Dear Nigel,
Subject: Licensing of TTPs for the Provision of Encryption Services
The following is my personal response to your Public Consultation Paper.
I was very pleased to see this bold attempt by the DTI to seek consultation and comment from a wide audience on this important issue. I believe that this issue is critical for the economic future of the UK; electronic commerce and the development of new network-based public services is clearly set to become a major contributor to UK economic growth over the next decade. The DTI has a very important role to play to ensure that the potential benefits for the public, for SMEs and for government can be realised promptly and in a safe manner, and I believe this Consultation Paper is a constructive step along that road. As I understand it, the DTI’s attention is aimed primarily at the needs of the public and SMEs rather than at the needs of larger corporates. This is exactly as I would wish to see it, and I wholeheartedly support your determination to maintain this focus despite the criticism you and the your colleagues have received of late on this issue.
However, I would also add that the pace of commercial development today is extremely fast. A number of major commercial service providers are not going to wait for legislation to be put in place before they develop new network-based services. They believe that it will be extremely difficult for the DTI or any other arm of HMG to develop legislation that makes either illegal or non-competitive any investment they have made in infrastructure or service provision. Consequently, it is imperative that the DTI should recognise the commercial imperatives and develop its strategy around supporting the commercial health of UK industry rather than around providing interception capability. The support for interception is a burden to the DTI’s programme as well as to the main players in the marketplace, and where the major players lead the smaller industries and private users will be led.
The ability of government agents to conduct effective wiretaps depends inversely on the ability of criminals and terrorists and other governments to develop and/or use strong encryption features of their own design. How does HMG propose to prevent or limit the use of non-escrowed encryption by such people?
It is important that the paper and future proposals and legislation should define clearly and separate the use of encryption for confidentiality services and the use of crypto functions for non-confidentiality (i.e. authenticity) services. The control requirements differ widely for these two types of service and much of the criticism you have received could have been deflected had this separation been clearer. If a TTP provides authenticity-based services only and does not provide support for strong confidentiality services, it should still need to be licensed but should not need to meet the licensing conditions specific for confidentiality-based services.
The OECD talks had some limited commercial representation but cannot be taken to have obtained commerce’s endorsement. Continually, when I have asked clients and attendees at my training courses if they are aware of the OECD talks and Guidelines, only the tiniest fraction of those asked have responded affirmatively. This might be more a criticism of the commercial representatives at the talks than of the OECD, but it does limit seriously the value of the talks and Guidelines.
I have a number of specific points I would like to make on the OECD talks and on Escrow schemes such as the Royal Holloway scheme, and on the initiative that I believe the DTI should now be showing. I believe they are relevant to the current discussion of TTP licensing.
The main issues as I see them are, in summary:
The following is a more detailed exposition of the points above, in support.
A shopper goes into a retailer’s store, purchases some goods, and, instead of paying by cash, leaves behind a promissory note of some form (usually a cheque or a coupon made up from the shopper’s plastic card). Then she walks out of the store with the goods in hand. Even though the shopper hasn’t given the retailer cash, the retailer is prepared to let the shopper walk out of the store with the goods. This works because the retailer trusts the promissory note the shopper leaves behind. He has confidence that he will receive the right payment at the right time (the next day, perhaps, or three days later) on the basis of that promissory note. The banks collectively provide the retailer with this confidence, and in doing this, will in most cases carry the financial liabilities should the transaction go bad.
The shopper trusts his bank. He receives a cheque book and plastic cards from the bank, and pays the bank any agreed annual charges or fees for services provided. The retailer trusts his bank in a similar way. Neither needs to have any particular knowledge of or trust in the other party’s bank (other than that the retailer needs to be happy that the cheque or plastic card presented by the shopper looks to be a valid one, preferably one issued by a familiar UK bank). The shopper expects her bank, working in co-operation with the others, to protect her from any attempt by the merchant at merchant fraud, and to sort out any liability issues should there be a successful fraud. The merchant expects his bank, working with the others, to collect the funds from the shopper and to protect him should the shopper not have the funds to back up the shopping transaction. Neither party to the transaction needs to have a prior business relationship with the other, or a business relationship with the particular bank backing the other party. Neither party is at any risk from any errors, omissions, misuse or abuse by the other bank, and each assumes that its bank is able to protect it from any such errors, omissions, misuse or abuse as might occur.
