CDR: Re: Public Key Infrastructure: An Artifact...

Thu Nov 16 16:28:50 PST 2000

On Thu, Nov 16, 2000 at 03:53:28PM -0800, Ed Gerck wrote:
> > http://www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html
> >
> > Public Key Infrastructure: An Artifact Ill-Fitted to the Needs of the
> > Information Society
> >
> > Abstract
> >
> > It has been conventional wisdom that, for e-commerce to fulfill its
> > potential, each party to a transaction must be confident in the identity of
> > the others.
> 
> This is the law for commerce, except for cash transactions of non-controlled
> goods. Firearm sales usually require proof of identity (at least) even for a
> cash transaction.

That's a matter of state law - Federal law doesn't (yet) regulate firearm
transactions between two residents of the same state where neither is
licensed federally as a firearms dealer, so long as the firearms themselves
aren't specially controlled (like Class 3 full-auto weapons, or short-
barreled rifles/shotguns, etc). 

Nevertheless, the main point above is wrong, too - commercial law certainly
does NOT require parties to be confident about the identity of counterparties.
In most circumstances, identity is irrelevant; and even in disputed 
transactions, it's very rare that identity becomes crucial. Further, the
identity of counterparties isn't fixed or decided at the time a contract is
formed - one or more of the participants may later want to correct, amend,
or restate the contractual listing of the parties, to include or exclude
parties who are thought to have greater or fewer assets, or greater or
lesser culpability, in order to enhance their chances for successful
litigation. 

There's a persistent superstition among technologists who do ecommerce
work that knowing someone's identity is necessary or sufficient to 
successfully litigate against them - neither side of that assumption is
true. It can be the hardest thing in the world to successfully serve 
a summons and complain on a well-known party - cf. the ligitation against
the Scientology head, whose name escapes me at the moment. On the other
hand, big companies angry about message-board postings have been filing
complaints very successfully against unknown (or pseudonymously named)
entities, much to the aggravation of people who believe that their 
marginally greater understanding of technology makes them somehow 
unreachable or unaccountable.

Even assuming that someone is successfully served with a complaint, 
that's a long way from winning a lawsuit, which is a long way from
collecting on a judgement.

Traditional non-legal means of enforcing contracts - like adding the
person to a blacklist of "naughty debtors" doesn't depend on any
sort of proof of identity or proof that a contract ever existed, or
was breached - it's easy (if you're a commercial entity of at least
moderate size) to add people you believe owe you money to the credit
reporting agencies' databases, whether your target is an individual or
a business. The reporting agencies require no proof at all - they'll
accept the creditors' representations about the alleged debt, and
proceed from there. 

Identity - and complicated theoretical proofs of identity - are
not especially important in commercial law or litigation. It's relatively
easy to follow the paths of money and/or goods in commercial 
transactions - and where it's not, the likelihood of recovery is
slim even if the counterparty is well-identified, so litigation
is unlikely. 

Identity does have the advantage of being a very familiar idea, so
it's easy to generate and keep certificates about it, which give
counterparties a nice warm feeling that they're doing something
about the risks they face in a transaction. That feeling is 
unrelated to what's actually happening, but it does serve to lubricate
the wheels of commerce.

--
Greg Broiles gbroiles at netbox.com
PO Box 897
Oakland CA 94604