31 March 1999
Dear Mr de Souza
Thank you for inviting us to comment on this document. Our response is
as follows:
- Paragraph 18. We would support the Government taking powers in
primary legislation to amend existing legislation by statutory
instrument. Such powers ordinarily, and rightly, cause concern about
lack of Parliamentary control. But such concerns could be dealt with by
limits on the powers taken. The powers should be limited to use in order
to make electronic signatures and writing acceptable substitutes for
hard-copy signatures and writing. The powers should also perhaps have to
be renewed by Parliament in the event of any changes to the system of
certification authorities that are themselves significant enough to
require primary legislation. It is not however suggested that exercises
of the powers prior to those changes should retrospectively become
invalid in the event of non-re-confirmation by Parliament: that would be
quite impractical.
- Paragraph 20. If someone did allege forgery of an electronic
signature, they would want a right of access to information about the
certification authority's methods. Without such access, it would be very
hard for someone alleging forgery to show that forgery was possible.
There are however two different issues here, algorithms and security
procedures:
- Encryption algorithms are claimed to be uncrackable within any
reasonable timescale, but until the algorithms are scrutinised by
independent mathematicians those claims should not be relied upon in a
court of law.
- More likely than a defect in an algorithm is a defect in the
certification authority's security procedures, leading to leaks. It
might be difficult for these procedures to be disclosed without
rendering them open to criminal attack in the future. There is no easy
answer here.
- Paragraph 21. What is the risk that, where a signature is not in
fact backed by a certification authority, a certificate purporting to be
from such an authority could be forged? Parties might then place more
reliance on a signature than they should. Even if certification is
checked each time by e-mail to the authority, such checks might be
defeated by diverting the e-mail to someone else's computer.
- Paragraph 31. Spoofing should probably be prevented. If it can be
prevented effectively, world-wide, that would have the additional
benefit of making the taxation of electronic commerce a lot easier than
it would otherwise be.
- Paragraph 31. Requiring attachment of "Advertising" to all
commercial e-mail would be too drastic, because many e-mails sent for
commercial purposes are communications deliberately and legitimately
aimed at a specific recipient. An example would be a reply to a
customer's request for detailed information about a product. "Circular"
might be a more appropriate word, indicating something that is being
sent to a large number of people for no better reason than that their
e-mail addresses have been bought from a list-provider or they have
previously had unrelated dealings with the sender.
- Paragraph 42. If the details of liability régimes had to be stated
on certificates and other instruments, consumers would probably be
confused by the detail or just ignore it. Communication would be more
effective if there could be standard liability régimes, and certificates
etc could simply say "standard consumer liability régime applies" or
"standard commercial liability régime applies". Having said that,
non-standard liability régimes (which might have to be set out in
detail) could still be allowed.
- Annex A, Part II: licensing criteria for certification
authorities: generation of key pair and private signature key. In
drafting these conditions, regard should be had to the possibility of
new types of encryption algorithm that might not follow the public
key-private key model. If something general can be drafted now, eg "Must
provide details of the algorithm and of how data are generated and
passed securely between the parties", the conditions should be able to
handle future developments.
Yours sincerely
Richard Baron
Deputy Head of the Policy Unit
Go to the library of current responses.
Go to FIPR home page.
Last Revised: July 8 1999