificate directly from Carol's Web site. It is as if the accountants in Ultramares had published the accounts to the world with their client's consent. Yet, Bob still has no contract privity with Carol. As a formal matter, staying squarely within the language of Ultramares, Bob's claim is unchanged. Nor does the direct provision of the certificate have any formal effect on Bob's status as a potential third-party beneficiary of the contract a status that would substitute for privity{194} since Carol and Alice's intentions are a necessary element of Bob's third-party beneficiary contract claim,{195} and their intentions are not affected by the mode of delivery.

Carol's claim that she did not foresee Bob's reliance rings particularly hollow if she placed Alice's certificate on the World Wide Web herself rather than giving it to Alice; Bob's claim of justifiable reliance on a certificate published by Carol in this manner seems strong. Nevertheless, since a certificate issued by Carol is used, foreseeably, by the same people in the same way for the same purposes regardless of whether it happens to pass through Alice's hands on the way to Bob, it seems overly formalistic to make a distinction between the legal consequences of the two distribution models. Indeed, with the exception of the case where Alice notifies Carol that she intends to give Bob the certificate, Bob is just as much or as little an intended third party beneficiary whether Alice publishes the certificate or Carol does. Because in practice the two distribution methods are barely distinguishable, especially when one considers that Carol continues to manage the CRL regardless of who distributes the certificate, there is a danger that Bob's tort claim would fail in a strong privity state such as New York even if he got Alice's certificate directly from Carol.{196}

Whatever this result may say about general tort principles applicable in New York, it is not a sensible result in the special context of a CA who issues a certificate at the request of a client, particularly if the CA publishes the certificate. The rule in Ultramares was crafted to protect accountants and other professionals from being subjected to unforeseen, arguably unforeseeable, liability by the actions of a client in cases where the person issuing a report could reasonably believe that the report was for the client's own, private, use.{197} A CA issuing a certificate, especially an identifying certificate, knows full well that the client's entire purpose in acquiring the certificate is to show it to third parties who will rely on it. By publishing the certificate itself, the CA removes itself from the Ultramares facts. Even if the client publishes the certificate, the CA must logically know that the client intends to do so. The CA cannot, therefore, credibly claim surprise when an unknown third party relies on the certificate in a manner consistent with the CA's representations in that certificate because the certificate exists solely to be relied upon by strangers. The common law should reflect this reality, particularly in the case where the CA itself is the publisher, even in a strong privity state.

(iv)Strict Liability for CAs?
Strict liability is most commonly applied in cases involving goods, such as defective products, and ultrahazardous activities. Furthermore, strict liability traditionally allows recovery for personal injury but not for economic loss. Traditionally, strict liability would thus seem to have had little to do with the issuance of certificates: they are not ultrahazardous in the usual sense of the term,{198} and they are probably not products. {199} However, one commentator suggests that a certificate which used a faulty algorithm to produce the CA's digital signature might be found to have a design defect.{200} Given that some jurisdictions separate hybrid good-service transactions into the part that is a good and the part that is a service,{201} it may be useful to consider briefly the economic principles that might underlie the imposition of strict liability as they apply to certificates as goods. Indeed, there is a policy argument that a regulatory approach to the law of certification authorities might want to take these factors into account in assigning liability, particularly in the absence of the consensus as to what constitutes due care for a CA needed to give teeth to the CA's duty of care.

Imposition of a strict liability regime eliminates the need to 107 find privity: liability follows the good.{202} There is no requirement that plaintiff show fault by defendant; instead, the sole issue is whether the product performed adequately. The Restatement (Second) of Torts section 402A imposes strict liability on products with an unreasonably dangerous defect.{203} Prosser defined this class of products as those which are not safe for such a use that can be expected to be made of [them], and no warning is given. {204}

The Learned Hand test, as reformulated by Dean Calabresi, suggests that courts should impose strict liability on the least- cost avoider.{205} As between Carol and anyone but Alice, Carol will in most cases be the least-cost avoider of the loss caused by an inaccurate certificate. If Alice and Bob are strangers, Bob has no means of testing the validity of the representations in the certificate: his inability to confirm Alice's claims about herself is the precise reason he wants the certificate in the first place.{206} As between Carol and Alice, however, Alice is ordinarily the least-cost avoider of Alice's errors.

