Legislating for the Long Term?

Tue, 10 Mar 1998 17:20:41 -0000

Richard Claydon wrote:

>In article <3.0.5.32.19980309224539.00e5ba50@mail.netkonect.co.uk>,
>Nicholas Bohm <nbohm@ernest.net> writes
>
>>What the points about quantum computing make clear (again) is how
radically
>>the relevant landscape can change.  There is a lesson here for
legislators,
>>which is the futility of building castles in the air.
>>
>>What we need are the small, quick legislative tweaks that will help
>>electronic commerce get itself established, not elaborate underpinnings
for
>>elaborate infrastructures that will become out of date before anyone has
>>decided who might build what on top (and meanwhile make the whole
>>enterprise seem far more difficult than it really is).
>
>I wonder if there is any consensus on what these "quick legislative
>tweaks" might be.

[material deleted]

>I am starting to wonder whether the signing of keys by statutory bodies,
>even with no escrow in sight, is really a substantial benefit. Do we
>really need to know _exactly_ who we're ordering our online books from ?
>If they turn up in the post that will be good enough for most of us, and
>if not, is a signed key going to get us our money back ?

I think you are right - for the most part it is hard to see why independent
third party CAs will play that much of a role in the use of cryptography to
provide confidentaility or authentication.

If they ever had a role in confidentiality (which is doubtful anyway) then
the US and UK govenments could hardly have done a better job than they have
in killing this off through their promotion of key escrow.

In considering authentication for individual consumers, most paper documents
and signatures are not seriously authenticated and most businesses seem to
have survived and prospered within such an environment without major
difficulties.  For consumers, therefore,a self-certified digital signature
should work well and it is hence hardly a surprise to find that such
electronic commerce as there is works well enough with little more than
this.

Of course this may be because a global trusted infrastructure in the form of
credit cards is already in place but this is exactly the point - whereas we
can expect this new technology to be used in an evolutionary way to add
efficiency and effectiveness to existing trust relationships, it is most
unlikely to be used to implement any essentially new ones (except in the
very long term).

For 'business to business' relationships the banks have provided a basis for
global trust but again it is hard to see why they would hand this crucial
aspect of their business to outsiders when they can simply operate their own
CA functionality in a closed environment.   Given that it has taken them
many decades to establish their record for trust and reliability why on
earth would they suddenly make this dependent on a new and relatively
untried technology operated by third parties with no experience in banking?

Add to this the prospect of key escrow, costly licensing provisions and
heavy handed government control and an already precarious business case
becomes a completely untenable one.  CA products yes, but third party CA
services don't seem to make much business sense (except, possibly, in one or
two specialised areas).

>If one does accept that we need encryption to be more widely deployed
>than just "secure web sites" (a misnomer since the conversations are
>secure and the machines often are not!). The question then arises - is
>it lack of key signing which is holding back encryption ? is it the lack
>of standards ? is the lack of usable software. I'd suggest that the last
>of these was by far the most important practical issue.

I doubt that this is the real cause (although it is an artifact).  Although
many factors are involved I suspect that the biggest single one has been the
concerted action by a number of nations, led by the US, to prevent the
development of any global cryptographic product market for fear that this
would undermine their intelligence collection capabilities.  The UK has
certainly allowed its policies to be dominated by such arguments.

In fact I am inclined to believe that this was a valid stance until the
mid-1980s but since then it has become ever more suspect.  Despite the need
for change, however, the power and the influence of the intelligence
agencies (within the US government scene in particular) is such that they
have been able to sustain their side of the argument well beyond its 'sell
by date'.

>A year ago I thought that addressing the issues was a good idea... but
>I'm coming around to a view that I would welcome a DTI announcement that
>they were going to forget about legislation, but that neverthess they
>thought encryption was a "jolly good thing". ie doing almost nothing
>might be best.
>
>If I'm wrong then please explain, and I'll change my mind again :)

Doing nothing would be far better than their last attempt.  I suspect this
may also be true of their next attempt.  If, however, the UK government is
really serious about their stated desire to promote electronic commerce,
they should simply introduce legislation to remove all existing (export)
controls on cryptographic products.  The positive effect of this single
action will be orders of magnitude greater than any attempt to promote the
market through TTP based legislation.

   Brian Gladman