more words on electronic commerce vs. PKIs

Carl Ellison cme at cybercash.com
Tue, 28 Apr 1998 10:51:18 -0400 

-----BEGIN PGP SIGNED MESSAGE-----

If one defines "Infrastructure" loosely enough, then it is clear that if 
public keys are used in support of electronic commerce, there is some PKI.  
However, the claim that is often made is that electronic commerce needs only 
a PKI and then it will flourish -- where that PKI provides (name,key) 
certificates via a hierarchy of CAs.  Since credit cards, electronic 
checking and EDI clearly don't need such a PKI, the proponents of the PKI 
fall back on the idea of electronically signed contracts.

Digital signatures backed up by contracts on paper cover almost the entire 
monetary volume of electronic commerce, now and in the foreseeable future.  
For example, I signed up for my AMEX card with a paper contract decades ago 
and have been happily using that card for electronic commerce with no 
further contract requirement.

However, when one considers heavier contracts (e.g., the purchase of a home 
or the establishment of a major business relationship), it is clear that the 
signing of a contract needs to be backed up by knowledge on the part of each 
party about the other party.  If the parties are unknown to each other, this 
knowledge must come from some third sources.  One has to trust those 
sources, but that does not mean that these become TTPs, in the sense the DTI 
uses that term.

Specifically, the knowledge one must have about the other party is not that 
party's name (which is the thing CA proponents offer to provide, and loosely 
at that).  Rather, one needs to know the characteristics of the other party 
in order to make a judgement about the party's fitness to fulfill the 
contract.  This doesn't come from a (name,key) CA.  It calls for a different 
kind of infrastructure -- one not even mentioned in legislative proposals.

The flaw here (and pardon me if you've heard this too often) is that at the 
scale we're dealing with on the Internet, names no longer function as 
identifiers.  In a small community, if you knew someone's name, you knew 
what person was being identified and you knew things about that person -- 
e.g., fitness to enter into a contract.  (For example, would you sell a 
house to a 7 year old?  ..to a vagrant?)  The Internet is not a small 
community.  In this large community, names no longer call to mind the 
identified person (since you've probably never met that person) and 
names don't give you access to the information you need in order to
make your contract decision.

That information base you need, in order to decide to enter into a contract, 
could conceivably be computerized and put on the web, accessed by some 
distinguished name.  However, that process would almost certainly violate EC 
privacy directives.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNUXs5RN3Wx8QwqUtAQFILQP9HCDyptXyaXo6ljKbYeXCc/5fNyXvbww/
IQjyf4B2fz2kYdhSfexCLbkXypJUc0TYEVqS36+5b1GxHaaBNn+uZtrjtOMVEpjc
GiqDvEWZf2n//EF//W6Swv47MG7PaP0Az8FQCfCjmGQ8vuCLTq9kFxnFj1gLXI47
AEemxbqr44A=
=WzH6
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+