On Mon, 3 Jan 2000, Dave Del Torto wrote:

> Here the plot thickens: If the only two sigs on the key at CDNOW are
> the key-owner's sig and David's, then the ability of any CDNOW
> customer to trust the key's security is based on David's "trustability
> quotient" as well as the ability of CDNOW to prevent spoofing of its
> webpages. Giving CDNOW the benefit of the doubt in this case, this
> means that David has become the de facto PGP Certificate Authority for
> CDNOW, which implies more liability than he's probably willing to take
> on personally, so it may be that he's a CDNOW employee and therefore
> has some legal protections (one hopes it's in his contract).

Does it? I'm skeptical as to whether there's ever been a strong legal
opinion written on this matter, so it's unclear what a court would say if
someone tried to sue someone else whose PGP signature they relied on. I
would hope that a court would rule that with the absence of clear legal
wording in a 'signature' which is really just a technical artifact, it
should be treated as rumor.

Lack of clear legal meaning is a definite weakness of current public key
systems. It may seem boring and tedious to work out detailed legal
meanings of what all the public key technical artifacts mean, but unless
those artifacts refer to specific meanings themselves, a court will make
them up later, and will probably make them up in a way which the original
authors (meaning you) aren't happy with.

-Bram
