Mr Nigel Hickson
Information Security Policy Group
CIID
Department of Trade and Industry
Room 224
151 Buckingham Palace Road
London
SW1W 9SS

28 May 1997

Dear Nigel,

Subject: Licensing of TTPs for the Provision of Encryption Services

The following is my personal response to your Public Consultation Paper.

  1. General Comment

    2. I was very pleased to see this bold attempt by the DTI to seek consultation and comment from a wide audience on this important issue. I believe that this issue is critical for the economic future of the UK; electronic commerce and the development of new network-based public services is clearly set to become a major contributor to UK economic growth over the next decade. The DTI has a very important role to play to ensure that the potential benefits for the public, for SMEs and for government can be realised promptly and in a safe manner, and I believe this Consultation Paper is a constructive step along that road. As I understand it, the DTI’s attention is aimed primarily at the needs of the public and SMEs rather than at the needs of larger corporates. This is exactly as I would wish to see it, and I wholeheartedly support your determination to maintain this focus despite the criticism you and the your colleagues have received of late on this issue.

    However, I would also add that the pace of commercial development today is extremely fast. A number of major commercial service providers are not going to wait for legislation to be put in place before they develop new network-based services. They believe that it will be extremely difficult for the DTI or any other arm of HMG to develop legislation that makes either illegal or non-competitive any investment they have made in infrastructure or service provision. Consequently, it is imperative that the DTI should recognise the commercial imperatives and develop its strategy around supporting the commercial health of UK industry rather than around providing interception capability. The support for interception is a burden to the DTI’s programme as well as to the main players in the marketplace, and where the major players lead the smaller industries and private users will be led.

  2. Para 15 - The ability to continue to fight serious crime and terrorism

    3. The ability of government agents to conduct effective wiretaps depends inversely on the ability of criminals and terrorists and other governments to develop and/or use strong encryption features of their own design. How does HMG propose to prevent or limit the use of non-escrowed encryption by such people?

  3. Para 17 and elsewhere - The use of the term encryption

    4. It is important that the paper and future proposals and legislation should define clearly and separate the use of encryption for confidentiality services and the use of crypto functions for non-confidentiality (i.e. authenticity) services. The control requirements differ widely for these two types of service and much of the criticism you have received could have been deflected had this separation been clearer. If a TTP provides authenticity-based services only and does not provide support for strong confidentiality services, it should still need to be licensed but should not need to meet the licensing conditions specific for confidentiality-based services.

  4. Paras 23 onwards, particularly para 25 - The OECD’s Guidelines

The OECD talks had some limited commercial representation but cannot be taken to have obtained commerce’s endorsement. Continually, when I have asked clients and attendees at my training courses if they are aware of the OECD talks and Guidelines, only the tiniest fraction of those asked have responded affirmatively. This might be more a criticism of the commercial representatives at the talks than of the OECD, but it does limit seriously the value of the talks and Guidelines.

I have a number of specific points I would like to make on the OECD talks and on Escrow schemes such as the Royal Holloway scheme, and on the initiative that I believe the DTI should now be showing. I believe they are relevant to the current discussion of TTP licensing.

The main issues as I see them are, in summary:

    1. The Royal Holloway Key Escrow scheme strongly favoured by HMG has not yet won the endorsement of UK commerce.

    2. The OECD talks nearing completion cannot be taken as implying that endorsement from UK commerce.

    3. A comparison with the banking infrastructure underpinning conventional commerce shows that the Royal Holloway scheme will not fit in well with the business infrastructure needed by electronic commerce.

    4. We all have an interest in the establishment of a TTP network which is both appropriate for electronic commerce and acceptable to the providers and users of TTP services. TTP arrangements that are not sufficiently acceptable will not be taken up by users or providers, and this would hugely disadvantage the future growth of electronic commerce in the UK.

    5. There are a number of issues that will need to be aired and agreed publicly through structured debate before any Key Escrow scheme, the Royal Holloway scheme or any other, can be established as acceptable.

