Legislating for the Long Term?
Richard Clayton
richard at turnpike.com
Tue, 10 Mar 1998 12:52:51 +0000
In article <3.0.5.32.19980309224539.00e5ba50@mail.netkonect.co.uk>,
Nicholas Bohm <nbohm@ernest.net> writes
>What the points about quantum computing make clear (again) is how radically
>the relevant landscape can change. There is a lesson here for legislators,
>which is the futility of building castles in the air.
>
>What we need are the small, quick legislative tweaks that will help
>electronic commerce get itself established, not elaborate underpinnings for
>elaborate infrastructures that will become out of date before anyone has
>decided who might build what on top (and meanwhile make the whole
>enterprise seem far more difficult than it really is).

I wonder if there is any consensus on what these "quick legislative
tweaks" might be.

There is fairly overwhelming rejection of "key escrow" in this community
- but I also detect in the various submissions to the DTI made last year
(and I am as guilty as anyone) a sense of "hoorah for raising the
subject, something must be done" but, [in most cases] "however, this is
not an acceptable thing to do".

In the intervening year I've thought, and read, a lot more about the
nature of identity and how we, as individuals, and in business, deal
with strangers all the time, with limited amounts of knowledge of
identity. We only take specific measures, dating back to Victorian times
or even longer, to deal with the natural lack of trust when the sums
involved become non-trivial.

I am starting to wonder whether the signing of keys by statutory bodies,
even with no escrow in sight, is really a substantial benefit. Do we
really need to know _exactly_ who we're ordering our online books from ?
If they turn up in the post that will be good enough for most of us, and
if not, is a signed key going to get us our money back ?

I think almost everyone believes that encryption is going to be a vital
part of using the Internet for commerce, its open nature being otherwise
a problem -- phonecalls or postal services which stay within the borders
of Western democracies have, in general, avoided the need for security;
though registered post and the courier are still important day-to-day
features of commercial life. The Internet is somehow different, though
I think there's a certain amount of fear of the unknown in many people's
reactions, rather than an exact assessment of the risks.

If one does accept that we need encryption to be more widely deployed
than just "secure web sites" (a misnomer since the conversations are
secure and the machines often are not!), the question then arises - is
it lack of key signing which is holding back encryption ? is it the lack
of standards ? is it the lack of usable software ? I'd suggest that the last
of these was by far the most important practical issue.

It's hard to see how any legal changes in one small island are going to
make any difference to this (notwithstanding the export of InvisiMail
from New Zealand and/or the Isle of Man).

But this is special pleading... being a software builder I tend to see
the problem as a software problem. The lawyers seem to see the problem
as a tightly legal one (we need a law for digital signatures... but do
we ? wouldn't a precedent do just as well ? and more flexibly). The
people who want to run TTPs see the problem as being a need for laws to
make them look like essential services.... (pay us more money, we're
licensed by the DTI).

I wonder about "legislative tweaks". Are there areas where we actually
need the law changed ? or can we all build the systems and services we
need in the current framework ? I think what I am asking would be 'Is
there actually anything "broken" to "fix" ?'

A year ago I thought that addressing the issues was a good idea... but
I'm coming around to a view that I would welcome a DTI announcement that
they were going to forget about legislation, but that nevertheless they
thought encryption was a "jolly good thing". ie doing almost nothing
might be best.

If I'm wrong then please explain, and I'll change my mind again :)

--
richard richard.clayton @ T U R N P I K E .com
http://www.demon.net/news/features/crypto/ for Demon's views on crypto
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM