Response to the publication by the DTI of a proposal on the licensing of trusted third-parties
Abstract
Neil McEvoy, a Director of the IT management consultancy
Hyperion, prepared a detailed set of comments in response to the publication by the Department of Trade and Industry (DTI) of a proposal on the licensing of trusted third-parties (TTPs) and a request for comment. These comments were sent to the DTI and are reproduced here.
©Hyperion Systems Limited (1997).
Hyperion Credentials
Since our foundation in 1986, Hyperion has specialised in the specification and procurement
of systems and networks to support secure financial transactions. This has been backed
by thorough technical knowledge of cryptography, particularly asymmetric (public key) cryptography. One of our directors, Neil McEvoy, is credited with being the
first European to implement the RSA algorithm, in a service he designed in 1982,
which provided encrypted and signed file transfers over a multi-organisation wide
area network.
Hyperion has specified and procured secure networks for Bank of England settlement
services, including the Central Gilts Office, Central Moneymarket Office and CREST.
These systems, collectively, settle tens of billions of pounds of transactions daily.
We have assisted UK banks in the development of secure ATM and EFTPOS networks. We have
contributed to British and ISO standards in this field.
Hyperion played a leading role in the specification and design of the Mondex electronic
cash scheme. We were the first technical consultancy organisation to be consulted
by National Westminster Bank and continue to provide the greatest external input
to the NatWest team responsible for continued innovation in this field.
Since the foundation of Mondex International, we have assisted them with a number
of tasks, including the ongoing education of member banks, and other service and
manufacturing organisations, on how to construct secure commercial services based
on the Mondex core products.
For a European telecommunications company, we have designed, and supervised the construction
of, the first pilot service to utilise electronic purse technology to make purchases
of digital goods over the Internet, and to withdraw and deposit digital money from/to bank accounts.
We are retained by a number of global hardware, software and telecommunications companies
to advise on the use of smart cards to implement cryptographically secure identity
and payment functions over the Internet.
We believe that we were the first company to publicise the potential of smart card
based electronic cash schemes over the Internet and other networks (at the Worldwide
Electronic Commerce conference, New York, January 1993). As a result of our vision
and practical development management skills we are widely regarded as one of Europe's leading
electronic commerce consultancies.
Summary Comments
We can see no express benefit deriving from a government role in the regulation of
trusted third party services (or any other service based on cryptography), but many
dangers.
The only claimed benefits we can find in the paper relate either to the facilitation
of the growth of electronic commerce in the UK or to help in the fight against crime
and terrorism. We find both claims deeply implausible.
We can see no evidence that the growth of electronic commerce in the UK is hampered
by lack of government regulation. In the words of the consultation paper itself:
"Advances in the computing, telecommunications and creative sectors, combined with
the worldwide explosion of electronic commerce are revolutionising the delivery and availability
of information and services". The use of the present tense is illuminating. A recent
report by Jupiter Communications justifies the use of 'explosion' by predicting online payments for items under $10 growing from $12M in 1996 to $76M in 1997 to $473M
in 1998--in the absence of government intervention.
We can see no gain flowing to the forces of law and order from these proposals. Effectively
unbreakable cryptography is already available to criminals, and is presumably widely
used by them. This particular genie is out of the bottle. As with any technology, it can be used for good or ill.
Whilst the claimed benefits appear illusory, the dangers inherent in the proposals
are manifest.
Firstly, there is an overt threat to individual liberty. As a matter of principle,
we believe an individual (or for that matter a corporation) should be able to turn
to any third party he chooses to help form an opinion as to the trustworthiness of
some other individual (or corporation), and that any third party should be free to give
such opinions. Imagine the moral outrage if the government sought to overturn this
principle for everyday (non-cyberspace) transactions! This is the effect of the
proposed requirement for TTPs to be licensed.
The same thought experiment leads directly to another manifest danger; namely that
a centralised, regulated system for the dissemination of trust in Cyberspace could
not have the 'bandwidth' to disseminate trust in the same way that informal, loose,
overlapping and unregulated networks do in '3-d space'. This widespread dissemination of
trust has underpinned the United Kingdom's commercial success for centuries. Legislation
on the lines proposed would prevent the projection of this successful informal system onto Cyberspace.
Access to the limited trust 'bandwidth' would of course be rationed by price. Licensed
TTPs would justify high prices on the grounds of the expense of meeting onerous regulatory
requirements. This leads to the danger of a society of information 'haves' and 'have nots'. On the provider side, regulatory schemes by their very nature discriminate
in favour of established larger companies (with plenty of lobbyists, compliance officers,
lawyers and (dare we say it) consultants to support their cause) and against smaller, potentially more innovative, enterprises.
Support for decentralised business models is one of the foundations of the Internet's
astonishing success. The imposition in the United Kingdom of a centralised security
superstructure on the Internet would all but strangle at birth UK electronic commerce, in much the same way that the Red Flag Act crippled the nascent British automotive
industry. We believe this parallel to be quite striking--an ill-conceived piece of
legislation, imposed at a very early stage in an industry's development, nullifying
the very advantage offered by a new technology.