The net effect of a policy that makes Alice strictly liable to everyone for her own errors in a certificate, and makes the CA strictly liable to everyone but Alice for the CA's failure to detect Alice's misstatements, would be to turn the CA into an insurer for Alice's veracity in every case where Alice disappears or lacks the assets to satisfy a judgment.{207} There is also a danger that imposing strict liability on Carol removes the incentive for Alice to take care that her statements to Carol are accurate. For Carol to agree to be a CA under these terms would require that Alice provide either extraordinarily strong assurances as to her claims, or that Carol charge prices large enough to pay for a generous insurance cover.

B.Contractual Attempts to Limit Private CA Liability

Even absent strict liability, the current uncertainty as to the state of the law gives a CA an incentive to be overcautious. A lawyer retained by a CA is likely to respond by attempting to have the CA disclaim any responsibility for anything it says. Thus, for example, the disclaimer offered by an early entrant to this market, in its standard contract with purchasers of certificates entitling them to run a Netscape-compliant secure server, states:
Leaving aside the issue of the enforceability of this language, especially as applied to third parties,{209} if Carol in fact makes no representation or warranty that the holder of one of her identifying certificates is in fact the person or organization it claims to be with respect to the information supplied to Carol, and if she also disclaims the accuracy, authenticity, integrity, or reliability of information the certificate provides, one is entitled to ask how much point there is to having one of Carol's certificates.{210} The answer depends primarily on what Alice and Bob decide they need in order to feel comfortable transacting with each other. If a certificate provides transactional confidence, at least in the absence of alternatives, then it suffices. Carol's desire to protect her service's reputation may, in any case, provide Alice and Bob with some comfort that Carol has been verifying the accuracy of Alice's assertions.

Similarly, because the law today offers a CA no obvious means of pegging its liability according to the degree of investigation that went into a certificate, a CA in operation today may seek to reduce its liability to the minimum. Again, VeriSign provides an example in its standard contract:

With this disclaimer, the CA seeks to limit its liability to its client for anything other than its own willful misconduct to the amount the subscriber paid for the certificate, which is likely to be a very small sum in most cases. The desire to limit liability in this manner is a response to the largely unpredictable and potentially capacious liability that a CA might encounter in the absence of a statute or other norms defining its rights and duties. Unfortunately, this response threatens to undermine the certificate itself. A certificate that contains a warning that it is not to be trusted seems ill-suited to fill a trust-building role in electronic commerce. A world in which such warnings are routinely given and routinely ignored suggests that at least one party's expectations will be disappointed.

C.Is CA Legislation Needed to Resolve Liability for an Erroneous Certificate?

A CA's fundamental duty, whether in contract or tort, should be to make accurate representations in a certificate. In a certificate worthy of reliance, these representations will concern not only facts about the subject of the certificate, but also facts about the CA itself. To inspire confidence, a certificate should state (or incorporate by reference) the identity of the CA, the facts upon which the identification of the subject of the certificate is based, the degree of investigation performed by the CA to confirm the facts stated by the subject of the certificate, the start and end dates of the certificate's validity and the location of the relevant CRL. CAs might choose to include additional information, such as a recommended reliance limit for transactions based on the certificate.

One can imagine that as the number of CAs grows, certificates will eventually begin to be issued that bear all the indicia of reliability through the operation of market mechanisms. This is an uncertain process, however, and it is not instantaneous. Furthermore, the existing uncertainty about the substantive law applicable to CAs increases the risk involved in running one. All other things being equal, this will raise the cost of certificates, as risk-averse parties may be unwilling to enter the market, reducing the number of competitors.

