Institute of Directors

_____________

31 March 1999

Dear Mr de Souza

Thank you for inviting us to comment on this document. Our response is as follows:

  1. Paragraph 18. We would support the Government taking powers in primary legislation to amend existing legislation by statutory instrument. Such powers ordinarily, and rightly, cause concern about lack of Parliamentary control. But such concerns could be dealt with by limits on the powers taken. The powers should be limited to use in order to make electronic signatures and writing acceptable substitutes for hard-copy signatures and writing. The powers should also perhaps have to be renewed by Parliament in the event of any changes to the system of certification authorities that are themselves significant enough to require primary legislation. It is not however suggested that exercises of the powers prior to those changes should retrospectively become invalid in the event of non-re-confirmation by Parliament: that would be quite impractical.

  2. Paragraph 20. If someone did allege forgery of an electronic signature, they would want a right of access to information about the certification authority's methods. Without such access, it would be very hard for someone alleging forgery to show that forgery was possible. There are however two different issues here, algorithms and security procedures:
    1. Encryption algorithms are claimed to be uncrackable within any reasonable timescale, but until the algorithms are scrutinised by independent mathematicians those claims should not be relied upon in a court of law.
    2. More likely than a defect in an algorithm is a defect in the certification authority's security procedures, leading to leaks. It might be difficult for these procedures to be disclosed without rendering them open to criminal attack in the future. There is no easy answer here.

  3. Paragraph 21. What is the risk that, where a signature is not in fact backed by a certification authority, a certificate purporting to be from such an authority could be forged? Parties might then place more reliance on a signature than they should. Even if certification is checked each time by e-mail to the authority, such checks might be defeated by diverting the e-mail to someone else's computer.

  4. Paragraph 31. Spoofing should probably be prevented. If it can be prevented effectively, world-wide, that would have the additional benefit of making the taxation of electronic commerce a lot easier than it would otherwise be.

  5. Paragraph 31. Requiring attachment of "Advertising" to all commercial e-mail would be too drastic, because many e-mails sent for commercial purposes are communications deliberately and legitimately aimed at a specific recipient. An example would be a reply to a customer's request for detailed information about a product. "Circular" might be a more appropriate word, indicating something that is being sent to a large number of people for no better reason than that their e-mail addresses have been bought from a list-provider or they have previously had unrelated dealings with the sender.

  6. Paragraph 42. If the details of liability régimes had to be stated on certificates and other instruments, consumers would probably be confused by the detail or just ignore it. Communication would be more effective if there could be standard liability régimes, and certificates etc could simply say "standard consumer liability régime applies" or "standard commercial liability régime applies". Having said that, non-standard liability régimes (which might have to be set out in detail) could still be allowed.

  7. Annex A, Part II: licensing criteria for certification authorities: generation of key pair and private signature key. In drafting these conditions, regard should be had to the possibility of new types of encryption algorithm that might not follow the public key-private key model. If something general can be drafted now, eg "Must provide details of the algorithm and of how data are generated and passed securely between the parties", the conditions should be able to handle future developments.

Yours sincerely

Richard Baron

Deputy Head of the Policy Unit

Go to the library of current responses.

Go to FIPR home page.

_____________

Last Revised: July 8 1999