In conclusion, we believe there to be no clear benefits to the proposals. On the contrary, we believe they are morally wrong and would be damaging to the UK economy if implemented.
Allowing unlicensed TTPs freedom to operate in the UK would overcome both objections.
The proposals to establish a licensing regime would then amount to no more than a
potential waste of taxpayers' money.
Detailed Comments
Foreword, Paragraph 1
...ensure that everyone in the UK exploits the full potential of information and communication
technologies
This sounds rather authoritarian! "...ensure that everyone in the UK is able to exploit..."
would be a better turn of phrase. We believe that the proposals hinder rather than
help this requirement. Those who do not trust the government would not have access to UK-based 'TTPs' which they actually trust. The few licensed TTPs would be able
to charge large fees (and indeed would have to, to cover the cost of compliance),
effectively disabling poorer people from participating in electronic commerce.
Foreword, Paragraph 4
"The UK is already a world leader in the telecommunication, broadcasting and multi
media industries..."
...precisely because of the UK's relatively light regulatory regime in these areas.
Section I, Paragraph 1
...licensing and regulation of trusted third parties...
Trust has to be "in the eyes of the beholder". Whilst for some people, a government
licence may be a badge of trust, for others it may be quite the reverse! People must
have the freedom to place their trust elsewhere, which means that everyone should
have the freedom to assert their trustworthiness, backed up by track record, evaluation
under other schemes, insurance cover or anything else which a user of TTP services
may deem appropriate.
Section I, Paragraph 2
...the requirement to preserve the ability of intelligence and law enforcement agencies
to fight serious crime and terrorism.
Insofar as this relates to the understanding of encrypted messages, the law enforcement
agencies do not have this ability to preserve. The proposals inconvenience law abiding
citizens whilst not preventing, or facilitating the detection of, criminal activity.
Section II, Paragraph 1
Advances in the computing, telecommunications and creative sectors, combined with
the worldwide explosion of electronic commerce are revolutionising the delivery and
availability of information and services.
The use of the present tense is illuminating. A recent report by Jupiter Communications
justifies the use of 'explosion' by predicting online payments for items under $10
growing from $12M in 1996 to $76M in 1997 to $473M in 1998--in the absence of government intervention.
Section II, Paragraph 11
The UK is already a world leader in telecommunications, broadcasting and multimedia--benefiting
from Government action to liberalise the market and promote competition.
Indeed. The TTP market is currently perfectly liberal and competitive. The proposals
will constrain people's freedom to offer and subscribe to TTP services, and limit
competition by raising barriers to entry.
Section II, Paragraph 12
...the Government has an important role to play in providing leadership in certain
key areas...
Whilst one can only nitpick with the motherhood statements which follow the above
preamble, the objectives can be better met without the proposed legislation. Naturally,
the government has to decide for itself which TTPs to trust for its own purposes.
These could be licensed TTPs or indeed an internal operation, run for example by the DTI.
Section II, Paragraph 14
...businesses ... have raised legitimate concerns about the adequacy of security measures...
...which businesses are perfectly capable of addressing for themselves.
Section IV, Paragraph 34
Such an infrastructure ... can be based on a hierarchy or network of certificate authorities
...
The operative word is 'can'. Other structures can also be postulated. Regulation should
not seek to favour a particular model, which may prove to be sub-optimal in the long
term. Rather, the market should decide.
Section IV, Paragraph 36
Private parties may also have legitimate reasons and a legal basis to obtain access
to encrypted information.
The example requirements in the paper are very general (i.e. wider in scope than cryptography)
and can be met by a variety of means, without the need for elaborate, licensed escrow
schemes. For example, it is convenient for all concerned if all of our affairs are ordered in the event of our death. It is just as important for my solicitor
to have access to the physical key to my filing cabinet containing my bank statements
and share certificates, as to my private key to unlock secrets on my hard disk. Nobody has seen the need to license third parties to look after physical keys in this regard,
far less to demand that such third parties make available such keys to law enforcement
agencies. If there is a need for third parties to keep "back ups" of private keys, then the market will ensure that they spontaneously arise.
Section V, Paragraph 39
A user in the UK, under these proposals, would be free to choose their own TTP.
In the light of subsequent paragraphs outlawing unlicensed TTPs, this statement is
insulting to the intelligence of the reader. The user's freedom to choose would be
of the "any colour as long as it's black" variety. Only a few, expensive TTPs, conforming
to a single operational model, would be available.
Section V, Paragraph 40
The use of a TTP is dependent on the fundamental requirement that it is trusted by
the entities it serves...
Quite so. But under the proposed scheme, all TTP users would be asked to place their
trust in the government licensing regime, which is clearly unrealistic.
Section V, Paragraph 42
TTPs are being licensed to protect the consumer...
