Lie in X.BlaBla...
gbroiles at well.com
Sun Jun 3 14:00:31 EDT 2001
At 08:53 PM 6/2/2001 -0700, jamesd at echeque.com wrote:
> > No server will ever fall afoul of the law, because servers aren't subject
> > to criminal liability. A person or an organization might fall afoul of the
> > law if they use a certificate server in a fraudulent way.
>The law defines the ordinary use of certificate servers as
>fraudulent. Yet another law making felons of us all.
It does no such thing. The law criminalizes the following -
(1) Knowingly misrepresenting one's identity or authorization to obtain a
certificate which refers to a private key for creating signatures (Sec. 1(1))
(2) Knowingly forge a digital signature (Sec. 1(2)), which means -
    (a) creating a digital signature without the authorization of the
        rightful holder of the private key
    (b) creating a digital signature verifiable by a certificate
        listing as a subscriber a person who -
        (i) does not exist
        (ii) does not hold the private key corresponding to the
             public key listed in the certificate
    (RCW 19.34.020 (16))
(3) Knowingly present a certificate for which you are not the owner of the
corresponding private key, IN ORDER TO OBTAIN UNAUTHORIZED ACCESS TO
INFORMATION OR ENGAGE IN AN UNAUTHORIZED TRANSACTION. (Sec. 1(3), emphasis
added because it's apparently common to stop reading halfway through that
Which of the above do you consider "ordinary"?
Which of those "makes felons of us all?"
I've been using PKI-based technology for a little over 8 years now, if I
remember correctly, and can't remember ever needing to do any of (1)-(3) above.
Let's not turn this into another one of those "Postal service will charge
$.25 per email! Write your senator!" net legends, ok?
I don't think the new law is necessary - it's basically a retread of
existing fraud and computer misuse statutes - but I don't think it
criminalizes anything that wasn't criminal before. I haven't spent a lot of
time crawling through Washington's criminal code - nor criminal courts,
where the rubber meets the road - so I don't know if the "felony" status
for this is new, or meaningful, or exemplary - it sounds like overkill, to
my ears, but so does much of what comes out of our federal and state
legislatures so I've stopped thinking that's remarkable.
>I knowingly present certificates that are not my own all the time.
In order to obtain unauthorized access to information or engage in
I knowingly use firearms and automobiles all the time, too - but I don't
worry overmuch about laws which criminalize their misuse, because I'm not
If your fear is that the "unauthorized" word is susceptible to later
re-interpretation (as a factual matter, not as a legal matter - e.g.,
retroactively revoked permissions) - I agree that's a difficult issue, but
this law doesn't modify an existing danger, because Washington has already
criminalized (as a felony, in some cases) "gaining access" to a computer
owned by another person "without authorization". (RCW 9A.52.110) I also
note that inducing another to sign a written instrument under false
pretenses is already a felony. (RCW 9A.60.030).
>In my observation, the way the law works is that they make a law that
>criminalizes as many people as they can get away with, a dragnet law to
>define the largest possible number of people as felons, and then they
>apply that law only to certain people they do not like, and at first do
>not apply the law to the vast majority of people who routinely break it.
I agree that this happens, and that it's bad, but this statute is too
narrowly drawn to be much use in furtherance of that project.
>Obviously the intent is only to apply this law to pimply faced hackers,
>just as the original intent of the drug laws was to apply only to blacks,
>but eventually it will be applied to people like you and me.
If the " . . in order to obtain unauthorized access" language wasn't in
section (3), I'd agree with you. But it's there, so I don't think this law
presents a special danger, beyond the fact that it's referring to a new
technology that's not necessarily well understood. I'd have preferred that
the WA legislature wait another 5 or 10 years to see what turns out to be a
real problem and what doesn't - but apparently they weren't inclined to.
They've already got a statutory scheme at RCW 19.34 regarding certificate
authorities and digital signatures; it doesn't seem surprising that they
thought it was appropriate to use criminal law to address misuse of or
within that framework.
gbroiles at well.com
"Organized crime is the price we pay for organization." -- Raymond Chandler