DTI's Secure Electronic Commerce Statement
Dr John Leach
leach at eu.tis.com
Wed, 29 Apr 1998 08:34:00 +0100
So after a reasonably careful reading of the 27th April statement from
Barbara Roche at the DTI, it looks to me that paragraphs 11, 12 and 14 are
the key ones. Between them they say, so far as I can see:
1. The government intends to differentiate between the way it treats
digital signature services and encryption services;
2. Licensing applies only to service providers (TTPs, CAs and KRAs), not
to users;
Question - However, the statement doesn't define what it means by a user.
So, focusing on a CA that provides services only to the operating company's
own employees, not to outside companies trading with it (what we might call
a 1st party CA, not a 2nd or 3rd party CA), is such a CA a user or a service
provider? DTI, please clarify what you define a user to be.
3. For digital signature services, it is clear that licensing will NOT be
mandatory. Those service providers that are licensed should, by virtue of
being licensed, be in a position to offer certificates that support digital
signatures that can be recognised as equivalent in force to handwritten
signatures. Any key recovery or warranted access to private keys will
explicitly NOT apply to keys used solely for digital signatures;
(Therefore should we not expect to see the development of more products
that allow us to use different keys for digital signatures and encryption
functions? I would say we should, and I would also say that that would be
good security practice and should be encouraged.)
Question - The statement seems to imply that the future legislation on the
recognition of digital signatures will require the CA/TTP to be licensed
before the signature will be recognised as having force in law. DTI, what
is your intention here?
4. For encryption services, it is also clear that licensing will NOT be
mandatory. However, licensing will be "encouraged". The use of particular
technologies or products will NOT be required;
Question - DTI, do you have anything particular in mind when you use the
word "encouraged"?
5. If a provider of encryption services chooses to become licensed, it
WILL be required to support key recovery ("to make recovery of keys ...
possible through suitable storage arrangements").
6. If a provider of encryption services holds decryption key information
as part of the service it provides, it will be required to recognise a
warrant that the LEAs (law enforcement agencies) might serve for GAK
(government access to keys). This would apply to licensed AND unlicensed
service providers.
Question - The statement appears to leave open the option that a provider
of encryption services might choose not to become licensed AND might choose
not to store decryption keys as part of its service (sounds to me like a
perfectly reasonable course for a service provider to take). The statement
implies that such a service provider would suffer no penalty by not being
able to honour an LEA's GAK warrant. DTI, is this your intention?
7. Such a GAK warrant would also be servable on users, not just on service
providers. Again, as users will not fall under the licensing scheme, it
appears to leave open the option that a user might choose not to store
decryption keys in a readily recoverable form and might then not be able to
honour the GAK warrant. For example, the decryption key might be stored
encrypted under a PGP pass phrase which the user would not have written
down anywhere in a form the LEA could seize. In such cases, the LEA would
no doubt seize the PC and hope to find a decrypted version of the encrypted
information elsewhere on the hard disk. Again, this is obscured a little
bit by the lack of definition as to what is a user and what a service
provider.
Question - and to my mind this is the most important one at this stage -
will it be possible for a service provider to become licensed for the
digital signature services it offers but to remain unlicensed for the
encryption services it offers? This is not touched on in the text of the
statement (and I have checked the text carefully to see if it is implied by
any of the wording, and I think the wording is neutral on this point) other
than where, in an early paragraph, the statement says "there is now a clear
policy differentiation between digital signatures and encryption". It does
not say if this policy differentiation extends to the separate licensing of
digital signature services and encryption services. If that separation is
permitted, that would allow a service provider to become licensed for its
digital signature services (and hence gain for its users the benefits of
recognised digital signatures) but remain unlicensed for its encryption
services (and hence gain for its users the freedom from GAK - provided it
did not store the users' decryption keys). If that licence separation is
not allowed, then the benefits of recognised digital signatures would be
the carrot to induce the service providers to provide support for GAK.
Then the claimed policy differentiation would turn out to be rather
limited. So, please, would the DTI clarify its intentions on this key
question?
John Leach
__________________________________________________________________________
Dr John Leach
leach@eu.tis.com
Trusted Information Systems (UK) Ltd.
8 Commerce Park
Theale
Berkshire RG7 4AB
ENGLAND

Office : +44 (0)118 930 4413
Fax : +44 (0)118 930 4412
GSM : +44 (0)467 417 694
Home Office : +44 (0)1264 332 477
Web : <http://www.tis.com>
PGP DH/DSS 2049/1024 public key ID: 0x6B5C E297.
Fingerprint: EF36 683B ... 6B5C E297
__________________________________________________________________________