RESPONSE TO THE DTI PUBLIC CONSULTATION

PAPER ‘LICENSING OF TRUSTED THIRD PARTIES

FOR THE PROVISION OF ENCRYPTION SERVICES’

28 May 1997

Version 1.0

 

John R T Brazier

Professional Projects Company Ltd

19 Barttelot Rd

Horsham

RH12 1DQ

Table of Contents

Introduction

Acknowledgements

Recommendations

Current Position and DTI Paper Overview

Trust

TP Functions and Key Escrow

  1) Encryption Services

  2) Keyholder Information

  3) Key Escrow

    1) Signing keys

    2) Criminals and registration

    3) Aims of key escrow would be unfulfilled

    4) Mandatory use of TPs can be circumvented

    5) Public key techniques are inappropriate for key escrow

    6) Criminal communications to society

    7) The value of covert monitoring

    8) Technology and LEAs

    9) Conclusions on key escrow

  4) Data Recovery

  5) Key Delivery to LEAs

Licensing

Liability and Appeals

Digital Signatures

OECD Policy Guidelines

References

Appendix 1

Introduction

This document is a response to the proposals outlined by the DTI in March 1997 entitled ‘Licensing of Trusted Third Parties for the Provision of Encryption Services’. It aims to meet the following objectives:

  1. Discuss a number of topics that require further clarification;
  2. Provide views on subjects specifically requested by the DTI;
  3. Make a number of recommendations in addition to the DTI proposals;
  4. Provide supporting evidence for the recommendations; and
  5. Build on the DTI document for the benefit of everyone.

The fifth point is important: the DTI document has been valuable in initiating an important debate on matters vital to everyone; in addition, there are a number of elements that are to be supported (even though this submission will recommend major changes to the DTI proposals). Cryptography is important to the country, thus it is also important to get the legislation right, balancing the needs of the individual and society.

Given the complexity of the issues, the interplay of the technological, human and social factors and the limited time given for this response, many topics are dealt with in insufficient detail or are completely missed out. However, it is believed that it is preferable to provide some response, albeit imperfect, rather than none at all.

This document is organised around a number of issues, which are all discussed in the main text. There are a number of recommendations, which appear throughout the document, and so are also listed after the acknowledgements for easy access.

Acknowledgements

This document would not have been possible without the contributions and help from a large number of people, and I have attempted to reflect their views in an integrated manner. Where possible, people have been credited and references given; where this has been impossible I now take the opportunity here to thank them unreservedly. Of course, all errors, omissions and inaccuracies remain entirely my responsibility.

 

Recommendations

The following are the recommendations from this document, and the page number of each is shown. If it is in response to a request for comment from the DTI, the appropriate paragraph number from the DTI document is also given. Trusted third parties are referred to as ‘TPs’:

  1. The word ‘trust’ should be avoided, and the third parties should be renamed as ‘validated third parties’ or another name that more accurately reflects their role (page 5).
  2. TPs should never have signing keys, even when they are also confidentiality keys (page 7).
  3. The Government should make its future intentions clear with regard to TPs and their voluntary use (page 7).
  4. LEAs should justify their position on key escrow, and should provide evidence for its necessity (page 11).
  5. The use of TPs, and the use of key escrow, should be voluntary, not mandatory (page 11).
  6. The legislation should provide for contracts to allow key access for data recovery, and extend the current legislation for information access in the case of civil matters (page 11, in response to paragraph 82).
  7. Electronic warrants and electronic key delivery systems can be implemented, as long as key escrow is not mandatory (page 12, in response to paragraph 81).
  8. Licensing of TPs should be voluntary, and licensed and unlicensed TPs should operate alongside each other. Because it is not clear what services TPs will offer, consideration should be given to having different licences for different types of TP (page 13, responding to paragraph 60).
  9. Intra-company TPs’ licensing should also be voluntary (page 13, in response to paragraph 50).
  10. Licensing conditions should measure results, not how they are achieved, which should be left to the TPs (page 13, responding to paragraph 65).
  11. Specific exemptions for certain types of TPs are not required, as licensing should be voluntary (page 13, responding to paragraph 70).
  12. The licensing of services to ex-UK businesses and citizens should be voluntary. In addition, the licensing of ex-UK TPs should also be voluntary (page 13, in response to paragraph 71).
  13. ITSEC evaluation should also be voluntary rather than mandatory for TPs (page 14, in response to Annex C).
  14. The DTI proposals with regard to the TPs’ strict liability, the appeals board and the Tribunal are all supported, subject to some comments (page 15, in response to paragraphs 89, 91 and 93).
  15. Deliberate and/or negligent key disclosure should be made a specific criminal offence (page 15, responding to paragraph 84).
  16. It is recommended that legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents should be implemented. The legislation should also cover hash functions, the structure of digital signatures and the process of key revocation (page 16, in response to paragraph 54).
  17. The OECD Cryptography Policy Guidelines should be fully implemented in the DTI proposals, as should their balance towards individual privacy (page 17).

Current Position and DTI Paper Overview

The DTI paper aims to describe a series of proposals for the licensing of trusted third parties (TTPs) for the provision of encrypted services. In doing so, it actually intermingles several issues which need to be separated and appraised for an effective discussion to take place. These issues include:

The DTI proposals develop a single paragraph in the foreword by Ian Taylor, which seems to define the Government position:

‘These proposals – aimed at facilitating the provision of secure electronic commerce – are being brought forward against a background of increasing concern, not about the technology, but about the security of information itself. In a world where more and more transactions are taking place on open networks like the internet, there has been a growing demand from industry and the public for strong encryption services to help protect the integrity and confidentiality of information. These proposals have been developed to address these concerns, but at the same time are aimed at striking a balance with the need to protect users and the requirement to safeguard law enforcement, which encryption can prevent.’

As Gladman has pointed out [1], there is no evidence supplied for the last sentence, yet this paragraph drives the entire set of proposals. It also misses out the fact that many believe that encryption may well directly help law enforcement. Appendix 1 briefly outlines the rest of the DTI document and some of the numerous issues raised can now be discussed.

Trust

The DTI document frequently refers to ‘trust’. Paragraph 17 highlights the need for TTPs to be trusted and states that licensing will help this. Paragraphs 34 and 39 reinforce this proposal.

Trust is a human concept; typically we trust people to do things or behave in certain ways. We often say things like ‘I trust Bob’, but there is usually an applied meaning such as ‘I trust Bob to arrive on time’ or to be honest, and so forth. Thus trust is embedded in a web of human relationships, and is an estimate by one human being of another’s behaviour under certain conditions, from the experience of knowing that person. In other words, if I don’t know you, I cannot trust you (although a recommendation from someone I know can start the process of forming a trust relationship).

This has a practical consequence: an institution cannot ‘trust’; only individuals can. Individuals can ‘trust’ an organisation to behave in a certain way or do certain things (from their experience of it), but the reverse cannot be the case: an organisation cannot ‘trust’ individuals (only individuals in the organisation can).

This leads to the following implications:

  1. The term trust is inappropriate in the proposals, because the concept of ‘trusted third party’ as defined within the DTI document is probably meaningless (‘An entity trusted by other entities with respect to security related services and activities’, page 28, Annex D, DTI paper). Individuals do not trust remote, large organisations as implied in the document. They do trust next door neighbours.
  2. ‘Trust’ is an emotionally loaded word that can lead to assumptions and misunderstandings. As such, it should be avoided at all times in such proposals that have to be extremely exact and will lead to legislation that may have significant effects on the future of society.
  3. Large organisations dealing with other large organisations do not employ the concept of trust, and thus the term is valueless in such relationships.
  4. The Government is clearly attempting to define whom the public should trust, when they have no experience of the selected organisations. This is most unlikely to be successful.

The conclusion is that the word ‘trust’ in all its forms should be removed. The TTPs as described in the paper are not really ‘trusted’ by anyone. However, they have gone through some sort of validation procedure (as proposed in the document), so a better term would be ‘validated third parties’, or ‘licensed third parties’, or some such equivalent. This also makes clear what these third parties are: entities that have gone through a checking procedure in order that they can provide services.

Thus the first recommendation is to cease using the words ‘trust’ or ‘trusted’, in the interests of clarity and accuracy. For the rest of this document, the TTPs will be known as TPs (third parties).

 

TP Functions and Key Escrow

The TPs are defined as carrying out the following functions:

  1. They will provide encryption services (paragraphs 39, 40).
  2. They provide information about keyholders; in essence they affirm people are who they claim to be (paragraphs 34, 41).
  3. They will hold privacy keys so that the law enforcement agencies (LEAs) can access communications and stored data. This is called ‘key escrow’ (paragraphs 37, 42, 46).
  4. They can offer data recovery services, using escrowed keys (paragraph 42).
  5. On receipt of a valid warrant they will yield privacy keys to the LEAs within one hour (paragraph 78).

It is this document’s contention that TPs are neither necessary nor sufficient to carry out these functions; in addition some of the functions are impractical or are not required. It is worth discussing each one.

1) Encryption Services

The services that TPs will provide are left open. Paragraphs 34 and 41 refer to key certification, and it is clear that the document envisages TPs as being a network which supports key certification. Paragraph 42 mentions other services: ‘Time stamping, non repudiation, confidentiality and integrity . . .’. Paragraph 42 also implies that TPs will achieve interoperability and a common architecture.

It is not clear what services TPs will provide in addition to key certification. This has an impact on the whole aspect of licensing, and is covered below. What is clear is that different TPs may well provide different services (some may just provide key registration services, whilst others might provide a complete cryptographic infrastructure to clients).

It is notable that TPs are not mandated to provide encryption products; thus it is not clear that TPs will achieve interoperability and standardisation. It seems that users will still select their own encryption products, so there will be no drive towards standards except the results of competition provided by a free market. This is reinforced by paragraphs 42 and 45, which underline the voluntary use of TPs and confirm that TPs are not essential for cryptographic services, even though they may be useful.

2) Keyholder Information

TPs are meant to provide ‘trusted’ information on key holders. It is worth looking in detail at what this is and how it functions.

When a TP validates a cryptographic key, and issues some form of certificate, it is in effect saying:

‘on this date this person provided a specified amount of evidence as to his or her identity and key ownership; this cryptographic key was confirmed as belonging to this person on this date’.

The key certificate says nothing else. There are some important consequences of this:

  1. The certificate says nothing about the honesty of the person. All it does is validate the key at some point in time.
  2. The key is typically ‘bound’ to a name; as Ellison has observed [2], as the global namespace gets larger the names become meaningless.
  3. The key can be stolen, or the owner suborned, almost immediately after the certificate is granted, and potentially the TP may not know (in fact, the owner may not know that someone has copied their key and can use it). As Ellison put it in [2], ‘If the bond between key and person is broken, no layer of certificates will strengthen it. On the contrary, in this case certificates merely provide a false sense of security to the verifier.’

TPs cannot, as such, provide guaranteed key certification. In addition, most users will still carry out their own checks if they are going to set up commerce with other parties. For example, banks will give their clients the appropriate permissions to carry out financial transactions: they will not just take TPs’ certifications. Thus the key certification services may be very limited. In addition, the DTI document does not cover the case when people accept TPs’ certificates, which are then found to be compromised. This will be discussed further in the liability section.

3) Key Escrow

This is one of the most contentious areas of the document. It is proposed that the TPs should keep copies of the privacy keys of its clients (paragraph 37). The document accepts that the TPs would not keep copies of signing keys (paragraph 46). The purpose of this is to allow LEAs access to communications and stored data, with the use of a warrant. There are a number of issues and problems with this proposal, each of which is now discussed.

1) Signing keys

Certain types of cryptographic system (notably RSA, with PGP being a publicly-available implementation of RSA) use the same keys for confidentiality and signing. This could be regarded as a misuse of the system, as people should always have separate signing keys: however, some may not. If the legislation is implemented as proposed, the TPs would end up with the signature keys of some of their clients. This immediately compromises the signature key, as a TP could untraceably forge any transaction with that client’s signing key (consider Barings, BCCI and the Maxwell group, all of whom could have applied to be a TP). It is strongly recommended that TPs should never have copies of signing keys (even when they are also confidentiality keys), and this should be clearly stated in the proposed legislation.

2) Criminals and registration

Because the use of TPs will be voluntary, criminals will simply not register with them, which destroys the purpose of key escrow. It has been suggested that they would register for ease of use, but it should be noted that large criminal organisations are perfectly capable of organising complex support infrastructures for their operations (such as the Prohibition gangsters in the USA, and the cocaine barons in Colombia). However, if the Government intends to make the use of TPs mandatory it should say so: paragraph 47 is much too loose. It is recommended that the Government make its intentions clear.

3) Aims of key escrow would be unfulfilled

There seem to be two aims in the escrow proposal: (1) to recover information content from intercepted encrypted communications; and (2) to recover information content from stored encrypted data (paragraph 46). However, the proposals do not fulfil these aims. This is because use of TPs is voluntary, so the keys will not be available. More importantly, even if the use of TPs is made mandatory, there are a number of ways that criminals can subvert the standards (discussed below). However, consider first the simplest way for criminals to deal with mandatory registration: ignoring it and using unregistered keys.

If the LEAs wish to access stored information under these conditions, they would have to use a warrant to make the criminals reveal their stored data (assuming any required legislation were in place), in just the same way as the Inland Revenue may now force businesses to reveal their records. If they wish to access the content of communications they cannot, although they could obtain a warrant to force the criminals to reveal the content, again assuming the appropriate legislation existed.

The point is that key escrow will not help the LEAs, although there are other ways by which they can get the information. Note that by a simple manoeuvre the criminals have frustrated what is probably the real reason for key escrow: the covert monitoring of communications without the knowledge of the participants. However, LEAs can achieve most of what they require by means that effectively already exist: the use of warrants to force people into giving up information.

4) Mandatory use of TPs can be circumvented

Even if the use of TPs is made mandatory, criminals can circumvent the escrow controls in several ways (aside from just using unregistered keys). They can make it effectively impossible to check that they are using illegal encryption, or they can bend any likely proposed legislation to their benefit. Here are a few examples of how this can be done:

  1. Steganography: concealing one message inside another. Packages are freely available on the net now that allow data to be hidden within graphics files. More subtle systems can be set up: a communications link could be sending random data, encrypted, all the time under the excuse that it had to be ‘available at all times’ and the random data stream was a way of keeping the link up under permanent pseudo-live conditions. If a secret-key protocol was used that merged encrypted data into the random stream, in a ratio of no more than one bit in 1000, then it would become impossible to tell when a message was actually being communicated.
  2. Similarly, the Digital Signature Standard as proposed by NIST [3, 4] uses an algorithm, the DSA, which has been found to have several subliminal channels [5, 6]. This allows information transfer in a completely secret way using the official US Government proposed signature standard: even if the LEAs suspect that hidden messages are being sent, they cannot prove it from analysis of the communications.
  3. Criminals can also get around the proposals in another way: use of Diffie-Hellman key exchange protocols [7] allows a session key to be negotiated which is destroyed at the end of the session, and so is unrecoverable (in general, session keys should always be destroyed). The users can use new random variables for each new session negotiation, and thus subvert the concept of key escrow. Other protocols also exist allowing this.
  4. Another method is to return to the use of codebooks. As these operate at the semantic level, unless the Government proposes to legislate about what can and cannot be said in the English (or any other) language, then this potentially cumbersome but effective technique allows hidden messages to be sent without the use of escrowed keys.
All these techniques can effectively invalidate the use of key escrow as proposed in the DTI document.

5) Public key techniques are inappropriate for key escrow

The proposals for key escrow also seem to be flawed with regard to public key cryptography. To quote paragraph 77: ‘The purpose of this central repository will be to act as a single point of contact for interfacing between a licensed TTP and the security, intelligence and law enforcement agencies who have obtained a warrant requiring access to a client’s private encryption keys’ (my italics). There seems to be an assumption that obtaining access to one person’s key is all that is needed: this is valid for symmetrical single-key cryptography, but is invalid for public-key systems.

Let us take RSA as an example in a key escrow system. Each person has a public key, which is listed and is fully available to all, and a private key kept at home, a copy of which is lodged with the TP. Assume that Bob is a criminal, and the LEAs are interested in him. The points to note are:

  1. All the messages received by Bob are encrypted by everyone else using his public key.
  2. Each message Bob sends is encrypted with someone else’s (the recipient’s) public key.

Thus the execution of a warrant means that the LEA gets access to Bob’s private key: they can now read all the messages sent to Bob. However, one would suspect that they would be at least as interested (or probably more so) in the messages Bob creates and sends to other people (these are presumably the messages that show Bob is an initiator in criminal activities). The LEA cannot decrypt these messages unless it gets a warrant to access each of the private keys of the people Bob communicates with. However, most of these people will not be the target of the investigation; in fact, there will be no evidence against these people, and thus how can a warrant be executed for their private keys?
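The asymmetry described above, together with the problem raised under ‘Signing keys’, as an added example that is not part of the original submission. It uses textbook RSA with tiny constructed primes and no padding; the party names, messages and function names are all assumptions made for illustration.

```python
# Added illustration (not from the original paper): textbook RSA with tiny
# constructed primes and no padding. Insecure by design; names are hypothetical.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent: the value lodged with the TP under escrow


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    phi = (p - 1) * (q - 1)
    # pow(e, -1, phi) raises ValueError if e has no inverse modulo phi
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def encrypt(recipient: KeyPair, m: int) -> int:
    """The sender uses only the recipient's public half (n, e)."""
    return pow(m, recipient.e, recipient.n)


def decrypt(holder: KeyPair, c: int) -> int:
    """Anyone holding d, the owner or the escrow agent, can do this."""
    return pow(c, holder.d, holder.n)


def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(holder: KeyPair, msg: bytes) -> int:
    return pow(digest(msg, holder.n), holder.d, holder.n)


def verify(signer_public: KeyPair, msg: bytes, sig: int) -> bool:
    return pow(sig, signer_public.e, signer_public.n) == digest(msg, signer_public.n)


# Constructed parties. Bob is the warrant target; Alice and Carol are not.
KEYS = {
    "bob": make_keypair(1009, 1013),
    "alice": make_keypair(1031, 1033),
    "carol": make_keypair(1039, 1049),
}

# Constructed traffic: (sender, recipient, plaintext encoded as a small int).
PLAINTEXTS = [
    ("alice", "bob", 0x4131),
    ("carol", "bob", 0x4331),
    ("bob", "alice", 0x4231),
    ("bob", "carol", 0x4232),
]
# What an interceptor sees: each message is encrypted to its recipient's key.
TRAFFIC = [(s, r, encrypt(KEYS[r], m)) for s, r, m in PLAINTEXTS]


def warrant_view(target: str):
    """Apply only the target's escrowed key to every intercepted message."""
    escrowed = KEYS[target]  # the TP's copy is identical to the owner's key
    return [(s, r, decrypt(escrowed, c)) for s, r, c in TRAFFIC]


def keys_needed_for_outbound(target: str):
    """Whose private keys further warrants would have to name."""
    return sorted({r for s, r, _ in TRAFFIC if s == target})


def escrow_agent_signature(target: str, msg: bytes) -> int:
    """If the escrowed key doubles as a signing key, the TP's copy signs too."""
    return sign(KEYS[target], msg)


if __name__ == "__main__":
    for (s, r, m), (_, _, got) in zip(PLAINTEXTS, warrant_view("bob")):
        print(f"{s:>5} -> {r:<5} recovered={'yes' if got == m else 'no'}")
    print("further keys needed:", keys_needed_for_outbound("bob"))
    order = b"constructed payment order"
    sig = escrow_agent_signature("bob", order)
    print("TP-made signature verifies as Bob's:", verify(KEYS["bob"], order, sig))
```

Only the two messages addressed to Bob are recovered with his escrowed key; reading what he sent requires the keys of Alice and Carol, neither of whom is a target.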

Unless the Government is willing to countenance open-ended fishing expeditions in the TPs’ databases by LEAs, it is difficult to see how the proposed escrow system would work. Consider the international case: a foreign Government asking for the keys of forty or fifty prominent citizens, with no evidence against them, because they might receive a message from a local criminal. It seems unlikely that such a request would be granted.

The LEA could propose that communications with a criminal gives them the right to obtain a citizen’s keys – but, of course, all Bob has to do is send an innocuous message to a few thousand people all using their different public keys. The LEAs’ position becomes untenable.

6) Criminal communications to society

It has been suggested that it is the criminals’ communications with ordinary legal citizens that can shed light on their activities. However, in the end criminals are going to be careful with messages to ordinary people. It seems unlikely that they would incriminate themselves. As noted above, criminals can also undermine the value of these communications to the LEAs by blanket-mailing thousands of people.

7) The value of covert monitoring

It has been stated that communications monitoring is essential for successful LEA operations. For example, Bayse (Assistant Director, FBI Technical Services Division) has said in [8], with regard to telephony legislation: ‘Indeed, for many types of serious and life-threatening crime, electronic surveillance is the only viable tool for law enforcement to use.’ (Italics his.)

In general, telephone tapping has been taken as the model for the future of interception and deciphering of encrypted communications, especially with regard to its validity. In other words, how useful has telephone bugging been to the law enforcement agencies? Presumably the answer to this would give an estimate for the value of key escrow, in terms of making encrypted information available to the LEAs.

Unfortunately, there seems to be very little objective evidence for the value of wiretaps; in fact, it would seem essential that the LEAs should provide the evidence to support their case for key escrow, especially if they want further legislation which removes the right of individuals to privacy. It should be a relatively simple matter to ascertain the number of warrants for telephone taps in a certain period, and the number that then supplied evidence in court, with the number of successful prosecutions (or even the number that contributed to operational intelligence).

There also is no evidence relating law enforcement effectiveness to wiretapping at the gross level: countries of the developed world use greatly different levels of wire tapping, ranging from almost zero in Japan up to the (apparently) relatively high levels in the UK and USA. It would seem to be invidious as well as impossible to attempt to list the world’s countries in order of law enforcement effectiveness in relation to wiretaps (despite Denning’s attempt in [9] to suggest that Japan suffers from a larger corruption problem than the USA!).

Interestingly Freeh, another Director of the FBI, made the following comments in [10]:

‘Today, this kind of debate continues in Washington and around the world on encryption. Again, at this point we can't point to a proliferation of examples where encryption, unbreakable encryption, has caused the loss of lives or shut down major investigations. But we know, with great certainly, that if that problem is not dealt with very quickly, the time will come that, as robust encryption proliferates without any recovery systems, law enforcement and national security will clearly be at risk.’

Thus there is no evidence that LEAs do require access to escrowed keys: only opinion that such access is necessary. Whilst the position should be monitored, and the debate continued, there is a simple recommendation: LEAs should justify their position on key escrow, and give evidence for it.

8) Technology and LEAs

Another argument frequently put forward is that cryptographic technology is new, and disadvantages the LEAs. However, we live in a world where the technological landscape is constantly changing and evolving. Not every technological advance will be beneficial to the LEAs, nor should this be the case. Otherwise, the final outcome will be a completely controlled society, with all power resting with the authorities.

The LEAs have been helped by a number of new technologies; the following three examples just give a flavour:

  1. Bugging technology is now very effective. Thus whilst LEAs may have difficulty in deciphering an intercepted communication, they can always bug the end at which it is read.
  2. Computer technology now provides very effective audit trails. Thus whilst a person can electronically steal from a bank, it is usually impossible to conceal the crime. These large and systematic audit trails are of enormous benefit to the LEAs.
  3. Computer technology gives the LEAs great powers of structured storage and analysis: they can build large databases on criminals, their behaviour and their investigations which are an invaluable tool in the fight against crime.

In general, 20th century technology has helped LEAs at least as much as it has hindered them, and I believe that if anything LEAs have gained more than they have lost. Naturally, being human, LEAs will attempt to tip the balance as much in their favour as they can, and will try to outlaw technologies that make their investigations more difficult. However, balance is essential, and key escrow should not be enforced.

9) Conclusions on key escrow

Because of all the arguments given here, it is believed that key escrow is inappropriate, would not work, and requires more evidence as to its value. We recommend that key escrow, and the use of TPs, be made entirely voluntary, mostly for data recovery reasons.

4) Data Recovery

Organisations may wish to make use of key escrow for the purposes of data recovery. However, this should be part of their normal business operations and not be made mandatory, as indicated in the conclusions to the key escrow section. One important point to note is that TPs are not required for data recovery key escrow: many businesses can easily implement such systems in-house. Thus the recommendation in response to paragraph 82 is that the legislation should simply make provision for private contracts to allow access to cryptographic keys, and extend the current legislation that allows information access in the case of civil dispute (where legislation allows records to be revealed now, then the owner can be forced to reveal them if they are encrypted).

5) Key Delivery to LEAs

TPs will have to provide the LEAs with keys within one hour of the presentation of a validated warrant. This seems a very onerous condition, especially as the warrant could be asking for hundreds of keys. In addition there will be an international dimension, and in Annex B, paragraph 8, it is stated ‘It is recognised that this sort of procedure will introduce some delays into the process of obtaining keys, but that these should be considerably less than those which would arise from the provision of plain text’. Thus if the Government admits that delays can occur in international cases, it cannot expect TPs to yield keys in unreasonable times.

However, we hope that TPs will not need to give up keys at all, and thus the recommendation with regard to paragraph 81, regarding electronic warrants and key delivery is straightforward: it is perfectly acceptable to set such a system up as long as key escrow is not mandatory.

In conclusion, it has been demonstrated that TPs are neither necessary nor sufficient for the functions as proposed. As it is also not clear what services they will provide, and it is likely that not all TPs will provide the same services, it is believed that their use should be voluntary. In addition, the market should determine their development.

Licensing

As noted above, TPs will provide different services which are currently difficult to define. For example, time stamping can clearly be seen to be essential, but so is key revocation (which is not mentioned in the DTI document at all and is crucial if digital signatures are to have validity). I believe that TP services will develop as the market develops and experience is gained.

This means that one single licence for all TPs may not be possible. Thus consideration should be given to more than one sort of licence for TPs. In addition, the Government believes that the market will decide if TPs will be used or not (paragraph 42). In that case, the market should be as little regulated as possible. The recommendation is that unlicensed TPs providing services to the public should be allowed, and operate alongside licensed ones. This will have the following benefits:

  1. There is likely to be greater innovation (so far most of the cryptographic running has been made by small companies, not large ones).
  2. It allows development of TPs from small, unlicensed ones to large, licensed ones.
  3. The assumed model in the DTI document – that TPs will be large, central, organisations – may be inaccurate. TPs may develop as webs, with strong local contacts and a distributed infrastructure. The licensing regime as proposed makes assumptions, and may well throttle development of the TP market.

Gladman [1] has also pointed out that under the current proposals, if one friend supplies another with a key, then a service has been provided and both have broken the law (one is providing a prohibited service, and the other is a knowing accomplice). Clearly any legislation must deal with this, and allowing unlicensed TPs deals with the whole issue quite effectively.

In essence, we believe that the market should be as deregulated as possible. Licensing, which may well have benefits in conferring quality levels on TPs, should be evaluated in an open market. We thus recommend that licensing be voluntary, and consideration should be given to more than one license type, as TPs may provide very different services.

The DTI document also asks for comments on other aspects of licensing; here are the recommendations:

  1. Paragraph 50 asks about exclusions for intra-company TPs; the recommendation is that the licensing of intra-company TPs should be completely voluntary (as for all TPs).
  2. It is difficult to respond to paragraph 65, as not all the licensing conditions are listed (some are yet to come, paragraph 64). The recommendation is that where TPs voluntarily license, the conditions should apply to quality, delivery and security levels. How these levels are achieved is up to the TP: it just has to demonstrate that it can achieve them.
  3. Paragraph 70 asks about specific exemptions. These are not needed as TP licensing is voluntary.
  4. In paragraph 71, the licensing of services to foreign businesses and citizens should be voluntary, as should the licensing of foreign TPs. This is especially important as it gets around another problem in paragraph 72, where it is proposed that the advertising and marketing of an unlicensed foreign TP will be made illegal. It is not believed that this is possible: does the Government propose to censor every web site and every imported computer or lifestyle magazine?
  5. Lastly, the DTI ask for comments on ITSEC evaluation (Annex C): it is recommended that this too be made voluntary, in the free market that we are envisaging. TPs may find it beneficial to undergo ITSEC evaluation, but that is a matter for them.

Liability and Appeals

In paragraphs 86 to 89 strict liability is proposed, and appeals and the Tribunal are covered in 90 to 93.

The strict liability proposal is probably acceptable, with a relatively low limit, for a new market (comment from Kelman [11]). However, there are a few provisos:

  1. It should not be used as a mechanism to allow LEAs to avoid the consequences of any misdeeds.
  2. Clients should be encouraged to insure themselves against compromise by the TP.
  3. The strict liability provisions should be reviewed as the market develops.
  4. The strict liability legislation will have to make it clear what the effects are. For example, Alice has a contract with an insecure TP and is using a symmetric secret-key protocol. While Alice is communicating with Bob, a criminal manages to get Alice’s (and thus Bob’s) key from the TP. The criminal uses the information to seriously damage Bob’s business. What redress has Bob against the TP? The contract is with Alice, not Bob. It may be that Bob’s redress is actually against Alice, but any legislation needs to clarify the position.
  5. Building on this case, it is believed that deliberate and/or negligent exposure of a client’s key should be a specific criminal offence.
  6. The legislation must deal with compromised certificates and TP liability with regard to these; especially for the case when a TP issues an erroneous or fraudulent certificate.

With regard to the appeals body as proposed in paragraph 90, TPs should be allowed to appeal against licensing decisions (where they have voluntarily applied to be licensed), and such a body should be created.

To help enhance confidence in the system, the proposed independent Tribunal should be created. If the proposed Tribunal found against an LEA, then the injured party (which depending on circumstances could be the client, the TP or an insurance company) should be able to sue for redress.

Subject to the comments above, I generally agree with the proposals in regard to the strict liability, the appeals body and the Tribunal. I also believe that unauthorised key exposure should be made a criminal offence. However, it is likely that a considerable amount of further analysis and discussion is needed before the legislation can be framed to cover these areas.

 

Digital Signatures

It is clear that TPs have a huge potential role in the storage and management of large public key databases, and can supply certification to certain levels of security (subject to comments above). This infrastructure support may well allow the use of digital signatures to proliferate, to the benefit of society as a whole.

In paragraph 54 comments are requested on legislation and digital signatures. The following are recommended:

  1. Some form of rebuttable presumption should be established in legislation, so that the use of a digital signature is as valid as a written one.
  2. The legislation will also have to cover the validity of hash functions (as it is usually these that are signed, rather than the documents themselves).
  3. The legislation should also define some of the properties of a valid digital signature, such as that it must be time-stamped and have some form of attached certification.
  4. There must be a method for key revocation, so that people effectively ‘tear up’ keys that have been compromised, again incorporating time stamps and certifications.

In addition, a key item in this area will be training of the public and businesses. The implications of an electronic signature will be that it is legally binding, so people must be trained in the usage of the technology and the protection of their keys. Otherwise failure in usage could completely undermine the effectiveness of electronic signatures. With these provisos, I fully support Government legislation aimed at enhancing the validity of electronic signatures.

 

OECD Policy Guidelines

The OECD has released a set of eight principles [12], which are discussed in paragraphs 18 to 27, and actually listed in paragraph 24. An excellent analysis is also given by Baker [13]. In the OECD guidelines it should be noted that proposal 6, Lawful Access, is much weaker than proposal 5, Protection of Privacy and Personal Data (a ‘may allow lawful access’ phrase versus ‘The fundamental rights of individuals to privacy . . . should be respected’). In general the OECD policies are more balanced towards the privacy of the individual than the DTI proposals.

Given that the OECD represents a consensus of a number of nations, and given the concerns with the DTI proposals already covered, it is strongly recommended that the OECD policy guidelines be fully implemented in the Government proposals. In addition their balance should be followed in respect of privacy rights.

This should also encourage international agreements with regard to encryption, as the OECD document represents a communal position, with the following benefits:

  1. Where useful, it will be easier to set up international webs of TPs.
  2. It will lead to reduced barriers between Governments over encryption matters.
  3. The export controls on cryptographic products will be reduced.
  4. A free market in cryptography will develop, to the benefit of all.

References

[1] B Gladman, Updated UK Proposals for Licensing Encryption…, http://www.seven77.demon.co.uk/updated.htm

[2] C M Ellison, Establishing Identity Without Certification Authorities, http://www.clark.net/pub/cme/html/idnocert.htm

[3] NIST, A proposed federal information processing standard for digital signature standard (DSS), Tech Rep FIPS PUB XX, National Institute for Standards and Technology, Aug 1991. DRAFT.

[4] Who Holds the Keys: The Digital Signature Standard, Communications of the ACM, July 1992, Vol 35, No 7, pp 36-40.

[5] G J Simmons, Subliminal Communication is Easy Using the DSA, EUROCRYPT 93, Springer-Verlag, 1994, pp 218-232.

[6] B Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996, pp 534-536.

[7] W Diffie and M E Hellman, New Directions in Cryptography, IEEE Trans on Information Theory, 1976, 22, pp 644-654.

[8] W A Bayse, To Tap or Not to Tap, Communications of the ACM, March 1993, Vol 36, No 3, p 35.

[9] D Denning, To Tap or Not to Tap, Communications of the ACM, March 1993, Vol 36, No 3, p 44.

[10] L J Freeh, Speech to the 1997 International Computer Crime Conference, New York, 4 March 1997, http://www.fbi.gov/dirspch/compcrim.htm

[11] A Kelman, crypto/general2 #276, Compulink Information Exchange.

[12] OECD Council, Cryptographic Policy Guidelines, 27 March 1997, http://www.oecd.org/dsti/iccp/crypto_e.html

[13] S Baker, Decoding the OECD’s Guidelines for Cryptographic Policy, http://www.steptoe.com/comment.htm

 

Appendix 1

The DTI document is structured as follows:

  1. There is the Ian Taylor foreword, whose key paragraph has been given in the text. After the usual contents, there is Section 1: Introduction, concerned with the background, the structure of the document and the process.
  2. There is then Section 2: Government Policy Framework. This sets the tone for the rest of the document. Paragraph 15 covers the need for security balanced against the individual’s right to privacy; Paragraph 16 covers the need for licensing; and Paragraph 17 fundamentally defines the ‘trust’ and escrow parameters of the future licensing regime.
  3. Section 3 covers international initiatives, especially EU and OECD developments.
  4. Section 4 covers cryptography; however, it is not a dry section. Paragraph 34 describes trust for a TTP; paragraphs 35, 36 and 37 describe the importance and justification of key escrow; paragraph 38 covers (briefly) exportation.
  5. Section 5 is about the ‘Trusted Third Parties’. Paragraph 39 is crucial: it actually defines their function (with paragraphs 40 and 41 building on it: paragraph 41 also refers to ‘Annex E’, which covers international issues). Paragraph 42 expands on the benefits.
  6. Section 6 is entitled ‘Structure of the Proposals’. It goes much further, and is the meat of the document. Much of this submission is concerned with it. The following make up the section:

  1. Paragraphs 90 to 94 discuss appeals.

Section 7 is the request for comments, with a paragraph listing.