    6. That structured public debate is not yet occurring. There is an urgent need for the DTI to establish that debate and to select or propose a suitable independent mediator to facilitate that debate. (Possibly, the PO would want to lend its offices for this, to be that mediator equidistant between both HMG and commerce.)

The following is a more detailed exposition of the points above, in support.

    1. The Royal Holloway Key Escrow scheme, adopted by HMG for its own messaging use, has been developed according to a particular set of requirements drawn up by HMG. These requirements are given within the Royal Holloway paper introducing the scheme. At first glance, the requirements appear to be suitable and attractive, addressing the main concerns of each of the Commerce and Law Enforcement communities. However, to my knowledge, these requirements have not been tested formally against the needs of commerce or endorsed by commerce. So far, what public comment there has been on the scheme has tended to be negative though much of this comment can be dismissed as not objective.

    2. The OECD discussions, the primary forum for inter-governmental discussions of Key Escrow arrangements, include representatives of UK commerce. However, this should not be taken to indicate UK commerce’s endorsement of the output of the OECD discussions. Both the representatives of HMG, the DTI in particular but CESG too, should be concerned to ensure that the output of these OECD discussions achieves representative, effective and committed endorsement from UK commerce. The DTI’s objective is to promote the development of e-commerce in the UK to the benefit of UK companies. This will not be achieved by trying to introduce Key Escrow arrangements that are not fully acceptable to users or providers.

    3. To see that CASM will not be well suited for working with electronic commerce, we should look to see how well it maps on to the business infrastructure and business relationships we might expect would be needed to support electronic commerce. And we can anticipate what business infrastructure and business relationships will be needed to support electronic commerce by looking at the business relationships and infrastructure supporting conventional commerce today (today’s banking networks). For this, look at how ordinary shopping works:

      4. A shopper goes into a retailer’s store, purchases some goods, and, instead of paying by cash, leaves behind a promissory note of some form (usually a cheque or a coupon made up from the shopper’s plastic card). Then she walks out of the store with the goods in hand. Even though the shopper hasn’t given the retailer cash, the retailer is prepared to let the shopper walk out of the store with the goods. This works because the retailer trusts the promissory note the shopper leaves behind. He has confidence that he will receive the right payment at the right time (the next day, perhaps, or three days later) on the basis of that promissory note. The banks collectively provide the retailer with this confidence, and in doing this, will in most cases carry the financial liabilities should the transaction go bad.

      The shopper trusts his bank. He receives a cheque book and plastic cards from the bank, and pays the bank any agreed annual charges or fees for services provided. The retailer trusts his bank in a similar way. Neither needs to have any particular knowledge of or trust in the other party’s bank (other than that the retailer needs to be happy that the cheque or plastic card presented by the shopper looks to be a valid one, preferably one issued by a familiar UK bank). The shopper expects her bank, working in co-operation with the others, to protect her from any attempt by the merchant at merchant fraud, and to sort out any liability issues should there be a successful fraud. The merchant expects his bank, working with the others, to collect the funds from the shopper and to protect him should the shopper not have the funds to back up the shopping transaction. Neither party to the transaction needs to have a prior business relationship with the other, or a business relationship with the particular bank backing the other party. Neither party is at any risk from any errors, omissions, misuse or abuse by the other bank, and each assumes that its bank is able to protect it from any such errors, omissions, misuse or abuse as might occur.

      At this point, we can see the difficulty with the Royal Holloway scheme. E-commerce needs essentially the same type business relationships and trust infrastructure to exist between the parties and their TTPs as exists today between the parties and their banks for conventional commerce. And the Key Escrow overlay to this e-commerce transaction needs to fit within the same or similar model of the commercial arrangements, even if it is provided as a separate layer of infrastructure and provided by a different set of organisations, not the Banks. Shoppers and retailers will not be prepared to work with a set of business relationships which is fundamentally different from those they have grown up with in support of conventional commerce over many decades.

