DTI's Secure Electronic Commerce Statement

Peter Lister P.Lister at cranfield.ac.uk
Wed, 29 Apr 1998 12:31:33 +0200 

> Question - However, the statement doesn't define what it means by a user.
> So, focusing on a CA that provides services only to the operating company's
> own employees, not to outside companies trading with it (what we might call
> a 1st party CA not a 2nd or 3rd party CA), is such a CA a user or a service
> provider?  DTI, please clarify what you define a user to be.

And define it very carefully...

I'd *hope* that in supplying encryption services to our own staff and students
(1st party in John's definition) we'd count as a user. But even if this turns
out to be the case, we also collaborate with external companies, and we
regularly have the case that a university resource requires access by such an
external company's representative using a system where we are effectively a CA.

As there is undoubtedly a contract between us and the company, money is
changing hands, and the person involved is definitely not our staff, does that
mean that we become a commercial CA requiring regulation? I'd hope not, because
we're only bothered about protecting our *own* resources, and we're not in any
way offering TTP services for general commerce (3rd party) or anything like
that - even if an "internal CA" is counted as a user for the DTI's purposes -
but this may be a pretty much useless exemption unless this kind of 2nd party
relationship is available.

Indeed, almost *any* secure electronic transaction may effectively end up being
a 2nd party if the definition is poor (e.g. when using a session key). When
research contracts are drawn up, would it be sufficient that a formula could be
inserted to state that any keys signed for access to shared resources do not
count as a commercial TTP service - or would the definition of such a service
be strictly defined in law, rather than in the contract between the 2 parties?

Peter Lister                             Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University    Voice: +44 1234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK        Fax: +44 1234 751814         
---     88.2% of statistics are made up on the spot - Vic Reeves     ---