EU Draft Digital Signature Directive
Brian Gladman
gladman at seven77.demon.co.uk
Thu, 20 Aug 1998 11:42:24 +0100
Clare Wardle <Clare.Wardle@postoffice.co.uk> wrote:
>At the risk of joining Nigel in the pillory............
>
>Quite a few contributors to this group as well as others have said there
>is no reason to have a public directory at all because everyone only wants
>to talk to their friends - now someone has noticed that it might be handy to
>have a method of checking whether the travel agent you are thinking of
>buying a holiday from exists, and being able to look him up in a public
>directory would be quite useful too......I think it's quite fair for Nigel
>to have his little jokule.
Maybe I am missing the point but I don't think the real issue has ever been
about directories per se - most people accept the need for distribution of
public keys via directories etc. - what they question is whether it is
necessary, desirable or useful to have third parties to certify the
properties of the public components of public/private key pairs.
Banks are often used as an example to justify the concept of trusted third
parties but in my view this is misleading. Banks do not establish three
party relationships - they simply provide a way of linking a series of two
party relationships - customer-bank, bank-bank and bank-customer in order to
transfer money between two parties that may never ever know or meet each
other (I am considering here the relationships between private citizens and
their banks rather than business-bank relationships).
As a customer of a bank I have no trust relationship with anyone other than
my bank - I put money into my account and I allow my bank to draw on this
money to settle debts that they attribute to me. If I want a digital
signature to operate my account I will get this from my bank and I would be
very surprised if they were to tell me to go down the road and get this from
some third party (if they did I would change my bank).
Equally, since it is my money, over which I have ultimate authority, I would
expect any keys that my bank uses to access my account to be digitally
signed by me using my own self certified signature key - that is I expect my
bank to trust my digital signature in exactly the same way that they trust
my written one - if they insisted that I go off and get it certified by some
third party I would again change my bank. There has to be a certain amount
of trust in this ***two party*** relationship but neither I nor my bank
needs or wants a third party involved in this part of the process (and I
have checked this out with senior staff of my bank).
So TTP CAs are probably not necessary for most things but are they desirable
or useful? In answering these questions we move to opinions more than fact
and this is why we see such a large variation, with some seeing them as a
'waste of time' and others seeing them as essential to our future. I
suspect that reality lies somewhere between these two extremes. In my
opinion there are a few possibly valid TTP CA functions but these are small
in number and I cannot see them justifying a significant TTP market in the
foreseeable future. In my view Electronic Commerce will be based on strong
two party trust relationships rather than genuine three party ones. Quite
apart from security concerns the problems involved in namespaces will
dictate that this is so.
I am hence doubtful that third party CAs will become desirable very quickly
and I also doubt that they will become useful very soon either because we
don't yet have the technology (or the practical experience) needed to
operate them securely. And I don't think this is 'round the corner' either.
In contrast, the two party CA functionality that my bank and I can use to
operate my electronic bank account can work in a closed network environment
that is not subject to the essentially unlimited threats faced by a TTP
operating on the Internet (note that my bank account can operate on the
Internet without the supporting CA functions also residing here). So I see
CA functionality in support of two party relationships (and operated by one
of these two parties) as being where the serious digital signature work will
be done in the immediate future.
>I don't agree with Nick Bohm that there is a problem with appropriate
>technology (and services) being available to consumers - by the time this
>directive comes into force (a couple of years off minimum) there will be.
>Whether any signature should be totally non-repudiable under any
>circumstances is another question.
Without wishing to offend, I do not share your confidence - where will this
technology come from? I don't see it now and I see nothing round the corner
that gives me reason for optimism. This could, just possibly, be achieved
using high grade hardware and, if there was an international market of
sufficient scale to justify the investment, this could probably be delivered
at an economic cost. However, export controls ensure that no such market
exists and we can be sure that anything that is 'approved by government' for
our use will have been subject to the well known forms of 'manipulation'
that will undermine any possible trust that we might have in it.
Without the heavy hand of governments I would be inclined to agree that
market pressures would lead to technological solutions in the medium term
but governments are determined to interfere so I think we can safely
discount the prospects for effective solutions even in these time scales.
I am sorry for the length of this posting but I feel that the politics of
TTPs and CAs has obscured the many important issues involved in the
practical introduction and use of digital signature technologies. I feel
that we now need an open conference on such issues (NOT one of those
overpriced and overhyped '£500 a day' commercial events) that moves away
from the politics and takes an honest look at the strengths and weaknesses
of this technology and the sorts of applications where it will provide
benefits for society and those where it will not.
There is too much politics and too little reality in the whole digital
signature field and we are rushing into legislation, directives etc. without
having the practical experience or understanding of this technology that is
so essential for effective deployment (and legislation).
So are there any companies or organisations on the list who would be
prepared to sponsor such a conference?
Brian