1. The Case for Legislation

The case for legislation begins with the observation that the legal climate for CAs is uncertain. Uncertainty increases costs and discourages transactions.{212} In the case of CAs it threatens to produce overpowerful incentives for CAs to underproduce certificates and/or disclaim all liability for certificates, which threatens to limit their utility.{213} It is also likely to lead to considerable litigation until all the relevant rules are identified.

As we have seen, absent legislation a CA's liability is potentially high. Much of the social benefit of having a certificate-based system of electronic commerce is foregone if Carol's exposure to liability is so high that the cost of insurance is enormous. In that case Carol will self-insure, and declare bankruptcy if a large claim is decided against her, which does not help the injured parties and creates a risk that CAs will not last. Alternately, Carol will have to charge high prices and issue few certificates, which also defeats the purpose of the system.

A CA's liability can be fixed by legislation, but this requires a policy choice as to what the appropriate level of liability should be. The Utah Act provides one model. Under that Act, a CA that complies with relatively onerous requirements{214} is granted a safe harbor from consequential damages, and indeed from most liability in excess of a reliance limit stated in the certificate, even if the CA itself is guilty of a negligent misstatement.{215} It is certainly possible to imagine other levels at which the CA's liability might be fixed in the event that it is negligent, levels which create an additional incentive to be careful but fall short of open-ended liability.{216}

Another reason legislation might be needed is to make provisions for certificates issued by a CA that later goes out of business. A CA cannot recall all of its certificates; a bankrupt CA might have no incentive to even notify its former clients that it was ceasing operations. Some certificates, particularly transactional certificates, may be on documents with a long lifespan. The need to check the validity of the digital signatures on a deed may not arise until many years after it is affixed, but the need is no less real. If the CA is to go out of business in a manner that does not undermine the utility of such certificates, someone must be found to store the certificates that validate the CA's key and to take over the management of the CA's CRL, without which all of its certificates must be considered unreliable.{217}

Legislation may also serve the goal of consumer protection (depending on its content), since a statute can require that CAs carry insurance or reserves to meet any claims for their errors. CAs resemble notaries public in that both verify the authenticity of signatures, and it may follow that, like notaries, CAs require some level of licensing by governmental entities to ensure public confidence.{218}

A single standard should also prevent the duplicative litigation that would otherwise be required to identify the relevant rules in many jurisdictions. Furthermore, the likelihood that different jurisdictions will have different liability rules reduces the utility and ease of use of certificates. Without new laws, uniformity among states, much less among nations, is unlikely. The American Bar Association is working on Guidelines for Digital Signatures,{219} and the Commissioners on Uniform Laws are studying the issue.

While the liability and uncertainty arguments have power, the strongest argument for legislation is that it would create an opportunity to standardize the rights and duties of CAs, their customers, and those who rely on certificates, regardless of the jurisdiction in which they happen to reside. It is possible to imagine a system in which users grade certificates according to the liability regime that applies, but it seems unwieldy and inefficient to force users (or their software) to take account of factors such as the effect of the geographical location of the CA and the trading parties on the choice of law. This is especially true when information about geographical location may not necessarily be accessible to participants in Internet commerce.{220} Users cannot reasonably be expected to keep abreast of changes in the law of multiple jurisdictions, and the challenge of programming a certificate system to do more than classify certificates by their reliance limits seems daunting. One can imagine the introduction of yet another intermediary that would perform this rating function, but requiring the introduction of a trusted fourth party to rate trusted third parties seems to be too much of a good thing. A uniform national or even international rule would be much easier to understand and to administer.

