Lie in X.BlaBla...

Greg Broiles gbroiles at well.com
Sun Jun 3 14:00:31 EDT 2001


At 08:53 PM 6/2/2001 -0700, jamesd at echeque.com wrote:
> > No server will ever fall afoul of the law, because servers aren't subject
> > to criminal liability. A person or an organization might fall afoul of the
> > law if they use a certificate server in a fraudulent way.
>
>The law defines the ordinary use of certificate servers as 
>fraudulent.  Yet another law making felons of us all.

It does no such thing. The law criminalizes the following -

(1) Knowingly misrepresenting one's identity or authorization to obtain a 
certificate which refers to a private key for creating signatures (Sec. 1(1))

(2) Knowingly forging a digital signature (Sec. 1(2)), which means -
         (a) creating a digital signature without the authorization of the 
rightful holder of the private key
         (b) creating a digital signature verifiable by a certificate 
listing as a subscriber a person who -
                 (i) does not exist
                 (ii) does not hold the private key corresponding to the 
public key listed in the certificate
         (RCW 19.34.020 (16))

(3) Knowingly presenting a certificate for which you are not the owner of the 
corresponding private key, IN ORDER TO OBTAIN UNAUTHORIZED ACCESS TO 
INFORMATION OR ENGAGE IN AN UNAUTHORIZED TRANSACTION. (Sec. 1(3), emphasis 
added because it's apparently common to stop reading halfway through that 
sentence)

Which of the above do you consider "ordinary"?

Which of those "makes felons of us all?"

I've been using PKI-based technology for a little over 8 years now, if I 
remember correctly, and can't remember ever needing to do any of (1)-(3) above.

Let's not turn this into another one of those "Postal service will charge 
$.25 per email! Write your senator!" net legends, ok?

I don't think the new law is necessary - it's basically a retread of 
existing fraud and computer misuse statutes - but I don't think it 
criminalizes anything that wasn't criminal before. I haven't spent a lot of 
time crawling through Washington's criminal code - nor criminal courts, 
where the rubber meets the road - so I don't know if the "felony" status 
for this is new, or meaningful, or exemplary - it sounds like overkill, to 
my ears, but so does much of what comes out of our federal and state 
legislatures so I've stopped thinking that's remarkable.

>I knowingly present certificates that are not my own all the time.

In order to obtain unauthorized access to information or engage in 
unauthorized transactions?

I knowingly use firearms and automobiles all the time, too - but I don't 
worry overmuch about laws which criminalize their misuse, because I'm not 
misusing them.

If your fear is that the "unauthorized" word is susceptible to later 
re-interpretation (as a factual matter, not as a legal matter - e.g., 
retroactively revoked permissions) - I agree that's a difficult issue, but 
this law doesn't modify an existing danger, because Washington has already 
criminalized (as a felony, in some cases) "gaining access" to a computer 
owned by another person "without authorization". (RCW 9A.52.110) I also 
note that inducing another to sign a written instrument under false 
pretenses is already a felony. (RCW 9A.60.030).

>In my observation, the way the law works is that they make a law that 
>criminalizes as many people as they can get away with, a dragnet law to 
>define the largest possible number of people as felons, and then they 
>apply that law only to certain people they do not like, and at first do 
>not apply the law to the vast majority of people who routinely break it.

I agree that this happens, and that it's bad, but this statute is too 
narrowly drawn to be much use in furtherance of that project.

>Obviously the intent is only to apply this law to pimply faced hackers, 
>just as the original intent of the drug laws was to apply only to blacks, 
>but eventually it will be applied to people like you and me.

If the ". . . in order to obtain unauthorized access" language wasn't in 
section (3), I'd agree with you. But it's there, so I don't think this law 
presents a special danger, beyond the fact that it's referring to a new 
technology that's not necessarily well understood. I'd have preferred that 
the WA legislature wait another 5 or 10 years to see what turns out to be a 
real problem and what doesn't - but apparently they weren't inclined to. 
They've already got a statutory scheme at RCW 19.34 regarding certificate 
authorities and digital signatures; it doesn't seem surprising that they 
thought it was appropriate to use criminal law to address misuse of or 
within that framework.


--
Greg Broiles
gbroiles at well.com
"Organized crime is the price we pay for organization." -- Raymond Chandler




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com