      The fundamental requirement of the business relationship between a transacting party and its TTP is that the party will expect the TTP from which it takes the service to protect it from any errors, etc. committed by any other TTPs. Yet under the Royal Holloway scheme this will not be possible. One TTP will not know, let alone be able to protect its customer, if the other party’s TTP discloses confidentiality keys improperly. At least with the financial networks, someone suffering damage (such as a wrongly charged credit transaction) would be aware of the situation and could initiate directed action to obtain appropriate redress. How would a TTP be able to provide effective protection for the damaged party if neither the TTP not its customer had any way of knowing that they had been the target, direct or indirect, of an unauthorised key disclosure?

      Surely it would be better to design a different Key Escrow scheme, one that fitted more naturally onto the business relationships between the transacting parties. As well as being a more appropriate fit (and, thereby, being more efficient and effective), it would likely be more readily acceptable to the potential providers and users than a Key Escrow scheme which was not well matched to the commercial needs. And a properly fitting Key Escrow scheme would allow electronic commerce to become rapidly and broadly established, to the benefit of the UK’s general commercial and trading health.

    4. The above discussion shows the need for a structured public debate on the issues relating to Key Escrow schemes. We take it as given that we all (government, commerce, providers and users) have an interest in the establishment of a suitable and acceptable TTP infrastructure for e-commerce. We need to consider what is required to achieve that goal. What is required is to establish one or more Key Escrow schemes that are acceptable to all parties and that support each party’s legitimate interests and address their main concerns. UK commerce will not support a scheme or schemes that it has not had a chance to review critically. It will not accept the Law Enforcement objectives as legitimate until they have been discussed in open forum. And it will not accept that HMG properly understands its business objectives until it has discussed them with HMG in open forum. Consequently, it would appear that a structured public debate of the issues is needed, to agree around the table the requirements for a Key Escrow scheme or schemes, and to achieve the support of the potential users and providers of services under the scheme(s).

    5. There are a number of issues that need to be aired in this debate. Some of these should require little more than rehearsal of the issues to ensure that everyone around the table agrees on what should be widely and readily acceptable principles. Others will be more hard fought. I suggest the issues are these:

    1. Does commerce and do private individuals accept that HMG has either a legitimate right or a duty, in principle, to control the crypto techniques available to commerce and private individuals.

    2. What in particular are the Law Enforcement community’s control objectives, and if these are not already fully acceptable to commerce and private individuals, what would be needed to make them so?

    3. There will always be some people who refuse to accept the legitimacy of any government role in controlling the use of encryption technology. How will their public criticisms be handled to minimise any embarrassment or discomfort to those that are prepared publicly to accept the principle of government controls.

    4. Is Key Escrow the best or the only way forward. We have tried living with export controls based on limiting the strength of the crypto techniques that can be exported. We are now working with Key Escrow as an alternative control approach. Is there a third option we should be discussing?

    5. Is it necessary for the community to agree on one Key Escrow scheme or could we enjoy several schemes working alongside each other, each aimed at a particular community (for example, one for financial services, one for GPs, one for the legal profession) or different set of requirements.

    6. How realistic are the fears and needs of commerce and Private Individuals, and what requirements on the Key Escrow schemes do these lead to?

    7. Is there any reason not to expect that, provided we can get agreement around the table on a particular set of requirements, we could design a suitable and acceptable Key Escrow scheme to match those requirements?

    8. Who should sit around the table to achieve agreement on the requirements for a UK Key Escrow scheme? I suggest the list should include at least:

    1. What controls are required on the servicing of Interception Warrants to ensure that the users of Key Escrow-based TTP services can trust the procedures for the disclosure of keys or data. Sceptical users will need to be convinced that keys are not being, and cannot in future be, disclosed to unauthorised people or disclosed in an improper way.

