A Successful Encryption Policy for E-Commerce

26/1/98

To: Barbara Roche

From: Caspar Bowden

Summary

A public/private key pair may be used for two purposes - for digital signatures[1] or for confidentiality[2]. A Certification Authority (CA) is an organization that certifies that a public key belongs to a named individual, by “stamping” a public key with the CA’s digital signature, to produce a certificate.

Approximately 85% of consultation responses opposed the mandatory licensing framework of the March policy. The primary objection was to key escrow – the requirement for some agency to obtain and keep a copy of a user’s private key. The overwhelming majority of informed opinion will still oppose any “voluntary” licensing policy that is linked to key escrow.

Certification Authorities have no technical or commercial need to know the private key of the applicant in order to produce a certificate. There are few circumstances in which a key-owner will prefer to escrow voluntarily (rather than backup key copies on their own), so compulsion or incentives are required to obtain private keys from key-owners.

There is no economic case or public support for any form of key escrow. The new DTI policy attempts to promote escrow through licensing conditions that will cause serious market distortions. These will not effectively assist law enforcement, but will unacceptably damage e-commerce in the UK, and be received with general dismay and dissent.

Legislation to clarify recognition of digital signatures is necessary, but licensing Certification Authorities is not. With two modifications, the new policy would be widely acclaimed:

· If “light-touch” licensing is thought necessary, a licensed CA should be able to certify keys used both for signature and confidentiality, without the requirement to escrow.

· Licensing should not confer an unfair commercial advantage (such as presumption of signature validity).

What are the new DTI proposals?

The new policy does propose linkage between voluntary licensing and escrow.

It is intended that for licensed Certification Authorities:

· certification of confidentiality keys will be prohibited, unless the private key is escrowed

· certified digital signatures will be preferentially granted a legal presumption of validity

What is wrong with these proposals?

Licensing should not be used as an instrument of coercion towards escrow. There is no consensus among businesses, the professions or the Internet community that licensing is necessary or desirable. A clarification of the legal force of digital signatures would be welcomed in many quarters; however, linking signature recognition to confidentiality key escrow would be counterproductive, because international products are unlikely to be modified to accommodate UK-specific regulatory requirements.

The practical difficulty is that de facto encryption standards (PGP, S/MIME) use the same key for signing and for confidentiality. Thus imposing a requirement on CAs to escrow confidentiality keys will have the immediate effect of escrowing signature keys. Leading software will continue to mix signature and encryption functions in the foreseeable future. The intent of the proposals is to corral end users towards licensed CAs, through granting a presumption of validity not available to unlicensed or plaintext signatures (currently acceptable in common law). Ironically, if licensed CAs are compelled to escrow confidentiality keys also used for signature, their presumption of validity becomes suspect. In Germany an escrowed signature key is invalid.
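The memo's point that escrowing a dual-use key also escrows the signature key can be shown with textbook RSA. This is an added illustration, not part of the original memo: the tiny primes, the message value 42 and the unpadded textbook scheme are constructed for the demonstration and do not form a secure implementation.

```python
"""Toy model of the memo's key-sharing argument: when one RSA key pair serves
both confidentiality and signature (as PGP and S/MIME did), escrowing the
confidentiality key hands the escrow agency the signing key as well.
Textbook RSA with constructed tiny primes: illustration only, not secure."""
from dataclasses import dataclass
from math import gcd


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent: the value an escrow agency would hold


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Textbook RSA key generation from two (constructed) small primes."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return KeyPair(p * q, e, pow(e, -1, phi))  # modular inverse, Python 3.8+

def encrypt(m: int, pub: KeyPair) -> int:
    """Confidentiality: anyone with the public key can encrypt to its owner."""
    return pow(m, pub.e, pub.n)

def decrypt(c: int, d: int, n: int) -> int:
    """Decryption needs only (d, n): exactly what an escrow copy provides."""
    return pow(c, d, n)

def sign(m: int, d: int, n: int) -> int:
    """Signing needs the very same (d, n); there is no separate signing secret."""
    return pow(m, d, n)

def verify(m: int, sig: int, pub: KeyPair) -> bool:
    return pow(sig, pub.e, pub.n) == m

def escrow_can_forge(single_key: bool) -> bool:
    """True if the holder of the escrowed confidentiality key can produce a
    signature that verifies under the owner's signature public key.
    single_key=True models dual use; False models separate key pairs."""
    conf = make_keypair(61, 53)                    # constructed toy primes
    sig_kp = conf if single_key else make_keypair(67, 71)
    escrowed_d, escrowed_n = conf.d, conf.n        # the agency's escrow copy
    m = 42                                         # constructed message
    # The escrow copy genuinely decrypts the owner's confidential traffic...
    assert decrypt(encrypt(m, conf), escrowed_d, escrowed_n) == m
    # ...and can sign as the owner exactly when the key pair is shared.
    return verify(m, sign(m, escrowed_d, escrowed_n), sig_kp)
```

With separate key pairs the escrowed decryption exponent is useless for forgery; with one shared pair, anyone holding the escrow copy can sign in the owner's name, which is why the memo calls the presumption of validity "suspect".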

 

Linking certification to escrow will also tilt the playing field against UK-based CAs and retard e-commerce, without effectively assisting law enforcement in catching serious criminals. This is because:

1. CAs operate trans-nationally over the Internet (Verisign, SET). Extra-territorial bans are not enforceable.

2. The higher costs of licensing and operation for UK CAs, and insurance against the much greater liabilities and risks of escrow, jeopardize their viability.

3. Avoidance strategies that hinder e-commerce are encouraged (e.g. “self-certified” confidentiality keys).

These problems will be compounded by the need for escrowing-CAs to offset higher costs through cross-subsidy, and lead to anti-competitive concentrations of market share.

Policy should promote a diverse plurality of CAs, which would instantly increase market penetration, and rapidly develop e-commerce with vigorous competition across and between tiers of service. Professional and voluntary associations, accountants, solicitors, trade unions, and financial and commercial brands have valuable goodwill and fiduciary relationships established over many years with their clients, members, and customers. None should be discouraged from participation as CAs, if they can reinforce existing social and commercial trust networks.

Labour Policy on Encryption

The policy set out in “Communicating Britain’s Future” (1995) does not accept arguments for key escrow:

“We do not accept the ‘clipper chip’ argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it. The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant (in the same way that a warrant is required in order to search someone's home).

Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks. Furthermore, the rate of change of technology and the ease with which ideas or computer software can be disseminated over the Internet and other networks make technical solutions unworkable. Adequate controls can be put in place based around current laws covering search and seizure and the disclosure of information. It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers”

What about law enforcement?

Law enforcement is primarily interested in tracing contacts. Traffic analysis of messages will provide this, together with the permanent records and co-operation of legitimate organizations. When necessary, intrusive surveillance (authorized under the 1997 Police Act) can be used to overcome encryption, in a number of ways, and such technologies would in any case be required against non-escrowed targets. Revising the Interception of Communications Act 1985 to admit telephone intercepts as evidence (already widely used in the US) would also aid prosecutions.

Who opposes escrow?

· Industry and Business – Microsoft, Hewlett Packard, Sun, Netscape, ISPs, potential CAs (e.g. De La Rue), UK computer SMEs (Acorn, ESI, ITS, Ncipher)

· Trade and general press – Guardian, Telegraph, Independent, Computing, Network Week, Wired

· Civil liberties groups – LIBERTY, JUSTICE

· Academics – all UK centres of excellence with the exception of Royal Holloway College

· Trade Unions – UNISON

· 85% of respondents to the March consultation exercise

· 95% of the opinions expressed in Internet discussion groups (Usenet)

· 82% of respondents to a BBC Online poll (after the Jack Straw 29th December announcement)

· Most EU member states (Netherlands, Belgium, Germany, Scandinavians)

In anticipation of the Labour Government honouring its commitment against escrow in “Communicating Britain’s Future”, these groups remain a loose coalition. If an escrow policy were announced, an umbrella organization would swiftly form to campaign concertedly for its reversal, and the blight would spread to other aspects of Superhighway policy dependent on certified digital signatures (Government Direct, Freedom of Information, EDI, Data Protection).

What policy makes sense?

There is nothing economically to be gained, and large technical and commercial risks, in attempting to pioneer escrow legislation. A top-level global network of CAs to transact e-commerce has already emerged without government intervention (e.g. the Global Trust Register), and UK companies need every incentive and encouragement to establish comparative advantage from a strong domestic base. Unilateral escrow legislation will make the UK uncompetitive and unattractive to inward investment.

Legislation to clarify recognition of digital signatures is necessary, but licensing Certification Authorities is not. With two modifications, the new policy would be widely acclaimed:

· If “light-touch” licensing is thought necessary, a licensed CA should be able to certify keys used both for signature and confidentiality (such as PGP), without the requirement to escrow.

· Licensing should not confer an unfair commercial advantage (such as presumption of signature validity).

The European Commission DGXIII policy document “Towards a European Framework for Digital Signatures” (October 97) recommends that governments do not link certification with escrow, and warns that “restrictions imposed by national licensing could lead to Internal Market obstacles and reduce the competitiveness of the European Industry”.

The March policy undermined confidence in the DTI to an extent that should not be underestimated. Measures to restore confidence could include:

· Eliminate “Trusted Third Party” - the name is mistrusted and associated with a failed policy. The style of the March paper suffered from (intentionally) confounding the functions of “Certification Authority” and “Key Recovery Agency”. Distinguishing the terms would make the regulatory intent clear, and allow more logical drafting.

· Establish an Advisory Committee on the Regulation of Encryption (ACRE) - a standing committee of experts fairly reflecting the views of industry, academia, and civil liberties NGOs. ACRE would consult with law enforcement officials, advise the regulator, and report to a parliamentary scrutiny committee.

· A new public consultation over licensed Key Recovery Agencies. There is a limited commercial need for key recovery in specific sectors, but the first consultation did not achieve any consensus over the more stringent licensing requirements. International agreement is also needed over jurisdictional issues.

[1] A document can be “signed” with a private key, and anyone can check the digital signature against the public-key certificate (certified by a CA and published in a directory), to verify that the document was signed by the private key-owner (and has not been altered).

[2] A document “encrypted” with the public key of the recipient (obtained from a directory) is confidential, because only the owner of the private key can decrypt it.