© A. Michael Froomkin, 1996. All rights reserved. Associate Professor, University of Miami School of Law; B.A., 1982, Yale College; M.Phil., 1984, Cambridge University; J.D., 1987, Yale Law School. Internet: froomkin@law.miami.edu. Tom Baker, Caroline Bradley, Patrick Gudridge, Trotter Hardy, Richard Hausler, Francis Hill, Mark Lemley, Jessica Litman, Charles Merrill, Daniel Murray, and Katie Sowle provided helpful comments on earlier drafts of this paper. I am also grateful to Alan Asay, Bob Jueneman, Chuck Miller, and many other past and present members of the ABA Information Security Committee for helpful discussions of many technical questions; Richard Field, Hal Finney, and Lucky Green for sharing their expertise regarding electronic cash and related matters; Ann Klienfelter, Claire Donnelly, SueAnn Campbell and Nora de la Garza for reference and information retrieval help; Rosalia Lliraldi for secretarial assistance; and Erica Wright for research assistance. I am particularly grateful to Keith Aoki, Richard Painter, and the University of Oregon School of Law for inviting me to participate in this Conference on Innovation and the Information Environment. Unless otherwise noted, this Article attempts to reflect legal and technical developments up to February 1, 1996.

1. The FBI estimates that eighty percent of computer crime it investigates involves the Internet. David Icove et al., Computer Crime: A Crimefighter's Handbook 129

2. For an explanation of cryptographic techniques see infra Part I.A-C.

3. See generally A. Michael Froomkin, The Metaphor Is the Key: Cryptography, The Clipper Chip, and the Constitution, 143 U. Pa. L. Rev. 709 (1995).

4. Attempts to do this are in progress. The state of Utah passed a Digital Signature Act in 1995, Utah Code Ann. tit. 46, ch. 3 (1995), and amended it in 1996. Digital Signature Act Amendments, 52nd Leg., Gen. Sess., 1996 Utah Laws 188 (LEXIS, Codes library, UTCODE file) (to be codified at Utah Code Ann. tit. 46, ch. 3) (hereinafter all cites to the Utah Code Ann. incorporate the 1996 amendments). As of November 1995, no certification authorities had qualified under the Utah Act. See Introductory Commentary, History and Current Status of the Utah Act *1, available online URL http://www.state.ut.us/ccjj/digsig/dsut-int.htm. The Information Security Committee of the Section on Science and Technology of the American Bar Association issued the Draft Digital Signature Guidelines for public comment which ended in January 1996. Draft Digital Signature Guidelines, available online URL http://www.state.ut.us/ccjj/digsig/dsut-gl.htm [hereinafter Guidelines]. The Guidelines are currently being revised. The state of California has passed a statute delegating to the Secretary of State powers to make rules regulating the use and verification of digital signatures. See 1995 Cal. Legis. Serv. Ch. 594 (A.B. 1577) (West). On March 29, 1996, Washington State approved a digital signatures statute with an effective date of January 1, 1998. See Washington Electronic Authentication Act, 1996 Wash. Legis. Serv. Ch. 250 (S.B. 6423) (WL, WA LEGIS Library).

5. The Net currently is a universe of browsers rather than shoppers. Larry Marion, Who's Guarding the Till at the CyberMall?, Datamation, Feb. 15, 1995, at 38, 41.

6. Utah Code Ann. Sec. 46-3-309 (1996).

7. Introductory Commentary, History and Current Status of the Utah Act, supra note 4, at *1.

8. Utah Code Ann. Sec. 46-3-201(5).

9. See Bruce Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C 470-74, 501-02 (1996) (stating that security of public-key systems depends on inability of factoring large numbers rapidly or on the continuing inability of mathematicians to solve the long-standing problem of calculating discrete logarithms).

10. This is the classic man-in-the-middle attack. Id. at 48-49.

11. One method of addressing this problem is the web-of-trust approach. See infra note 26.

12. Prototype anonymous Web proxies are in development. See, e.g., Anonymizer FAQ, available online URL http://anonymizer.cs.cmu.edu:8080/faq.html.

13. For a more detailed description of these mechanisms see Brendan P. Kehoe, Zen and the Art of Internet (1992), available online URL http://www.cs.indiana.edu/docproject/zen/zen-1.0_3.html.

14. For example, the organization that created www.trilateral.com is (almost certainly) not the real Trilateral Commission. See The Trilateral Commission, available online URL http://www.trilateral.com (including humorous cites and links to other conspiracies).

15. See, e.g., Community ConneXion, The Internet Privacy Provider, available online URL http://www.c2.org/web.phtml.

16. See Schneier, supra note 9, at 48-49.

17. See infra Part I.D.4.

18. The Utah Digital Signature Law states that:

"Verify a digital signature" means, in relation to a given digital
signature, message, and public key, to determine accurately that:
(a)  the digital signature was created by the private key corresponding 
     to the public key; and
(b)  the message has not been altered since its digital signature
     was created.
Utah Code Ann. Sec. 46-3-103(40).

19. Digital signatures achieve this by computing a hash value of the message and then encrypting the hash value with the user's private key. See infra text following note 59 (describing hash functions). The recipient checks the digital signature by decrypting the hash value with the sender's public key, then comparing the hash value with the hash value of the file received. If the two numbers are the same, the file is authentic and unchanged. See Paul Fahn, RSA Laboratories, Answers to Frequently Asked Questions About Today's Cryptography Sec. 2.13 (1993), available online URL http://www.rsa.com/pub/faq/faq.asc.
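The hash-then-sign check described in notes 18 and 19, as an added example that is not part of the original Article. Textbook RSA without padding, SHA-256, the two constructed toy key pairs and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy keys (textbook RSA, no padding). The primes are Mersenne
# primes picked only so the example is reproducible; never use such keys.
E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


ALICE_N, ALICE_D = make_key(2**127 - 1, 2**521 - 1)
MALLET_N, MALLET_D = make_key(2**89 - 1, 2**607 - 1)


def hash_value(message: bytes) -> int:
    """Hash the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """'Encrypt' the hash value with the signer's private key."""
    return pow(hash_value(message), d, n)


def verify(message: bytes, signature: int, n: int) -> bool:
    """'Decrypt' the signature with the public key and compare hash values.

    A True result establishes both limbs of the Utah definition at once:
    (a) the matching private key made the signature, and (b) the message
    is unchanged. A False result does not say which limb failed.
    """
    return pow(signature, E, n) == hash_value(message)


def demo():
    """Run the three cases a recipient (Bob) can meet."""
    message = b"Pay Bob $100. Signed, Alice"          # constructed message
    signature = sign(message, ALICE_D, ALICE_N)
    forged = sign(message, MALLET_D, MALLET_N)         # Mallet signs "as Alice"
    return {
        "genuine": verify(message, signature, ALICE_N),
        "altered": verify(b"Pay Bob $900. Signed, Alice", signature, ALICE_N),
        "wrong_key": verify(message, forged, ALICE_N),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} verifies: {ok}")
```

Verification only ties the message to a key; whether that key is really Alice's is the separate problem the certificate discussion addresses.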

20. See Schneier, supra note 9, at 38 (noting that a digital signature using a 160-bit hash has only a one in 2**160 chance of misidentification).

21. Even if Bob does not know that the public key belongs to Alice, the key may have value in identifying a series of messages as emanating from a single source calling itself Alice. This property is particularly valuable in establishing the continuity of a pseudonym in public forums, in preventing nym collision (in which two or more parties accidentally use the same pseudonym), or nym hijacking (in which Mallet sends messages signed Alice in order to free ride on the good reputation Alice has accumulated among those familiar with her messages). See A. Michael Froomkin, Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases, 15 Pitt. J.L. & Commerce (forthcoming 1996).

22. See generally Warwick Ford, Computer Communications Security: Principles, Standard Protocols and Techniques 93-101 (1994). The International Telecommunications Union defines a CA as a body trusted by one or more users to create and assign certificates. Michael S. Baum, U.S. Department of Commerce National Institute of Standards and Technology, Federal Certification Authority Liability and Policy: Law and Policy of Certificate-Based Public Key and Digital Signatures 5 (1994) (quoting ITU-T, X.509 Sec. 3.3 (1993)).

23. Warwick Ford, Advances in Public-Key Certificate Standards, SIG Security, Audit & Control Rev., July 1995, at 9, 10.

24. See, e.g., Utah Code Ann. Secs. 46-3-104, 46-3-201.

25. The time stamp from an outside source is essential. Alice cannot trust a certificate from CA3 that claims to have been issued during the safe period because the party forging the certificate could be lying about the time as well. A certificate with an outside timestamp proving that it was issued before CA3's key was compromised can be revalidated by a new, trustworthy certificate from CA3 or any other CA, thereby extending its lifespan considerably. See Dave Bayer et al., Improving the Efficiency and Reliability of Digital Time-Stamping, in Sequences II: Methods in Communication, Security, and Computer Science 329, 332-33 (Renato Capocelli et al. eds., 1993).

26. Certification authorities are not the only means by which strangers can be persuaded to trust each other. An alternate system, called the web-of-trust, blurs the distinction between CAs and users. Every participant in a web-of-trust system is able to issue notices about whom they know and trust, and there is no central authority. In this system, Carol may provide a directory of e-mail addresses and public keys (the key server), but if so, she makes no representations at all as to their ownership or authenticity. Users then provide authenticating statements for each other. Typically this is done by meeting face-to-face and showing identification, and then by exchanging public keys signed with their private keys. Alternately, users can exchange key fingerprints, a short form of the key that points to the key's location on the key server. If Alice wishes to make it easy for people she has not met to contact her securely, Alice must upload these authentications to the key server. If Alice has her key signed by David, whom Bob knows or trusts, Bob can safely assume that the signature purporting to be from Alice is not in fact an impostor's. Suppose, however, that Alice and Bob do not have any friends in common, but that Bob's friend David has signed Ted's key, and Ted has signed Alice's key. From Bob's point of view this is not as good as if David, whom he knows, had signed Alice's key, but it is considerably better than nothing. Bob needs to decide how many intermediaries he is willing to accept before he considers a public key to be unreliable. The increase in the length of the chain of authentication can be offset by finding multiple routes to Alice. For example, Bob may still feel reasonably secure if he can establish three relatively long but independent chains of authentication. See Philip Zimmermann, PGP User's Guide Volume I: Essential Topics (Oct. 11, 1994), available online URL ftp://net-dist.mit.edu/pub/PGP.
This web-of-trust approach is the foundation of the PGP encryption system.

The web-of-trust model has the advantage of being independent of any central authority. It has the disadvantage that it requires Alice either to trust strangers when she has no friends in common with Bob or to accept that there are large numbers of people with whom she cannot securely communicate. In contrast, the CA model is designed to make it possible for all strangers to communicate regardless of whether they have any friends in common, and to define with some precision the degree of trust that they can put in the CA's representations about strangers. This Article discusses CA-based systems, but this is not intended to denigrate the utility of a web-of-trust system. If it is true that all people are within six degrees of separation from each other, the web-of-trust may be a valuable system.
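Bob's decision in note 26 (how many intermediaries to accept, and whether several independent chains offset their length), as an added example that is not part of the original Article and not PGP's own trust algorithm. The signature graph, the names beyond Alice, Bob, David and Ted, and the thresholds (one intermediary for a short chain, three for a long one, three independent chains required) are assumptions.

```python
# Constructed key-signing graph: signer -> keys that signer has signed.
# Bob -> David models "Bob knows David"; David -> Ted -> Alice is the
# chain described in note 26. Every other name is hypothetical.
SIGNATURES = {
    "Bob":   {"David", "Erin", "Frank"},
    "David": {"Ted"},
    "Ted":   {"Alice"},
    "Erin":  {"Grace"},
    "Grace": {"Heidi"},
    "Heidi": {"Alice"},
    "Frank": {"Ivan"},
    "Ivan":  {"Ted", "Judy"},
    "Judy":  {"Alice"},
}


def chains(graph, source, target, max_intermediaries):
    """Return every chain source -> ... -> target as a tuple of intermediaries."""
    found = []

    def walk(node, path):
        for signed in sorted(graph.get(node, ())):
            if signed == target:
                found.append(tuple(path[1:]))       # drop the source itself
            elif signed not in path and len(path) - 1 < max_intermediaries:
                walk(signed, path + [signed])

    walk(source, [source])
    return found


def max_independent(paths):
    """Largest number of chains that share no intermediary.

    Exhaustive search: fine for a personal keyring, not for a large graph.
    A greedy pick can undercount, so every combination is tried.
    """
    best = 0

    def pick(index, used, count):
        nonlocal best
        best = max(best, count)
        for i in range(index, len(paths)):
            members = set(paths[i])
            if not members & used:
                pick(i + 1, used | members, count + 1)

    pick(0, frozenset(), 0)
    return best


def assess(graph, source, target, short_limit=1, long_limit=3, required=3):
    """Accept a key on one short chain, or on enough independent long ones."""
    if chains(graph, source, target, short_limit):
        return "accept: short chain"
    independent = max_independent(chains(graph, source, target, long_limit))
    if independent >= required:
        return f"accept: {independent} independent chains"
    return f"reject: only {independent} independent chains"


if __name__ == "__main__":
    for chain in chains(SIGNATURES, "Bob", "Alice", 3):
        print("Bob ->", " -> ".join(chain), "-> Alice")
    print(assess(SIGNATURES, "Bob", "Alice"))
```

Two of the four chains in the constructed graph pass through Ted, so they count once; a single compromised or careless intermediary cannot then satisfy the independence requirement alone.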

27. See, e.g., The Sun CA's Certificate, available online URL http://www.incog.com/self.html; Internet PCA Registration Authority Root Key Information, available online URL http://bs.mit.edu:8001/ipra.html; Netscape Test Certification Authority, available online URL http://home.netscape.com/newsref/ref/netscape-test-ca.html.

28. Mirroring makes Mallet's job more difficult; however, if Mallet is able to filter all messages from Alice's computer to the rest of the world, no amount of mirroring will defeat him.

29. Warwick Ford, Looking into the Crystal Ball: Certificates Revisited, Presentation at the Worldwide Electronic Commerce Conference (Oct. 20, 1995).

30. See Ford, supra note 23, at 9. The Utah Act defines a certificate as a document that names or identifies its subscriber. Utah Code Ann. Sec. 46-3-103(3)(B). Arguably, this could be read to limit the reach of the Act to identifying certificates. Alternately, one could read the Act to say that any certificate that binds an attribute of the subscriber to the subscriber's public key identifies the subscriber in some manner. This seems the better reading since the Act clearly contemplates certificates other than identifying certificates, and even defines a transactional certificate as a valid certificate incorporating by reference one or more digital signatures, Utah Code Ann. Sec. 46-3-103(37), albeit stating a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference. Utah Code Ann. Sec. 46-3-103(39)(B).

31. Identifying certificates are described infra Part I.D.1.

32. VeriSign, Class 1 Digital IDs, available online URL http:\\www.verisign.com\netscape\class1.html. The name is unfortunate because it implies that an identifying certificate is, or should be, a prerequisite to Internet access.

33. Id.

34. Id.

35. VeriSign, Class 2 Digital IDs, available online URL http://www.verisign.com/netscape/class2.html.

36. VeriSign, Class 3 Digital IDs, available online URL http://www.verisign.com/netscape/class3.html.

37. VeriSign, Class 4 Digital IDs, available online URL http://www.verisign.com/netscape/class4.html.

38. See supra text accompanying notes 32-37.

39. Lawrence O. Gostin, Health Information Privacy, 80 Cornell L. Rev. 451, 459 (1995) (citing Hearing on the Use of the Social Security Number as a National Identifier Before the Subcomm. on Social Security of the House Comm. on Ways and Means, 102d Cong., 1st Sess. 24-25 (1991) (statement of Gwendolyn S. King, Commissioner of Social Security, estimating the cost of reissuing the cards from $1.5 to $2.5 billion)).

40. See infra Part III.A.1.

41. Recall that to verify a digital signature is to confirm that the public key associated with the party whose name appears on the message properly produces a numerical result that uses the plaintext as an input to the algorithm. See supra notes 19-20 and accompanying text.

42. See Ford, supra note 23, at 10. For more on CRLs see infra notes 107-08 and accompanying text.

43. See supra notes 32-38 and accompanying text.

44. See generally International Traffic in Arms Regulations, Pub. L. No. 90-629, 90 Stat. 744 (codified at 22 C.F.R. Secs. 120-130 (1995)) (ITAR). The ITAR are administered by the Office of Defense Trade Controls in the State Department. If the State Department chooses, it can transfer jurisdiction of an export application to the Commerce Department. The statutory authority for the ITAR is the Arms Export Control Act (codified as amended at 22 U.S.C. Sec. 2778 (1994)).

45. Whether such a prosecution could succeed is a question beyond the scope of this Article. Since the instruction to download software is issued by the recipient's computer, an argument can be made that the export is committed by the recipient, not the owner of the software. In any case, the risks incident to being a test case are substantial: up to a $1 million fine and ten years in jail. 22 U.S.C. Sec. 2778(c) (1994).

46. For a discussion of what valid means in this context see supra text following note 42.

47. Succession creates special problems for any system based on public-key cryptography. Any means Bob uses to create a backup copy of the pass-phrase to his private key introduces a new risk to his security. On the other hand, robust social protocols akin to those currently used in banking are needed to permit an executor or heir to enter into transactions that have been designed to require Bob's digital authorization.

48. For an example of an anonymous age credentialing service targeting persons seeking access to over 18 Web services, see Validate, available online URL http://www.zynet.com/~validate/services.html.

49. Transactional certificates are sometimes referred to as attesting certificates or notarial certificates.

50. The Draft ABA Digital Signature Guidelines define a transactional certificate as a certificate for a specific transaction incorporating by reference one or more digital signatures. ABA Draft Guidelines, supra note 4, Sec. 1.30.

51. Or, in some cases, a hash value, see infra text following note 59, and a pointer to the actual document.

52. This example is drawn from the ABA Draft Guidelines, supra note 4, Sec. 1.30.3.

53. See id.

54. In 1994, the Council of the ABA Section of Science and Technology resolved that its Information Security Committee should work with the ABA Standing Committee on Specializations to draft a proposal for ABA accreditation of the CyberNotary as recognized legal specialization. ABA Section of Science and Technology Section Minutes (Aug. 8, 1994) (copy on file with author). For updated information on the CyberNotary project see Theodore Sedgwick Barassi, The CyberNotary: Public Key Registration and Certification and Authentication of International Legal Transactions, available online URL http://www.intermarket.com/ecl/cybrnote.html.

55. See Barassi, supra note 54.

56. See infra Part I.D.4.

57. Bayer et al., supra note 25, at 329. See generally Charles R. Merrill, The Digital Notary™ Record Authentication System A Practical Guide for Legal Counsel on Mitigation of Risk from Electronic Records (June 22, 1995) (footnote omitted from title) (unpublished manuscript, on file with author).

58. See, e.g., Rudolph J. Peritz, Computer Data and Reliability: A Call for Authentication of Business Records Under the Federal Rules of Evidence, 80 Nw. U. L. Rev. 956, 960 (1986).

59. Bayer et al., supra note 25, at 329.

60. See Schneier, supra note 9, at 30-31.

61. See id. at 76.

62. See Bayer et al., supra note 25, at 331-32.

63. See Surety Technologies Homepage, available online URL http://www.surety.com; Schneier, supra note 9, at 78-79; Merrill, supra note 57.

64. Kelley Holland & Amy Cortese, E-Cash Could Transform the World's Financial Life: Where E-Cash Will Take Off, Bus. Wk., June 12, 1995, at 66, 70.

65. This list is an adaptation and simplification of the more formal and extensive list in Mihir Bellare et al., ikp A Family of Secure Electronic Payment Protocols (July 12, 1995), available online URL http://www.zurich.ibm.ch/Technology/Security/publications/1995/ikp.ps.

66. Payment in paper money or coin may create a demand for change. Problems may ensue if Bob lacks the correct change.

67. If Alice is careless, Mallet might be able to obtain Alice's credit card receipt, obtain her credit card number, and use it to run up charges on her credit card.

68. The discussion in the text greatly simplifies reality to underline the differences between face-to-face commerce and electronic commerce. In the ordinary check sale, there may well be multiple banks, since at a minimum, the check is likely to be drawn on one bank, deposited to a second and cleared by a third. Similarly, some credit card transactions involve multiple parties.

69. There is a significant difference between on-line clearance, in which Bob checks that the credit/debit card has sufficient credit/funds before authorizing the purchase, and off-line clearance, in which the purchase is not recorded with the credit card company until after the fact. In either case, transaction recording and customer profiling is possible if an electronic payment mechanism is used.

70. For example, Alice's cash cannot be paid out unless it is stolen; checks cannot be drawn unless Alice's signature is forged, and even then the bank may have a duty to refuse payment. The holder of a credit card or debit card is only liable for the first fifty dollars fraudulently charged to the card. 15 U.S.C. Sec. 1643(a)(1)(B) (1994); 12 C.F.R. Sec. 205.6(b) (1995) (limiting consumer liability to $50 for most unauthorized electronic funds transfers).

71. See 12 C.F.R. Sec. 205.6(b)(2)(ii).

72. The shop suggests, but does not prove, that Bob has attachable assets, since these assets may be encumbered by liens and mortgages with priority.

73. Other than bad publicity, most jurisdictions limit Alice's self-help remedies in the event of a dispute.

74. Consumables, perishables, and easily-copied materials excepted.

75. The UCC supplies a large variety of techniques that address each of these problems, and more. See generally Richard E. Speidel et al., Sales and Secured Transactions 452-60 (1993).

76. Indeed, some firms, notably airlines, commonly switch calls from 800 numbers to operators located abroad. Catherine Cleary, Telemarketing Harnesses Technology and Blarney, Irish Times, Dec. 29, 1995, at sec. 3, supp. 7 (LEXIS, News Library, Curnws file).

77. See Edmund L. Andrews, New Rules Are Approved for Nationwide Caller ID, N.Y. Times, May 5, 1995, at D5.

78. As the volume of trademark infringement suits demonstrates, goods as well as people can be inauthentic.

79. See supra note 71.

80. Typically, merchants do not receive payment from a credit card sale until the repudiation period has passed.

81. The call record may also identify the caller, but this is less certain. The caller could place the call from a pay phone.

82. Whether the exchange is performed simultaneously or in series is up to the parties.

83. See Arnold Kling, Banking on the Internet, available online URL http://www-e1c.gnn.com/gnn/meta/finance/feat/archives.focus/bank.body.html.

84. See, e.g., Electronic Cash, Tokens and Payments in the National Information Infrastructure Sec. 1.1, available online URL http://www.cnri.reston.va.us:3000/XIWT/documents/dig_cash_doc/ElecCash.html. The average U.S. credit card purchase today is $60. Id.

85. Steve Glassman et al., The Millicent Protocol for Inexpensive Electronic Commerce, available online URL http://www.research.digital.com/SRC/millicent/papers/millicent-w3c4/millicent.html, argues that even digital coins are too expensive for microtransactions, and that a new form of scrip needs to be deployed for microtransactions. Proposals for two schemes that may meet the exacting requirements of efficient micro-transactions can be found in Ronald L. Rivest & Adi Shamir, Payword and MicroMint: Two Simple Micropayment Schemes (Apr. 3, 1996), available online URL http://theory.lcs.mit.edu/~rivest/RivestShamir-mpay.ps.

86. Smart cards, sometimes called electronic wallets, also can be configured to be stores of value. Rather than digital cash embodied in coins that are a series of numbers in a cryptographic envelope, an electronic wallet contains a counter that records the amount of money held on the card. Movement of value on and off that counter can be hedged with a number of cryptographic safeguards. For example, cards can be programmed to only accept value from cards that properly identify themselves. Smart cards can be used to transfer value across the Internet if both parties to the transaction have smart cards or the equivalent, and both have computers outfitted with appropriate card readers. For a taxonomy of smart card types see David Chaum, Prepaid Smart Card Techniques: A Brief Introduction and Comparison, available online URL http://ganges.cs.tcd.ie:80/mepeirce/Project/Chaum/cardcom.html.

87. One can also imagine other, less practical, systems, including barter transactions, by which Alice and Bob exchange services or digitizable products (software, poems).

88. In contrast, in one incident, credit card information belonging to more than 20,000 customers that had been stored in an insecure database was compromised. See Jonathan Littman, The Fugitive Game 325, 348 (1996) (reporting apparent copying of credit card records by Kevin Mitnick).

89. Alternately, Alice and Bob may find each other's public keys on a keyserver that is part of the National Information Infrastructure; the keyserver may itself demand a valid certificate as a condition of the listing, or it may contain (optional?) pointers to the databases where the certificates reside.

90. The risk is not negligible; the consumer risks a fifty dollar charge, 12 C.F.R. Sec. 205.6(b), and considerable hassle, plus potential damage to a credit rating. The merchant takes the risk of nonpayment since the credit card company will not pay the merchant if the customer fails to pay.

91. See, e.g., Stefan Brands, Centrum voor Wiskunde en Informatica (CWI), Off-line Electronic Cash Based on Secret-Key Certificates 1-2 (Report CS-R9506 1995), available online URL ftp://ftp.cwi.nl/pub/brands/CS-R9506.ps.Z.

92. Whether Regulation E should apply to electronic money has been a matter of some debate in Congress. See, e.g., Bill's EFTA and Reg E Exemptions Need Reworking, Blinder Tells Panel, BNA Banking Daily, Oct. 12, 1995, at *2 (LEXIS, News library, Curnws file) ("Blinder said that he could support an extensive, and perhaps blanket exemption from Reg E for stored-value cards of $20, but that there are questions about whether such an exemption is appropriate for large amounts transferred over computer networks.").

93. See, e.g., Peter Wayner, Digital Cash: Commerce on the Net (1996) (surveying a large number of existing and proposed systems); Froomkin, supra note 21, at Part III.B.2 (surveying fewer systems in more detail).

94. See generally Froomkin, supra note 21, at Part III.B.

95. Charging and payment might be built into the browser. Alice might program her browser to pay any fee up to a set amount, say two cents, without asking for confirmation. Glassman argues that even digital coins are too expensive for micro-transactions, and that a new form of scrip needs to be deployed for micro-transactions. See Glassman et al., supra note 85.

96. One United States financial institution currently offers a DigiCash implementation with real money. See Mark Twain Banks, Providing Global Investment Solution, available online URL http://www.marktwain.com.

97. See David Chaum, Achieving Electronic Privacy, Sci. Am., Aug. 1992, at *1-2, available online URL http://ganges.cs.tcd.ie/mepeirce/Project/Chaum/sciem.html (discussing electronic cash); Ecash Homepage, available online URL http://www.digicash.com/ecash/ecash-home.html.

98. If the coins are cleared off-line, and the double-spender has received value from the payee, then there is clearly theft from the payee. Whether the double spender can be charged with attempted theft from the bank may depend on whether the relevant jurisdiction allows prosecution for attempted impossible crimes. Since in most protocols the bank checks the validity of every coin before exchanging it for value, there was no possibility that it would actually suffer a loss; the offense against the bank is thus impossible, and in some jurisdictions arguably noncriminal.

99. See infra text accompanying notes 102-04.

100. See Froomkin, supra note 21, at part III.B.3.

101. Electronic writings ordinarily satisfy the Statute of Frauds. See John R. Thomas, Note, Legal Responses to Commercial Transactions Employing Novel Communications Media, 90 Mich. L. Rev. 1145 (1992); Merrill, supra note 57, at 3. A digital time stamp may add evidentiary value. Id. at 1.

102. Whether a digital signature is a signature is beyond the scope of this article. See generally Benjamin Wright, The Law of Electronic Commerce Sec. 16 (2d ed. 1995).

103. For a description of how to obtain an anonymous credit card, see, e.g., Vax-buster, Safe and Easy Charging, 4 Phrack Issue 44, File 20, available online URL http://www.fc.net:80/phrack/files/p44/p44-20.html.

104. Banks are increasingly unwilling to provide truly anonymous bank accounts. See, e.g., William W. Park, Anonymous Bank Accounts: Narco-Dollars, Fiscal Fraud, and Lawyers, 15 Fordham Int'l L.J. 652, 668-69 (1991-92). Governments are increasingly unwilling to allow banks based within their regulatory reach to offer this service, in part because of the Council of Europe Money Laundering Convention whose reach extends beyond Europe. See EuroWatch, Banking Secrecy: Liechtenstein Signs European Money Laundering Convention (July 28, 1995) (LEXIS News library, Curnws file).

105. I am greatly indebted to Hal Finney for alerting me to this scenario.

106. See Froomkin, supra note 21, at part IV.

107. See supra text accompanying note 42 (describing the Certificate Revocation List).

108. A certificate also might be suspended for a brief period, pending inquiries as to whether it should be revoked. A prudent CA that received an emergency telephone call asking that a certificate be revoked might suspend it while waiting for proof that the person making the request had the authority to do so. Cf. Utah Code Ann. Secs. 46-3-306, -307 (providing for suspension of a certificate).

109. Ford, supra note 23, at 9. The ITU was formerly known as the Consultative Committee on International Telephony and Telegraphy (CCITT).

110. Id. at 10, 11.

111. Id. at 12-14.

112. Id. at 13.

113. Peter Sutherland, The Internal Market After 1992: Meeting the Challenge, Report to the EEC Commission by the High Level Group on the Operation of Internal Market (1992), identified consumer uncertainty as a major impediment to the realization of a single European market.

114. Stephen Weatherill, The Role of the Informed Consumer in European Community Law and Policy, 2 Consumer L.J. 49, 59 (1994).

115. For a discussion of the likely reception of digital signatures in Canadian law, see Serge Parisien, Aspects Juridiques et Technologiques des Mécanismes de Signature Électronique: Une Analyse Comparative, available online URL http://www.droit.umontreal.ca/Palais/Invites/AQDIJ/Colloque_10_11_95/Parisien/parisien_udm.html.

116. Because this Article already exceeds the length limits suggested by the editors of this symposium volume, it does not include any discussion of choice of law issues.

117. For a discussion of the liabilities of a public CA, see Baum, supra note 22.

118. See supra note 4.

119. See supra notes 6-8. As this Article went to press, Utah was joined by the State of Washington. See supra note 4.

120. Utah Code Ann. Sec. 46-3-406 (1996).

121. See Benjamin Wright, Eggs in Baskets: Distributing the Risks of Electronic Signatures, available online URL http://www.sig.net/~jbc/signatur.html.

122. See supra note 4 for a summary of state legislation to date.

123. U.C.C. Sec. 2-102 (1994); see also note 132.

124. U.C.C. Sec. 2-314.

125. U.C.C. Sec. 2-315. An example of a claim under section 2-315 might be against a CA that had provided a certificate signed with an insecure key or a key known to be compromised.

126. See James J. White & Robert S. Summers, Uniform Commercial Code ch. 12 (4th ed. 1995).

127. U.C.C. Sec. 2-318, alternative A. This alternative is the most commonly used of the three. White & Summers, supra note 126, at 392 n.3.

128. U.C.C. Sec. 2-318, cmt. 3.

129. U.C.C. Sec. 2-318, alternative B. This alternative is the least frequently used of the three, but it has been adopted in six states. White & Summers, supra note 126, at 393 n.6.

130. U.C.C. Sec. 2-318, alternative C. This alternative, or some form of it, is used in at least eight states. White & Summers, supra note 126, at 393 n.7.

131. White & Summers, supra note 126, at 393 n.8.

132. See U.C.C. Sec. 2-102 ("Unless the context otherwise requires, this Article applies to transactions in goods . . . ."). Proposed revisions to Article 2 may extend its coverage to include service contracts. See Raymond T. Nimmer, Intangible Contracts: Thoughts of Hubs, Spokes, and Reinvigorating Article 2, 35 Wm. & Mary L. Rev. 1337, 1374, 1389 (1994). This change would greatly increase the likelihood that Article 2 applies to the provision of a certificate.

133. U.C.C. Sec. 2-105(1).

134. See supra text accompanying notes 107-08.

135. White & Summers, supra note 126, at 3-4.

136. Id. at 3-4; see also Crystal L. Miller, Note, The Goods/Services Dichotomy and the U.C.C.: Unweaving the Tangled Web, 59 Notre Dame L. Rev. 717, 720-23 (1984).

137. Miller, supra note 136, at 726.

138. Id. at 728-29.

139. See 1 Ronald A. Anderson, Anderson on the Uniform Commercial Code Sec. 2-105:51 (3d ed. 1981); Miller, supra note 136, at 717-20.

140. See White & Summers, supra note 126, at 3-4.

141. Whether this result best serves public policy is a difficult question, one which may become easier to answer once certificate-based electronic commerce becomes more commonplace and CAs have more of a track record.

142. One issue in this context is whether that information is an intangible since it is generally but not universally agreed that Article 2 of the UCC does not apply to intangibles. Several writers have argued that the UCC should apply to software, even though it has properties that make it appear to be an intangible. See, e.g., Andrew Rodau, Computer Software: Does Article 2 of the Uniform Commercial Code Apply?, 35 Emory L.J. 853 (1986); Bonna L. Horovitz, Note, Computer Software as a Good Under the Uniform Commercial Code: Taking a Byte Out of the Intangibility Myth, 65 B.U. L. Rev. 129 (1985). Indeed, the courts that have spoken on this issue appear to be in general agreement that the UCC should apply to software. See Mark A. Lemley, Intellectual Property and Shrinkwrap Licenses, 68 S. Cal. L. Rev. 1239, 1249 n.38 (1995) (noting that most courts and commentators have concluded that distribution of mass-market software constitutes a sale of goods, thus invoking the UCC). It could be argued that a certificate on a disk is more tangible than a certificate on a web site, but this privileges form over substance.

143. ABA Draft Guidelines, supra note 4, Sec. 3.11 cmt. 4.

144. See Nimmer, supra note 132.

145. A CA should not be liable for the ways in which accurate certificates may be used by others. Both the Utah Digital Signature Act and the draft ABA Guidelines create a safe harbor from liability for a CA that has made accurate representations and complied with certain other requirements. See, e.g., Utah Code Ann. Sec. 46-3-304(4)(a) (providing for subscriber's indemnification of CA against claims due to subscriber's misrepresentation); id. Sec. 46-3-309(2) (creating safe harbor against liability in excess of reliance limit stated in certificate for licensed CAs and limiting recovery in tort to compensatory damages). As a general matter, this makes sense: there is no reason why a CA should be involved in Alice's securities claim against Bob if the CA's only involvement was to provide accurate identifying certificates for the people involved. Of course, a different result would be appropriate if the CA provided an attesting certificate that was materially misleading. Different rules might arguably be appropriate for certain consumer transactions.

146. Unless Alice and Carol have made a special arrangement, a CA should have no duty to monitor the use of a certificate that they have agreed will be publicly available. Once notified of a key compromise, a CA should have a duty to publish this in the CRL quickly. ABA Draft Guidelines, supra note 4, Sec. 3.11 cmt. 4.

147. Presumably the critical issue in this scenario will be whether Carol acted quickly enough. The common-law approach to this problem would rely on usages of trade, but it is difficult to do this when (1) there is as yet no trade to speak of, and (2) technology is changing very rapidly.

148. Liability here may in part depend on how the key was compromised. There are differences between an inside job, penetration of Carol's systems by a hacker (perhaps due to bad security), an extraordinarily lucky brute force attack on Carol's key, advances in key-cracking technology (which raise the question whether these advances should have been anticipated), or Carol's failure to update her keys.

149. This scenario resembles a bank dishonoring a check when there are sufficient funds in an account or a credit card clearer erroneously reporting that a credit limit has been exceeded or the card stolen.

150. The degree to which Bob's reliance actually was reasonable may turn on a number of factors. One of the most important is the content of the certificate itself. If the certificate states that it should not be relied on for transactions over five dollars, Bob's reliance on the certificate for a $1 million transaction is unreasonable.

151. But see supra notes 141-43 and accompanying text (suggesting that CA who makes no representations as to service may be selling a good subject to UCC because no service is provided).

152. A document such as the proposed ABA Digital Signature Guidelines, see ABA Draft Guidelines, supra note 4, may in time come to play this role.

153. For a discussion of the similar problem of defining negligence in the absence of established usages of trade for Internet security professionals, see Michael Rustad & Lori E. Eisenschmidt, The Commercial Law of Internet Security, 10 High Tech. L.J. 213, 243-52 (1995).

154. See supra text accompanying note 37.

155. Unless they have reason to know of the errors, publishers and book distributors are not liable for errors in works they publish and sell. See, e.g., ALM v. Van Nostrand Reinhold Co., 480 N.E.2d 1263 (Ill. App. 1985) (dismissing negligence claim against publisher of allegedly unsafe How To book); Cardozo v. True, 342 So. 2d 1053 (Fla. Dist. Ct. App.) (holding UCC did not make book dealer liable to purchaser of cookbook for lack of adequate warnings as to poisonous ingredients used in recipe), cert. denied, 353 So. 2d 674 (Fla. 1977).

156. Other remedies are available if Article 2 of the UCC applies. See supra part III.A.1.

157. See L.L. Fuller & William R. Perdue, Jr., The Reliance Interest in Contract Damages, 46 Yale L.J. 52 (1936) (defining three types of contractual interests).

158. See Restatement (Second) of Contracts Sec. 302 (1979); David M. Summers, Note, Third Party Beneficiaries and the Restatement (Second) Of Contracts, 67 Cornell L. Rev. 880 (1982).

159. See Gary Lawson & Tamara Mattison, A Tale of Two Professions: The Third-Party Liability of Accountants and Attorneys for Negligent Misrepresentation, 52 Ohio St. L.J. 1309, 1319 (1991).

160. See Restatement of Contracts Sec. 133 (1932).

161. Id. Sec. 147.

162. Id. Sec. 133(1)(a).

163. See, e.g., Ultramares Corp. v. Touche, 174 N.E. 441, 445 (N.Y. 1931) (Cardozo, J.). Cardozo wrote: "In the field of the law of contract . . . the remedy is narrower where the beneficiaries of the promise are indeterminate or general. Something more must then appear than an intention that the promise shall redound to the benefit of the public or to that of a class of indefinite extension." Id.; Moch Co. v. Rensselaer Water Co., 159 N.E. 896, 897 (N.Y. 1928) (Cardozo, J.); Restatement of Contracts Sec. 145 (1932); see also Restatement of Contracts Sec. 147 ("An incidental beneficiary acquires by virtue of the promise no right against the promisor or the promisee.").

164. See Harry G. Prince, Perfecting the Third Party Beneficiary Standing Rule Under Section 302 of the Restatement (Second) of Contracts, 25 B.C. L. Rev. 919 (1984) (summarizing wide variety of judicial responses to third-party benefit claims).

165. Melvin A. Eisenberg, Third-Party Beneficiaries, 92 Colum. L. Rev. 1358, 1385 (1992).

166. See William L. Prosser, The Fall of the Citadel (Strict Liability to the Consumer), 50 Minn. L. Rev. 791 (1966) [hereinafter Fall of the Citadel]; William L. Prosser, The Assault Upon the Citadel (Strict Liability to the Consumer), 69 Yale L.J. 1099 (1960).

167. Lucas v. Hamm, 364 P.2d 685, 687 (Cal. 1961) (citing Biakanja v. Irving, 320 P.2d 16, 19 (Cal. 1958)), cert. denied, 368 U.S. 987 (1962).

168. See, e.g., Eisenberg, supra note 165, at 1374; Summers, supra note 158, at 893. Note that the breach by Alice of her contractual promise to tell the truth may not inevitably prevent recovery from Carol by a third party. See Lewis v. Benedict Coal Corp., 361 U.S. 459 (1960). But see Restatement (Second) of Contracts Sec. 309(1)-(2); Eisenberg, supra note 165, at 1413 n.188.

169. Restatement (Second) of Contracts, Sec. 302(1). For a dissection of this section and its associated comments, see Eisenberg, supra note 165, at 1382-84.

170. Furthermore, the courts are not in agreement as to whether Alice's intent, Carol's intent, or their joint intent should control. See Jean F. Powers, Expanded Liability and the Intent Requirement in Third Party Beneficiary Contracts, 1993 Utah L. Rev. 67, 73-74.

171. There is great merit to Professor Eisenberg's complaint that: "the entire enterprise of finding an intent to benefit the third party as an end is misguided. Except in some cases involving true donee beneficiaries, the intent of the contracting parties is typically to further their own interests, not the interests of a third party. Accordingly, the question whether there is an intent to benefit the third party as an end normally cannot generate a meaningful answer." Eisenberg, supra note 165, at 1381.

172. See infra Part III.A.2.b(iv) (discussing imposition of strict liability on CAs).

173. Cf. Restatement (Second) of Torts Sec. 299A cmt. c (1965) ("In the ordinary case, the undertaking of one who renders services in the practice of a profession or trade is a matter of contract between the parties . . . .").

174. The definition of ordinary care is itself an issue. If there is an industry, trade usages may supply a guide, see supra note 147. Otherwise, judges and juries will have to resort to general principles of ordinary care by reasonable people in like circumstances, whatever those may be.

175. See infra Part III.A.2.b(iv) (discussing applicability of strict liability to CAs).

176. Perhaps David's lawyer might accuse Carol of a privacy tort, or of casting David in a false light by identifying him with the evil Alice.

177. The misrepresentation is clearly of a matter of fact, not opinion, as those terms are used in the Restatement (Second) of Torts, Secs. 538A, 548A.

In some cases one could also hypothesize other claims against Carol, including false representation under 15 U.S.C. Sec. 1125(a)(2) (1994) (trademark), which requires neither privity nor negligence, or a privacy tort. If Alice manages to acquire a certificate saying she is David, David may have a tort claim for appropriation of name or likeness, see Restatement (Second) of Torts Sec. 652C ("One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."), or a false light claim against Carol, id. Sec. 652E (publicity placing another in false light that is offensive, based on reasonable person standard, subjects publisher to liability if published with knowledge of or reckless disregard as to falsity), or perhaps even a new tort of impersonation.

178. See 9 Stuart M. Speiser, et al., The American Law of Torts Sec. 32:74, at 367 (1992).

179. There may be interesting choice of law problems if Carol and Bob live in different jurisdictions.

180. See generally Jordan H. Leibman & Anne S. Kelly, Accountants' Liability to Third Parties for Negligent Misrepresentation: The Search for a New Limiting Principle, 30 Am. Bus. L.J. 347 (1992).

181. James R. Adams, No Privity Required for Negligent Misrepresentation Action, 60 Def. Couns. J. 601 (1993).

182. See, e.g., Bily v. Arthur Young & Co., 834 P.2d 745, 773 (Cal. 1992) (adopting Restatement (Second) of Torts Sec. 552 approach). The relevant part of section 552 states:

(1) One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.
(2) Except as stated in Subsection (3), the liability stated in Subsection (1) is limited to loss suffered
(a) by the person or one of a limited group of persons for whose benefit and guidance he intends to supply the information or knows that the recipient intends to supply it; and
(b) through reliance upon it in a transaction that he intends the information to influence or knows that the recipient so intends or in a substantially similar transaction.
Restatement (Second) of Torts Sec. 552.

183. Restatement (Second) of Torts Sec. 552(2)(a); see, e.g., Rosenblum Inc. v. Adler, 461 A.2d 138, 145 (N.J. 1983).

184. Arthur Young & Co., 834 P.2d at 772.

185. See Restatement (Second) of Torts Sec. 552 cmt. a (noting that liability for negligent misstatement is more restricted than for fraudulent misrepresentation).

186. See Lawson & Mattison, supra note 159, at 1310.

187. See, e.g., Howard B. Wiener, Common Law Liability of the Certified Public Accountant for Negligent Misrepresentation, 20 San Diego L. Rev. 233, 250 (1983); Richard D. Holahan, Jr., Note, Security Pacific Business Credit, Inc. v. Peat Marwick Main & Co.: Just in Case You Had Any Doubts There Is No Tort of Negligent Misrepresentation in New York, 13 Pace L. Rev. 763, 771-76 (1993).

188. See, e.g., Victor P. Goldberg, Accountable Accountants: Is Third-Party Liability Necessary?, 17 J. Legal Stud. 295 (1988); Thomas L. Gossman, The Fallacy of Expanding Accountants' Liability, 1988 Colum. Bus. L. Rev. 213; John A. Siliciano, Negligent Accounting and the Limits of Instrumental Tort Reform, 86 Mich. L. Rev. 1929 (1988).

189. See, e.g., Siliciano, supra note 188, at 1944.

190. The picture is somewhat more complicated if Alice's employer obtains the certificate for Alice, since the certificate may have uses within the organization.

191. Restatement (Second) of Torts Sec. 552(2)(b). Arguably these third parties are thus within the limited group of persons for whose benefit and guidance [Alice] intends to supply the information or knows that the recipient intends to supply it, id. Sec. 552(2)(a), even if this limited group is in fact limited only to those with computers.

192. See 9 Speiser, supra note 178, Sec. 32:75, at 370.

193. Ultramares Corp. v. Touche, 174 N.E. 441, 444 (N.Y. 1931).

194. See Lawson & Mattison, supra note 159, at 1319.

195. See supra note 169 and accompanying text.

196. Cf. Holahan, supra note 187. A CA that wanted to take on liability in such a state in order to signal that its certificates were reliable would either have to draft a contract that made its intentions very clear, or it might have to adopt a business model in which Carol does not put Alice's certificate on a web page, and does not make it available to all, but instead provides an automated e-mail credential response service in which Carol meters Alice's usage of the certificate, and perhaps charges accordingly.

197. See supra note 193 and accompanying text.

198. But see supra text at notes 120-21 (discussing proposals to make consumers presumptively liable for all transactions with their digital signature supported by valid certificate).

199. See supra text accompanying notes 133-34 (making the argument that certificate is not a good for UCC purposes).

200. Baum, supra note 22, at 130-31.

201. See supra note 140 and accompanying text.

202. See MacPherson v. Buick Motor Co., 111 N.E. 1050 (N.Y. 1916).

203. Restatement (Second) of Torts Sec. 402A, cmt. i (1977) (discussing definition of "unreasonably dangerous").

204. Prosser, Fall of the Citadel, supra note 166, at 826.

205. See Guido Calabresi, The Cost of Accidents: A Legal and Economic Analysis (1970); Guido Calabresi & Jon T. Hirschoff, Toward a Test for Strict Liability in Torts, 81 Yale L.J. 1055, 1077 (1972).

206. See generally Part I supra.

207. There is also some danger that under a strict liability regime, the fact that Carol was willing to become an insurer for Alice might itself be a signal that Carol was not trustworthy.

208. VeriSign Corp., Secure Server Legal Agreement 3, available online URL http://www.verisign.com/netscape/legal.html.

209. In California, where VeriSign is located, the disclaimer will not work if a certificate is a good because an as is disclaimer or one which disclaims all implied warranties that would otherwise attach to the sale of consumer goods under the provisions of this chapter, Cal. Civ. Code Sec. 1791.3 (West 1985), must be a conspicuous writing . . . attached to the goods. Id. Sec. 1792.4(a). It is unclear how one achieves this for a certificate. For a survey of limits on disclaimers in the U.S. see Donald F. Clifford, Jr., Non-UCC Statutory Provisions Affecting Warranty Disclaimers and Remedies in Sales of Goods, 71 N.C. L. Rev. 1011 (1993).

210. Indeed, one can imagine a court throwing out the disclaimers as unconscionable. See U.C.C. Sec. 2-302; see also id. at cmt. 1 (suggesting courts should strike as unconscionable clauses contrary to public policy or to the dominant purpose of the contract). This section has been applied to many kinds of contracts other than those for goods either by analogy or as an expression of a general doctrine. E. Allan Farnsworth, Contracts Sec. 4.28, at 325 (2d ed. 1990); see also Restatement (Second) of Contracts Sec. 208 (1979); Cal. Civ. Code Sec. 1670.5 (West 1985). Compare Wile v. Southwestern Bell Tel. Co., 549 P.2d 903 (Kan. 1976) (finding disclaimers of liability for error in telephone book not unconscionable) with Allen v. Michigan Bell Tel. Co., 232 N.W.2d 302 (Mich. Ct. App. 1975) (finding disclaimers for errors in telephone book to be unconscionable).

211. VeriSign Corp., supra note 208, at 3.

212. See generally Karl N. Llewellyn, Why We Need the Uniform Commercial Code, 10 U. Fla. L. Rev. 367 (1957).

213. However, the existence of standards such as X.509 imposes significant constraints on CA behavior. For example, to comply with X.509 a CA must uniquely identify itself in a certificate. See Ford, supra note 23, at 12. Failure to produce a certificate that complies with the standard designed into systems that use certificates will result in users rejecting the certificate.

214. These requirements include: having a secure system, trusted personnel, clear certification policies, insurance, a CRL, a certificate from the root CA operated by the state, regular financial audits of its balance sheet, and regular security audits of its computer systems. Utah Code Ann. Sec. 46-3-201, -202, -203, -301, -307.

215. The Utah Act states that a CA which complies with its terms is:

B. not liable in excess of the amount specified in the certificate as its recommended reliance limit for either:

(I) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification authority is required to confirm; or

(II) failure to comply with [rules relating to the proper issuance of a certificate] in issuing the certificate;

C. liable only for direct, compensatory damages in any action to recover a loss due to reliance on the certificate, which damages do not include:

(I) punitive or exemplary damages;

(II) damages for lost profits, savings, or opportunity; or

(III) damages for pain or suffering.

Id. Sec. 46-3-309(2).

216. On the other hand, once the decision to have comprehensive legislation has been made, the case seems overwhelming for reemphasizing that a CA should never be liable for anyone's use of an accurate certificate that the CA had no reason to suspect was no longer accurate even if this is certain to be the common-law result absent legislation.

217. Utah addresses these issues in its administrative rules issued pursuant to Section 104 of the Utah Digital Signature Act. See id. Sec. 46-3-104(3).

218. Henry H. Perritt, Jr., Access to the National Information Infrastructure, 30 Wake Forest L. Rev. 51, 100 (1995). On the other hand, equal public confidence might be achieved by clear legal rules which either impose liability on CAs for their errors or at least make it possible for CAs to signal their confidence in their certificates by undertaking a measured amount of liability.

219. See ABA Draft Guidelines, supra note 4.

220. See generally Froomkin, supra note 21.

221. See generally Ralph K. Winter, Jr., State Law, Shareholder Protection, and the Theory of the Corporation, 6 J. Legal Stud. 251 (1977).

222. The Utah Act allows CAs to take on additional obligations to clients or others if they so desire. Utah Code Ann. Sec. 46-3-302(3).

223. If Alice plans to transact with many people, she will have to trade the expense of the certificate against the likelihood that it will be accepted by those with whom she wishes to transact.

224. One of several obstacles to any system that seeks to count the number of uses of a certificate is that both certificate lists and CRLs are easily copied. If Bob runs a high-volume, low-margin business, in many cases it will be far more efficient for him to copy an entire CRL at random intervals, and take the risk of honoring a revoked certificate from time to time, than to continually contact the CA to check individual certificates.

225. See Utah Code Ann. Sec. 46-3-309.

226. Id., cmt. a, available online URL www.state.ut.us/ccjj/digsig/dsut-act.htm.

227. Netscape 2.01, Options menu, Security Preferences menu, Site Certificates menu; see generally Netscape Handbook: Application Features, available online URL http://home.netscape.com/eng/mozilla/2.01/handbook/docs/appans.html#C37.

228. See supra note 211 and accompanying text.

229. A supporter of legislation would be likely to counter that the process of finding this equilibrium would require enormous amounts of wasteful litigation.

230. Cf. Roberta Romano, Competition for Corporate Charters and the Lesson of Takeover Statutes, 61 Fordham L. Rev. 843 (1993) (discussing competition among states for the business of corporate charters).

231. See supra note 153 and accompanying text.

232. ABA Draft Guidelines, supra note 4. The comment period ended January 15, 1996.

233. In the spirit of full disclosure, I should confess that I am a quondam member of the ABA's Information Security Committee and was involved in drafting parts of the draft Guidelines.