To my knowledge there is currently no forum in which these issues are being discussed in a way that would achieve widespread agreement from the prospective provider and user communities. It is essential that this be taken forward urgently. There is an important task for the DTI to play here, in its role as the department for promoting UK commercial and trading health. The DTI should establish these talks, and should assist in the selection of a suitable facilitator/mediator for these talks. The mediator should not be from government circles, in order to avoid later accusations that the talks were biased. It should be either a respected individual of high stature from commerce, or someone drawn from an organisation that is equidistant between HMG and commerce. (Possibly, the PO would fit this role?)

If the DTI believes that it would be valuable to have the widest possible agreement on both the requirements for law enforcement access to encrypted private communications and on the manner by which such access is to be obtained (and I believe strongly that such agreement is necessary for real progress to be made), then the DTI should urgently set up a forum for obtaining that agreement. That forum should have representatives from both sides of government (the DTI and Law Enforcement), both sides of the commercial constituency (service purchasers and service providers) and representatives of the private user (one of which should be a civil liberties representative). This would not be an easy forum to moderate, but it is essential that the various parties around the table should try to agree the legitimacy of the users’ requirement for access to strong encryption and the government’s requirement for the ability to conduct wiretaps, and agree a set of requirements for how such agreed access should be obtained and controlled.

Back to the main thrust of my response

  1. Para 36 - The commercial need for Key Recovery

    2. TTPs might offer Key Recovery as a commercial service, but it is not at all clear that there would be a commercial requirement for such a service. I have come across no commercial systems that require the recovery of communications keys, and where there has been a requirement for the recovery of storage keys there have been other ways in which the user’s key recovery requirement can be met. For example, by using key back-ups on diskette stored in a safe under dual control, as has been used by Banks and others for many years. Though I can see the attraction to HMG of dressing up Key Recovery of communications keys as a valuable user requirement, performing Key Recovery in a way that facilitates law enforcement access is fundamentally a law enforcement requirement and not a user requirement, and should be presented clearly as such.

  2. Para 41 - Trust agreements between TTPs

    3. It is important to realise that, in the early days at least, many TTPs might not interoperate with other TTPs. The TTP network will grow from the bottom up not from the top down. Individual service providers will set up TTPs to serve their community’s needs. For example, this could be the GMC setting up a TTP for GPs, the Law Society setting up a TTP for Solicitors, a Telco setting up a TTP to establish a VPN or a bank setting up a TTP for its electronic service customers. These might start off as stand-alone TTPs unconnected to other TTPs. Only when the business logic requires it will these TTPs start to interconnect and need inter-TTP trust relationships. Then the interconnections might be established to support only specific services and not to provide general support for all services. Any legislation must recognise this and apply licensing requirements only at the appropriate places in the infrastructure.

  3. Para 42 - Interoperability between different products

    4. It is not sufficient to say boldly that interoperability between products is not possible. Interoperability is a problem being solved rapidly in many areas, in security as well as elsewhere within the IT field, by the market-led adoption of standard protocols and market leading products. Unfortunately, this means that Microsoft and the club of Internet product providers has an enormous capability to drive the shape of those standards. Currently the IT world is adopting for its standards such techniques as SSL, MSP, and other elements of the Microsoft Internet Security Framework. These provide the crypto support and interoperability needed for most electronic commerce, without the need for licensed TTPs.

  4. Para 48 and paras 66-69 - Exclusions

    5. This, as I read it, would allow an organisation to have multiple internal unlicensed TTPs interconnected. This is an important requirement which should be retained throughout the development of any legislation. However, defining the boundaries will be problematical. Will the internal TTPs for HMG be unlicensed? Will the internal TTPs for the NHS be unlicensed? Will they be unlicensed if they support GPs exchanging secure mail with pharmacists? Will they remain unlicensed if the trust hospital has an Internet connection and is involved in pan-European pilots and projects? Will they be unlicensed if they allow a patient to book an appointment with their GP or collect a letter with test results from their GP?