2. The Case Against Legislation

The case against new legislation is that it would be too much too soon, and perhaps too unfair. First, although the idea of a CA is not new, commercial CAs are so new that the industry barely deserves to be called a fledgling. At this stage, with few providers, few clients, and few certificates, it is difficult to foresee how certificates will actually be used with sufficient precision to draft rules that will last. Any statute written today, including the Utah Act, is a first draft. Second, it is at least conceivable that the marketplace will provide an adequate solution without regulation. If a competitive market in certificates arises, it is possible that a struggle to the top{221} (or market stratification) may ensue, and that CAs may find that a willingness to back their certificates with at least some kind of guarantee may make their certificates more attractive to clients and third parties.{222}

The clients' interests depend in large part on how they plan to use the certificate. If Alice plans to use the certificate to transact with Bob, Alice wants the least expensive certificate that Bob will find acceptable.{223} Bob, on the other hand, may want a certificate that gives him recourse against the CA if Alice succeeds in defrauding him and turns out to be an imposter. Similarly, Alice's demands regarding the assurances she wants to receive about Bob will play a large role in the level of assurance Bob will want to be able to display. In other words, neither Alice's nor Bob's interests are necessarily well served by a world in which CAs have no liability to either of them under any circumstances. The CA itself may benefit from a regime in which it at least has the option of taking on liability to demonstrate its confidence in the certificates. Although the Utah Act allows CAs to take on additional liability if they want, market pressures arguably may produce optimal outcomes without regulation.

Even if Carol says that her Class A certificates are not suitable to transactions of more than five cents, Alice may be able to use the certificate millions of times in an hour. It might, however, be possible for Carol to say that Class A certificates are only suitable for transactions of five cents or less and that each individual third party may rely on a certificate only once per day. This would impose an additional, but perhaps not unreasonable, recordkeeping obligation on Bob since now he has to make sure that Alice has not used the certificate with him that day. Bob is of course free to dispense with this recordkeeping, but if he does so he bears the risk that the certificate is erroneous because his reliance on the certificate in excess of its terms is not justified. Even if such a scheme were feasible, it would only protect Bob against overreliance on a once-a-day certificate. It would not protect Alice against Mallet's misuse of her signature if he gained control of it. Because a digital signature supported by a valid certificate can be used to transact with a very large number of people in a short period of time, only usage monitoring by the CA itself, or by the CA's agent managing a unique CRL, could turn the reliance limit into an effective protection against multiple use. Unfortunately, there is reason to doubt whether it is technically and economically feasible for a CA to do this;{224} there has been no suggestion that any potential CA is interested in shouldering this substantial burden.

Utah's approach to the CA liability question creates two categories of CAs. Those that comply with the relatively strict requirements of the Utah Act by proving their technical and financial security can benefit from a very safe harbor from liability for erroneous certificates.{225} Noncomplying CAs are left to the tender mercies of the background law. The commentary to the Utah law notes that CA liability limits are justified because one of the principal impediments to the emergence of certification authorities has been the uncertainty of the legal risks such a business would undertake. {226} Indeed, when the Utah Act was enacted in early 1995, there were no commercial CAs offering certificates to the public in the United States, nor were there any as of February 1, 1996.

By early 1996, however, Netscape 2.x browsers came equipped to recognize certificates issued by CommerceNet, MCI Mall, ATT, RSA, and Netscape.{227} Although at this writing these entities have yet to begin issuing certificates on a large scale, it seems plausible that they will do so even in the absence of legislation. If they do begin issuing certificates on a large scale in the absence of legislation, the argument that they require substantial protection from liability in order to enter the market will be at least weakened, and perhaps even proved wrong. Perhaps is, however, the strongest word appropriate at this time. The willingness of large organizations to enter the market in advance of legislation that they may reasonably expect will provide liability shields does not necessarily prove that they would remain willing to issue certificates if it became clear that the legislation was not going to materialize. Some CAs may choose to take a calculated short-term risk to expose themselves to high liability in order to grab market share and create brand name recognition. These same CAs might be unwilling to shoulder the risk in the long term. Nevertheless, to an opponent of legislation, perhaps is good enough since the crux of the argument is that one should wait and see.

