Sirs,

With regard to the proposals for licencing of TTPs, I am
concerned that the public consultation paper, seems to confuse
Trusted Third Parties with Certifying Agencies. They are two
separate entities and do not need to be combined.

Certifying Agencies (CAs) are authorities who check identity and
confirm it to be accurate. They then issue a signature or
certificate to confirm that the relevant checks have been made.
There is a definite need for such. There should be laid down
standards for how such firms operate. It is rather like a
solicitor who certifies that he knows an individual, and has
examined his or her driving licence/birth certificate, and signs
the back of a passport photograph and a declaration to the same
effect. The checks need to be organised in such a manner that
certification is a low cost affair.

Trusted Third Parties (TTPs) are a totally different matter. A
TTP is a body who holds the encryption key (which depending on
the crypto-system, may also be the digital signature) of an
individual. The idea that such should be done and the key made
available to Government or anyone else without the knowledge of
the key owner is totally abhorrent in any free society. That this
is to be done in the name of law enforcement is, to say the
least, laughable. Do you really expect all potential lawbreakers
to deposit their keys with the TTP? Perhaps there should be a
register for all potential criminals, to which they should
register first before law-breaking! Both suggestions have about
the same chance of being enforcable. All your proposals will do
is to provide facilities for snooping on law-abiding citizens.
1984 has passed, but it appears that we are drawing nearer to the
idea of Orwell's 'Thought Police'. I lock my house when I leave
it, but I certainly do not deposit the keys with any designated
authority, which has powers to release them without my knowledge.
Would you? 

The idea of depositing such information where it can be accessed
by a corrupt employee is questionable. It is already common
knowledge that confidential information held by banks and credit
card companies on an individual can be purchased on the black
market. There have been many cases exposed in the media over the
last few years. Your proposals will create a similar illegal
market in encryption keys.

You will no doubt receive further comments from businesses
expressing their grave concerns, which are different to that of a
private individual.

I certainly will not deposit my secret cryptographic key with a
designated TTP, voluntary or mandatory. Should you therefore
consider that the next step may be a register of potential
criminals, you had better register my name there.

Law-abiding up until now.

Yours faithfully,

Noel Bell