On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the Information Society
Abstract
It has been conventional wisdom that, for e-commerce to fulfill its potential, each party to a transaction must be confident in the identity of the others.
This is the law for commerce, except for cash transactions of non-controlled goods. Firearm sales usually require proof of identity (at least) even for a cash transaction.
That's a matter of state law - Federal law doesn't (yet) regulate firearm transactions between two residents of the same state where neither is licensed federally as a firearms dealer, so long as the firearms themselves aren't specially controlled (like Class 3 full-auto weapons, or short-barreled rifles/shotguns, etc).
Nevertheless, the main point above is wrong, too - commercial law certainly does NOT require parties to be confident about the identity of counterparties. In most circumstances, identity is irrelevant; and even in disputed transactions, it's very rare that identity becomes crucial. Further, the identity of counterparties isn't fixed or decided at the time a contract is formed - one or more of the participants may later want to correct, amend, or restate the contractual listing of the parties, to include or exclude parties who are thought to have greater or fewer assets, or greater or lesser culpability, in order to enhance their chances for successful litigation.
There's a persistent superstition among technologists who do ecommerce work that knowing someone's identity is necessary or sufficient to successfully litigate against them - neither side of that assumption is true. It can be the hardest thing in the world to successfully serve a summons and complaint on a well-known party - cf. the litigation against the Scientology head, whose name escapes me at the moment. On the other hand, big companies angry about message-board postings have been filing complaints very successfully against unknown (or pseudonymously named) entities, much to the aggravation of people who believe that their marginally greater understanding of technology makes them somehow unreachable or unaccountable.
Even assuming that someone is successfully served with a complaint, that's a long way from winning a lawsuit, which is a long way from collecting on a judgement.
Traditional non-legal means of enforcing contracts - like adding the person to a blacklist of "naughty debtors" - don't depend on any sort of proof of identity or proof that a contract ever existed, or was breached - it's easy (if you're a commercial entity of at least moderate size) to add people you believe owe you money to the credit reporting agencies' databases, whether your target is an individual or a business. The reporting agencies require no proof at all - they'll accept the creditors' representations about the alleged debt, and proceed from there.
Identity - and complicated theoretical proofs of identity - are not especially important in commercial law or litigation. It's relatively easy to follow the paths of money and/or goods in commercial transactions - and where it's not, the likelihood of recovery is slim even if the counterparty is well-identified, so litigation is unlikely.
Identity does have the advantage of being a very familiar idea, so it's easy to generate and keep certificates about it, which give counterparties a nice warm feeling that they're doing something about the risks they face in a transaction. That feeling is unrelated to what's actually happening, but it does serve to lubricate the wheels of commerce.
--
Greg Broiles
gbroiles@netbox.com
PO Box 897
Oakland CA 94604