At this point, we can see the difficulty with the Royal Holloway scheme. E-commerce needs essentially the same type business relationships and trust infrastructure to exist between the parties and their TTPs as exists today between the parties and their banks for conventional commerce. And the Key Escrow overlay to this e-commerce transaction needs to fit within the same or similar model of the commercial arrangements, even if it is provided as a separate layer of infrastructure and provided by a different set of organisations, not the Banks. Shoppers and retailers will not be prepared to work with a set of business relationships which is fundamentally different from those they have grown up with in support of conventional commerce over many decades.
The fundamental requirement of the business relationship between a transacting party and its TTP is that the party will expect the TTP from which it takes the service to protect it from any errors, etc. committed by any other TTPs. Yet under the Royal Holloway scheme this will not be possible. One TTP will not know, let alone be able to protect its customer, if the other party’s TTP discloses confidentiality keys improperly. At least with the financial networks, someone suffering damage (such as a wrongly charged credit transaction) would be aware of the situation and could initiate directed action to obtain appropriate redress. How would a TTP be able to provide effective protection for the damaged party if neither the TTP not its customer had any way of knowing that they had been the target, direct or indirect, of an unauthorised key disclosure?
Surely it would be better to design a different Key Escrow scheme, one that fitted more naturally onto the business relationships between the transacting parties. As well as being a more appropriate fit (and, thereby, being more efficient and effective), it would likely be more readily acceptable to the potential providers and users than a Key Escrow scheme which was not well matched to the commercial needs. And a properly fitting Key Escrow scheme would allow electronic commerce to become rapidly and broadly established, to the benefit of the UK’s general commercial and trading health.
To my knowledge there is currently no forum in which these issues are being discussed in a way that would achieve widespread agreement from the prospective provider and user communities. It is essential that this be taken forward urgently. There is an important task for the DTI to play here, in its role as the department for promoting UK commercial and trading health. The DTI should establish these talks, and should assist in the selection of a suitable facilitator/mediator for these talks. The mediator should not be from government circles, in order to avoid later accusations that the talks were biased. It should be either a respected individual of high stature from commerce, or someone drawn from an organisation that is equidistant between HMG and commerce. (Possibly, the PO would fit this role?)
If the DTI believes that it would be valuable to have the widest possible agreement on both the requirements for law enforcement access to encrypted private communications and on the manner by which such access is to be obtained (and I believe strongly that such agreement is necessary for real progress to be made), then the DTI should urgently set up a forum for obtaining that agreement. That forum should have representatives from both sides of government (the DTI and Law Enforcement), both sides of the commercial constituency (service purchasers and service providers) and representatives of the private user (one of which should be a civil liberties representative). This would not be an easy forum to moderate, but it is essential that the various parties around the table should try to agree the legitimacy of the users’ requirement for access to strong encryption and the government’s requirement for the ability to conduct wiretaps, and agree a set of requirements for how such agreed access should be obtained and controlled.
Back to the main thrust of my response
TTPs might offer Key Recovery as a commercial service, but it is not at all clear that there would be a commercial requirement for such a service. I have come across no commercial systems that require the recovery of communications keys, and where there has been a requirement for the recovery of storage keys there have been other ways in which the user’s key recovery requirement can be met. For example, by using key back-ups on diskette stored in a safe under dual control, as has been used by Banks and others for many years. Though I can see the attraction to HMG of dressing up Key Recovery of communications keys as a valuable user requirement, performing Key Recovery in a way that facilitates law enforcement access is fundamentally a law enforcement requirement and not a user requirement, and should be presented clearly as such.
It is important to realise that, in the early days at least, many TTPs might not interoperate with other TTPs. The TTP network will grow from the bottom up not from the top down. Individual service providers will set up TTPs to serve their community’s needs. For example, this could be the GMC setting up a TTP for GPs, the Law Society setting up a TTP for Solicitors, a Telco setting up a TTP to establish a VPN or a bank setting up a TTP for its electronic service customers. These might start off as stand-alone TTPs unconnected to other TTPs. Only when the business logic requires it will these TTPs start to interconnect and need inter-TTP trust relationships. Then the interconnections might be established to support only specific services and not to provide general support for all services. Any legislation must recognise this and apply licensing requirements only at the appropriate places in the infrastructure.