There are many mechanisms by which the consumer can protect himself; for example by
relying on evaluation by bodies such as the Consumers' Association or reviews in
specialist magazines (or on web sites) or by demanding indemnity insurance to a suitable
level, etc. The possibilities of users evaluating TTPs using their own criteria and
on any advice should not be removed.
Interoperability between different [encryption] products is not possible.
Manifestly untrue. For example there are several interoperable versions of PGP, SSL,
etc.
Encrypted communication, therefore, will no longer be limited to governments and larger
organisations.
It isn't now: many smaller organisations (including Hyperion) and individuals use
encryption. PGP can be obtained for free or for a nominal sum and the "web of trust"
method of distributing trust has been, for us at least, an entirely voluntary exercise.
SSL encryption is built into standard web browsers. 'Class A' certificates from Verisign
Inc., which provide a level of assurance that the holder is the legitimate user of
the e-mail address in the certificate, are available for free.
TTPs will allow UK Business to take advantage of secure electronic trading
Very probably: but this is not dependent upon a licensing scheme.
TTPs will also be able to offer Data Recovery Services.
Quite so: also not dependent on a licensing scheme.
Products that are designed to operate within a TTP environment will be subjected to
simpler export licence procedures
This is an arbitrary and unfair distinction to draw.
Use of licensed TTPs is voluntary...
...but alternatives are banned. The worst kind of Orwellian doublespeak!
UK taking a lead in very important area...
...but in the wrong direction!
Many countries agree with the UK...
This is presumably shorthand for "civil servants in many countries agree with civil
servants in the UK".
Section VI, Paragraph 43
Positive Licensing Scheme
This certainly looks likely to create and sustain jobs... in the DTI!
Section VI, Paragraph 44
Either [rejected] arrangement could ... lead to the presence of unsuitable or incompetent
TTPs
Elaborate regulatory regimes are no guarantee of competence or probity in regulated
organisations: witness personal pension mis-selling and other financial scandals
in regulated organisations.
Section VI, Paragraph 45
Organisations offering ... such services outside the UK will be required to be licensed
We can see no way of enforcing this requirement, which will place licensed UK-based
TTPs at a competitive disadvantage in a global market.
Section VI, Paragraph 57
The legislation will give the Secretary of State discretion to determine appropriate
licence conditions.
In practice therefore, civil servants will be free to make up rules they deem fit,
free from parliamentary scrutiny.
Section VI, Paragraph 58
The DTI has been chosen as the initial authority...
This should create and preserve jobs in the DTI for years to come.
Section VI, Paragraph 59
Licence fees will be payable
This will represent just part of the unnecessary cost burden placed on UK licensed
TTPs, placing them at a disadvantage to international competitors and effectively
levying a tax on users of UK licensed TTPs.
Section VI, Paragraph 62
the Licensing Authority ... will need to be satisfied...
One can anticipate reams of documentation expanding on the stipulated criteria, as
in, for example, the ITSEC criteria. Many of the criteria are by their nature subjective
and decisions will therefore be arbitrary, for example on the trustworthiness of directors and information security personnel. Nor is it obvious that the DTI is equipped
to establish the "competence" of information security personnel, directors and management.
The market alone should determine the relative importance of these and other criteria.
Section VI, Paragraph 68
Similarly, an employer offering cryptographic protection between its employees would
not be covered by the legislation. However, should it decide to extend the protection
service to its suppliers, then it would require a licence.
This stipulation is based on an employment model which is increasingly outmoded. For
example, our consultants, who have employment contracts with Hyperion, are frequently
seconded on a medium-term basis to our clients, who generally treat them in most
respects (for example access to networks and information services) as though they were
their own employees. The above stipulation would prove highly impractical in such
cases.
Section VI, Paragraph 72
The legislation will prohibit an organisation from offering or providing encryption
services to the public without a licence
This is the core stipulation of the document and is an unwarranted restriction on
personal and economic liberties and detrimental to the economy of the UK.
Prohibition will be irrespective of whether a charge is made for such services.
This stipulation seems particularly reprehensible to us. Translated to the world of
pen and ink, it would require a person to be licensed before he/she verified someone's
signature to his/her spouse! In the cryptographic sense, despite DTI public assurances to the contrary, this would severely disable PGP in the UK, since no-one would be
free to sign public keys to securely 'introduce' two parties.
Section VI, Paragraph 83
...some forms of sanction will be required against those ... more seriously (sic),
providing encryption services without a valid licence.
This does not seem to us, to quote Brideshead Revisited, to "rank high in the catalogue
of mortal sins".
Section VI, Paragraph 84
The government seeks views on whether deliberate (and perhaps wilfully negligent)
disclosure of a client's private encryption key should be a specific criminal offence,
or whether existing civil and criminal sanctions would suffice.
A private encryption key is just a secret, and it seems to us there are already legal
remedies against organisations which reveal their clients' secrets. We would soon
be out of business if we revealed our clients' secrets!