    Consider further the case where a large UK enterprise had many TTPs for intra-group traffic and had occasional links to external organisations. For those external links, it would need to utilise licensed TTPs. The legislation must allow the enterprise to have to license only those TTPs involved in providing the external links, and then only for those parts of its operations that supported those external links. Otherwise the company would have to operate two TTPs in place of just one, one for purely intra-group traffic and one for the external links. This would not be well received.

  5. Para 49 - Exclusions

    6. Will the use of 3DES within Internet Banking applications be excluded under this paragraph? A number of banks already provide Internet banking using Java or ActiveX to provide the strong encryption on top of the limited encryption (40-bit) permitted within exportable browsers.

    Another consideration that can be foreseen is where the TTP provides authenticity services but not confidentiality services. The TTP will be happy to issue the user with a certificate that authenticates the user’s identity and his authentication public key. The user can then generate multiple key pairs for himself for use in different relationships and services - one for writing digital signatures on documents at work and one for writing digital signatures in a private capacity at home, one for exchanging encryption keys in a work context and one for exchanging encryption keys in a private context. Each of the four public keys can be self-signed by the user using his authentication private key. Any interlocutor could verify the self-signed public keys using the TTP-issued (and therefore trusted) authentication certificate. Hence, a TTP in service to provide authenticity only would in fact be providing all the infrastructure support needed to enable the end user to use strong encryption. How would this use of the authenticity infrastructure be separated out from any other use that might be made of it?

  6. Para 53 - Electronic Signatures

    7. There are some major liability issues to be worked out relating to the issuing of certificates, and liability in conventional commerce is currently resolved in different ways for different types of business model. The views being sought here will vary according to the business model under consideration and will depend on the allocation of liability between service provider and service purchaser deemed mutually appropriate to each.

  7. Para 55 - Foreign TTPs

    8. Any TTP able to provide a service over the Internet will be capable, in principle, of offering and providing services to UK users, and might not be able reliably to identify when the user is in the UK and when not. One can foresee the development of "Offshore" TTPs able to provide services to users anywhere in the world and outside any bilateral reciprocity arrangements.

  8. Para 72 - Prohibitions

    9. Currently there are no prohibitions on the domestic supply and use of strong encryption. If the intention is to introduce a new restraint on this, it will need a clear positive case to be made.

  9. Para 77 - Legal Access

    10. The central repository could play a positive role in sustaining the public’s confidence in the Key Recovery arrangements if it were to provide to the law enforcement agency only the decrypted data rather than the key. A natural concern of all users will be that the law enforcement agency should not be able to access information outside the scope of the warrant, and that cannot be done with the release of a key rather than of the data. A central repository would be an intermediary between the TTP and the law enforcement agent, and would be capable of enforcing independently the scope of any warrant.

  10. Para 81 - Electronic Warrants

    11. The TTP will need to have a strong way to validate the warrant and authenticate its source. A secure electronic method based on the use of digital signatures may well be the only way to achieve this effectively.

  11. Paras 86-88 - Liability

As mentioned above, liability is an important issue that will have to be dealt with in a context-specific manner according to the business model appropriate to the context. Financial liability around the provision of financial services will be the easiest group of issues to resolve. However, that will not of itself be simple. Consideration will have to be given to the liability of a TTP issuing a certificate to a user in the name of someone else (a masquerade by the user, but not necessarily for fraudulent intent), or with privileges that the authentic user is not authorised to claim. More difficult to resolve will be the TTP’s liability if it has issued a certificate to a user who has generated his own key pair but one that is weak and easily broken.

What liability for the TTP if it has issued a certificate wrongly and that has led to the death or serious injury of a third party?

How would damages be determined for the disclosure of a secret confidentiality key by the TTP?

I hope these comments and questions are of use. I would be happy for these to be added to the public record, and to enter into further discussions on these or related issues should that be of interest.

Yours sincerely

[Signature]

Dr John Leach