It is not sufficient to say boldly that interoperability between products is not possible. Interoperability is a problem being solved rapidly in many areas, in security as well as elsewhere within the IT field, by the market-led adoption of standard protocols and market leading products. Unfortunately, this means that Microsoft and the club of Internet product providers has an enormous capability to drive the shape of those standards. Currently the IT world is adopting for its standards such techniques as SSL, MSP, and other elements of the Microsoft Internet Security Framework. These provide the crypto support and interoperability needed for most electronic commerce, without the need for licensed TTPs.
This, as I read it, would allow an organisation to have multiple internal unlicensed TTPs interconnected. This is an important requirement which should be retained throughout the development of any legislation. However, defining the boundaries will be problematical. Will the internal TTPs for HMG be unlicensed? Will the internal TTPs for the NHS be unlicensed? Will they be unlicensed if they support GPs exchanging secure mail with pharmacists? Will they remain unlicensed if the trust hospital has an Internet connection and is involved in pan-European pilots and projects? Will they be unlicensed if they allow a patient to book an appointment with their GP or collect a letter with test results from their GP?
Consider further the case where a large UK enterprise had many TTPs for intra-group traffic and had occasional links to external organisations. For those external links, it would need to utilise licensed TTPs. The legislation must allow the enterprise to have to license only those TTPs involved in providing the external links, and then only for those parts of its operations that supported those external links. Otherwise the company would have to operate two TTPs in place of just one, one for purely intra-group traffic and one for the external links. This would not be well received.
Will the use of 3DES within Internet Banking applications be excluded under this paragraph? A number of banks already provide Internet banking using Java or ActiveX to provide the strong encryption on top of the limited encryption (40-bit) permitted within exportable browsers.
Another consideration that can be foreseen is where the TTP provides authenticity services but not confidentiality services. The TTP will be happy to issue the user with a certificate that authenticates the user’s identity and his authentication public key. The user can then generate multiple key pairs for himself for use in different relationships and services - one for writing digital signatures on documents at work and one for writing digital signatures in a private capacity at home, one for exchanging encryption keys in a work context and one for exchanging encryption keys in a private context. Each of the four public keys can be self-signed by the user using his authentication private key. Any interlocutor could verify the self-signed public keys using the TTP-issued (and therefore trusted) authentication certificate. Hence, a TTP in service to provide authenticity only would in fact be providing all the infrastructure support needed to enable the end user to use strong encryption. How would this use of the authenticity infrastructure be separated out from any other use that might be made of it?
There are some major liability issues to be worked out relating to the issuing of certificates, and liability in conventional commerce is currently resolved in different ways for different types of business model. The views being sought here will vary according to the business model under consideration and will depend on the allocation of liability between service provider and service purchaser deemed mutually appropriate to each.
Any TTP able to provide a service over the Internet will be capable, in principle, of offering and providing services to UK users, and might not be able reliably to identify when the user is in the UK and when not. One can foresee the development of "Offshore" TTPs able to provide services to users anywhere in the world and outside any bilateral reciprocity arrangements.
Currently there are no prohibitions on the domestic supply and use of strong encryption. If the intention is to introduce a new restraint on this, it will need a clear positive case to be made.
The central repository could play a positive role in sustaining the public’s confidence in the Key Recovery arrangements if it were to provide to the law enforcement agency only the decrypted data rather than the key. A natural concern of all users will be that the law enforcement agency should not be able to access information outside the scope of the warrant, and that cannot be done with the release of a key rather than of the data. A central repository would be an intermediary between the TTP and the law enforcement agent, and would be capable of enforcing independently the scope of any warrant.
The TTP will need to have a strong way to validate the warrant and authenticate its source. A secure electronic method based on the use of digital signatures may well be the only way to achieve this effectively.
As mentioned above, liability is an important issue that will have to be dealt with in a context-specific manner according to the business model appropriate to the context. Financial liability around the provision of financial services will be the easiest group of issues to resolve. However, that will not of itself be simple. Consideration will have to be given to the liability of a TTP issuing a certificate to a user in the name of someone else (a masquerade by the user, but not necessarily for fraudulent intent), or with privileges that the authentic user is not authorised to claim. More difficult to resolve will be the TTP’s liability if it has issued a certificate to a user who has generated his own key pair but one that is weak and easily broken.
What liability for the TTP if it has issued a certificate wrongly and that has led to the death or serious injury of a third party?
How would damages be determined for the disclosure of a secret confidentiality key by the TTP?
I hope these comments and questions are of use. I would be happy for these to be added to the public record, and to enter into further discussions on these or related issues should that be of interest.
Yours sincerely
[Signature]
Dr John Leach