Similarly, the opponent of legislation is unlikely to be fazed by the preliminary evidence that fear of liability has forced one CA to include scattershot disclaimers in its certificates.{228} Even if one agrees that if this practice persisted it would risk undermining the utility of certificates, there is arguably little to be gained by legislating before the market for certificate policies has had an opportunity to reach equilibrium.{229}

Finally, if the market requires standardized rules, the competition between states may provide them without federal assistance, as demonstrated by the predominant role of Delaware's corporate law.{230} Perhaps Utah, or some other state, or even a foreign country, will become the address of choice for CAs that wish to signal their trustworthiness.

3. The ABA Digital Signature Guidelines

One of the difficulties in determining the duties and liabilities of CAs in the absence of legislation is the paucity of trade practices or best practices.{231} A further difficulty is that lawyers and judges are generally unfamiliar with the purpose and functions of digital signatures and CAs. The ABA Section on Science and Technology's Information Security Committee is attempting to address these problems with its Digital Signature Guidelines. At this writing, the first, still unofficial, exposure draft is being revised.{232} This Article has avoided discussing the Draft Guidelines because of their preliminary nature and the likelihood that they might change significantly by the time this Article is published. Whatever their final form, however, it is already clear that the Guidelines stand a chance of influencing both the practice and regulation of CAs and that they warrant careful reading.{233}


Persons who are not previously acquainted, but wish to transact with one another via computer networks such as the Internet, will need a means of identifying or authenticating each other. One means of achieving this is to introduce a trusted third party into the bilateral relationship. This third party, a Certification Authority, can vouch for a party by issuing a certificate identifying her, or attesting that she possesses a necessary qualification or attribute. CAs may become essential to much, but not all, electronic commerce. Although at this writing there are few CAs in operation, and what electronic commerce takes place rarely relies on certificates, the dollar value of electronic commerce is forecast to grow quickly. If it does, the demand for CA's services should grow rapidly as well.

Outside the states of Utah and Washington, which have passed comprehensive digital signature acts but currently have no CAs qualified to take advantage of their terms, state rules likely to be applicable to CAs are unclear. Basic concepts, such as whether a CA's sale of a certificate is the sale of a good, a service, or the mixture of the two for UCC Article 2 purposes, remain to be determined. State common-law rules concerning the liability of a CA for negligent misrepresentations in a certificate are anything but uniform, and in some cases likely to be unclear also.

The more general lack of regulatory and legal standardization that these examples evince may prove to be a large impediment to the development of reliable electronic commerce. A national or even possibly international standard for accurately signaling what a certificate promises, and the extent to which a certificate can reasonably engender reliance, may be needed. Such a standard is unlikely to emerge until the relevant legal rules that already exist are identified; the development of standards is also likely to be retarded by the great diversity of legal regimes in different jurisdictions that may be involved in a single transaction. Whether it would be best to produce the needed legal standardization through legislation, the judicial process, or market mechanisms such as the bargaining process and the usages of trade, is debatable. However, until some standardization is achieved, users of digital signatures will find it difficult to determine what degree of commercial reliance to place on a representation in a certificate.

Standards aside, the current uncertainty about the law creates a climate in which CAs have an enormous incentive to understate the reliability of their certificates in order to avoid exposure to liability whose contours are difficult to predict. This understandable behavior undermines the justified reliance that CAs should be designed to achieve; if it persists, legislation to balance CA incentives and liability is likely to become necessary. State legislation holds out the promise of clearer rules and the avoidance of much litigation, but today this clarity comes at the price of having to determine the distributional consequences of mistakes by CAs and the people who use certificates before there is any significant evidence of the nature and patterns of certificate use and abuse.

After a reasonable period of experimentation in which market-driven certificates that do not purport to be worthless have a chance to surface, it will be appropriate to consider whether the national interest in a functioning national information infrastructure might be better served by uniform national rules. The CA equivalent of Delaware's corporate law might emerge from a competition among state regulatory authorities. If not, uniformity could be achieved via the traditional channels for state law harmonization, such as model laws and uniform acts, or by federal legislation. In addition to these national standards, at least minimal international norms for certificate recognition and CA regulation will become increasingly necessary as electronic commerce becomes more global.