4 July 1997


1 July 1997, American Banker:

Comment/ Digital Certification/ New Wrinkles in Managing Risk

By Thomas P. Vartanian, Fried, Frank, Harris, Shriver & Jacobson

The move toward electronic commerce forces bankers to confront entirely new issues and questions. One being posed by corporate customers concerns a bank's ability to certify that an electronic signature in fact belongs to the party using it.

While banks are currently considering the revenue potential in being certifying authorities, or CAs, they must be equally focused on the legal liabilities that come with CA responsibilities.

Acting as a CA for an important corporate customer engaged in electronic contracting may, at first blush, be an acceptable and possibly profitable accommodation to that customer. But the request takes on an entirely different light when the potential CA realizes that it is likely to be sued by its customer if the electronic transaction is not completed because of some problem with the electronic signature that it has certified.

Sixteen states have enacted electronic signature laws that permit the use of some form of digital certification in some range of electronic transactions. The principal thrust of these laws is to ensure that an electronic signature satisfies legal requirements that contracts be in writing and "signed."

But buyers and sellers wishing to transact business electronically will also need some way to authenticate their identities and warrant the integrity of messages transmitted through cyberspace. A solution could be to turn to trusted third parties to certify digital signatures and to escrow the encryption keys from which such electronic signatures will be calculated.

While various nonbank entities act or seek to act as CAs, entities that have a reputation for financial capacity and trustworthiness, such as banks, may be a natural choice to provide the service.

An electronic signature involves the creation of a unique electronic thumbprint for an electronic message by scrambling its text through the application of cryptography. At its most basic level, cryptography works in the same way that Commander Cody coder-decoder rings of the 1950s did.

Each symbol in a message was represented by a number derived from the application of a secret formula. The formulas and numbers make the messages difficult to decrypt. By assigning numbers in sequence to each letter of the alphabet, for example, starting with "A" equals 1, "Hi Mom" could be expressed as 0809131513.

Coding becomes even more complicated with asymmetrical public key cryptography. Using complex algorithms, two sister encryption keys, a public key and a private key, are created. Both keys would be required to encrypt and subsequently decipher a message, but only one key would be publicly available.

The second, private key would not be determinable through mathematical manipulation of the public key. Thus, if only the recipient of the message possesses the complementary piece of the key or keys used to encrypt a message, he or she can decipher it and, in so doing, verify both the authenticity of the message and the identity of its sender.

The application of asymmetrical keys to a message becomes a digital signature unique to the sender.

Public key encryption is quite complex, but for illustrative purposes, it may be simplified in the following manner. Assume that Tom's message to his Mom may be reduced through the application of cryptography to a single number: 42. Assume further that Tom's digital signature, which has been certified by a CA, is represented as follows: private key = 73; public key = 27.

When the message (42) is encrypted with the private key (73), it becomes Tom's digitally signed message: 115. To decrypt the message (115), Mom would open the electronic envelope by applying Tom's public key (27) to the message (115 + 27 = 142).

Then, by removing the total of both keys (100), Mom is left with 42. Because that matches the original message, Mom knows it has not been altered and was sent by Tom.

Some states, such as Utah, have enacted detailed digital signature laws that provide for state-sanctioned licensing of CAs. Others have taken a more informal approach that simply grants a digital signature the legal status of a written signature under state law.

The latter type of law allows the marketplace to construct an acceptable set of rules regarding how digital signatures will be issued, authenticated, used, and proven in a court of law. Some states also try to deal with the issue of liability for failed electronic transactions, but others do not.

Should banks certify digital signatures? Certainly they seem qualified to do so, but the issuance of such certificates is not without risk.

While different types and degrees of certificates may be issued, depending on the nature of the transaction and the degree of certainty that the parties seek, numerous questions remain unanswered about how the financial risks of a failed electronic transaction would be allocated.

Such failures may be the result of, among other things, negligence, fraud, or innocent operational defects. If one party suffers a financial loss, it is likely to seek to hold other parties liable, as having been more responsible than it for the failure.

For example, Bank A as a CA might issue a certificate to verify that the digital signature created by the application of particular private and public keys is indeed exclusive to Purchaser B. B proceeds to contract for the electronic delivery of $2 million worth of patents from C, whose digital signature has been certificated by Bank D.

As CAs, Banks A and D would function as trusted third parties whose certificates would guarantee the identities of B and C to each other and verify the sales contract, authorization, and payment messages.

Several things could go wrong. One digital signature might have been (1) fraudulently issued or used, (2) mistakenly certified, (3) altered after being certified, (4) invalid but not reported as such by the CA, (5) malfunctioning, or (6) used by unauthorized parties in a transaction that was not authorized or in which it was not intended to be used.

In any of these situations, the certificate could fail to perform its function and permit a transaction to be fraudulently consummated or simply misrouted. In either event, one party may incur a loss and try to repudiate or reverse the transaction and seek compensatory and consequential damages. At that point, the responsibility for the loss attributable to this transaction would have to be sorted out.
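The checks a relying party would run before trusting a certified signature, as an added example that is not part of the original article: it carries the simplified arithmetic above through to textbook RSA and covers three of the listed failures (a certificate altered after being certified, a certificate the CA has reported as invalid, and a message altered or signed by someone else). The key sizes, the serial number, the revocation set and all function names are assumptions constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both constructed key pairs

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from Mersenne primes: far too small and too
# structured for real use, chosen only so the example runs offline.
CA_N, CA_D = keypair(2**107 - 1, 2**127 - 1)   # the bank acting as CA
TOM_N, TOM_D = keypair(2**61 - 1, 2**89 - 1)   # the certified customer

def digest(data: bytes, n: int) -> int:
    """Reduce data to a single number below n (the article's '42')."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    """Signer applies the private exponent d to the digest."""
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, n: int) -> bool:
    """Verifier applies the public exponent and compares with a fresh digest."""
    return pow(sig, E, n) == digest(data, n)

def cert_body(cert: dict) -> bytes:
    """The exact bytes the CA signs: serial, name and public key."""
    return f"{cert['serial']}|{cert['name']}|{cert['n']}".encode()

def issue_certificate(name: str, subject_n: int, serial: int) -> dict:
    """CA signs the binding between a name and a public key."""
    cert = {"serial": serial, "name": name, "n": subject_n}
    cert["ca_sig"] = sign(cert_body(cert), CA_N, CA_D)
    return cert

def accept(message: bytes, sig: int, cert: dict, revoked: set) -> str:
    """Relying-party checks; returns 'ok' or the first reason for refusal."""
    if not verify(cert_body(cert), cert["ca_sig"], CA_N):
        return "certificate altered or not issued by this CA"
    if cert["serial"] in revoked:
        return "certificate revoked"
    if not verify(message, sig, cert["n"]):
        return "message altered or not signed by certificate holder"
    return "ok"

# Constructed sample data.
CERT = issue_certificate("Tom", TOM_N, serial=1001)
MESSAGE = b"Hi Mom"
SIGNATURE = sign(MESSAGE, TOM_N, TOM_D)
```

Each refusal string maps to a different party's conduct, which is the record a later dispute over responsibility would turn on.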

Since the only reason that a certificate would have been sought was to avoid the kind of disaster that ultimately occurred, the parties to the transaction might seek to impose liability on the CA.

__________

Mr. Vartanian is managing partner of the Washington office of the New York law firm Fried, Frank, Harris, Shriver & Jacobson, and head of its financial institutions transactions practice.


Thanks to ptharrison <ptharrison@delphi.com> and Robert Hettinga <rah@shipwright.com>