Compulsory Licensing


In the 1997 consultation paper, the DTI proposed to make the licensing of TTPs compulsory. Having licensed TTPs is a Good Thing. Insisting on compulsion is a Bad Thing.

Before we can examine this, we'd better start by examining the proposals and so determine exactly what they mean. I then give an example of the use of encryption, which shows how various services are used. Some of these services are then examined in detail to see how licensing affects them. In particular I cover Identity services, Timestamping and Key Servers. Finally I draw some Conclusions.


What the DTI proposed

para 72 of the consultation paper reads...

The legislation will prohibit an organisation from offering or providing encryption services to the UK public without a licence. Prohibition will be irrespective of whether a charge is made for such services. The offering of encryption services to the UK public (for example via the Internet) by an unlicensed TTP outside of the UK will also be prohibited. For this purpose, it may be necessary to place restrictions on the advertising and marketing of such services to the public.

This looked straightforward - if you offer services, then the DTI would insist that you have to have a license and you have to be in this country. The licensing criteria, set out elsewhere in the paper, look pretty daunting, so I think it would be safe to rule out the continued existence of free services.

However, it turned out to be rather hard to understand what was being proposed - which was a bit of a shame for a consultation paper! It all turns on what "encryption services" might be, and there the DTI fell over its own feet.

para 45 tells us with a certain amount of bold text

The legislation is directed solely towards the provision of encryption services to subscribers in the UK and not the use of encryption.

This sounds good - we can all use encryption without problems, but again what are these services... so off we go to para 74 for the definitive answer.

Encryption services is meant to encompass any service, whether provided free or not, which involves any or all of the following cryptographic functionality - key management, key recovery, key certification, key storage, message integrity (through the use of digital signatures), key generation, time stamping, or key revocation services (whether for integrity or confidentiality), which are offered in a manner which allows a client to determine a choice of cryptographic key or allows the client a choice of recipient/s.

OK - so now we know! The stuff at the end about "choice of cryptographic key" and "choice of recipients" is to try and exclude pay TV or home banking from the legislation. Most of the other terms are defined in an appendix to mean what you'd expect them to (apart from key recovery, which the DTI confuses with key escrow in a very dubious manner). The appendix fails to explain what "key storage" is, which is inconvenient because it's an important point.

What the DTI proposals mean

But let's leave the fine print for a while... the broad sweep is clear. The DTI is saying that you will be able to use encryption as much as you wish, but you can't offer a service - even for free - which involves certifying keys, storing keys, signing things or time stamping them without becoming a TTP.

Some people have read the proposals as being all-encompassing, and have suggested that the DTI has made a fool of itself by making you become a TTP if you sign a friend's PGP key or publish your own key on a web page. I think that's overstating it: the first case is clearly not a service - but it might be if you offered to sign the key of anyone who showed you their passport. The second case hinges on what "key storage" is, which you'll remember was never defined. Some have argued that it is "obvious" that "key publishing" will be exempt - viz, you can just make the keys available without promises of any kind. They suggest that "key storage" is something to do with keeping private keys in locked boxes. The DTI remained uninformative.

However, even without taking an extreme view of what these proposals mean, it is quite clear that the practical day-to-day use of encryption (which you'll recall the DTI is trying not to affect) actually involves the use of lots of these encryption functions. We'll see how this happens in the next section by looking at a practical example.

Example use of encryption

Let us suppose that I am a user of PGP, a well-known piece of encryption software, and I want to order a book from a computer bookshop. I'll be sending my credit card number, which would be best kept private, and I'd also like to be placed on the bookshop mailing list for information on upcoming Star Trek titles. I'm slightly embarrassed by this interest, so I'm grateful that the shop sends this sort of personal information encrypted for my eyes only.

I start by asking a key server for the bookshop key so that I can send them an encrypted message. I will then tell them who I am (expressed as an email address). When they write back, encrypted, to me twice a year with the new titles list they will use a key server to look up my current key.

Besides encrypting what I send, I electronically sign the order, so that the bookshop can assure the bank that it was me that sent the order, and not someone else who knows my credit card number. If my key was compromised in the future it would make all my signatures worthless (because people could forge messages from the past), so I use a time stamp service which gives a record that the document and signature existed "now".

Whenever the bookshop or I fetch keys from the server, we check that they were signed by someone appropriate which might be my bank manager or WeCheckCarefully Ltd, a company which has verified my identity.

All the services used, key storage on the servers, signing of keys, time stamping, indeed the generation of the keys I am using in the first place are all done today for no charge and with a great deal of integrity. The DTI is proposing to only allow these services to be provided by a TTP. It is nice to think that they may be provided "better", but it is a long way from being necessary.

We'll now examine these services in turn...

Identity services

If "WeCheckCarefully Ltd" signs my key to say that they have taken a great deal of trouble making all sorts of checks to ensure that the key really does belong to "Richard Clayton, 10 Acacia Avenue, Surrey" (or whatever they decided "identity" really is -- a complex question in itself) then that is a useful service, and if I want this sort of signature today, I have to pay a few dollars for it. Identities with less stringent checks are free. You get what you pay for!

It would be even more useful in the future if you could go to a DTI web page to check WeCheckCarefully's key (or get their key over the counter at the local Post Office, or see it published in a press advert, or have it provided in the innards of your email software). So WCCL is almost certain to want to become a licensed TTP because it means that their service is more useful (and I expect that they will then charge a few dollars more for it).

Note that the licensing is desirable for the authentication service - not for anything to do with the crypto per se.

However, my employer, my university, or my bank manager might also wish to certify my key - as an indication that I am employed, or studying or a customer. This is something which they might wish to do for free, as much for their convenience as for my direct benefit. The DTI is apparently going to disallow this signing, unless my company, institution or bank becomes a licensed TTP. This is a complete farce, and is probably, on a small scale, totally unenforceable.

Let's be clear, the quality of identity services is a big problem in using encryption today. The PGP "web of trust" where "a friend of a friend is a friend" doesn't work in theory (a friend of a friend could be just about anyone) and doesn't work in practice (it is far too small, has a very poor notion of identity, and its provisions for key revocation and key lifetime are extremely limited). Therefore, having Licensed identity services where you know the government is enforcing some standards will be a Good Thing.

They're such a Good Thing that it's unclear why there is any need for legislation to outlaw the unlicensed versions, because the market will ignore them anyway. Joe's Unlicensed Identity Service just isn't going to be a commercial success outside the scheme - but employers, universities, clubs, societies, political parties and groups of all kinds still have a need to sign keys and should not have to ignore the law, or jump through hoops to become licensed. If the conditions of licensing are weakened so that all these other groups are able to become licensed, then WeCheckCarefully Ltd is going to get very little advantage from the scheme.

The DTI has thought about this a bit, and it does have some exemptions (paras 66-68) but they are narrowly cast and seem to deal only with what will happen inside a single company. Indeed it is suggested that if a company wanted to use cryptographic protection in dealing with suppliers then it would need to become licensed (para 69). This is bureaucracy writ large.

You do need to trust a signer. The government will be a good ultimate guarantor for many practical purposes in a business world. But you may be able to trust the signer for other reasons, and of course some people don't trust the government, or Big Business, to be as careful as they should be.

Timestamping

What of the time stamp service? You will recall that it is an essential part of a practical electronic signature system.

You might think it would wish to be licensed for similar reasons to identity services. If you had a choice between a licensed and unlicensed service then you might pick the higher quality one - feeling that some government inspectors would be checking they are reliable.

Interestingly, there is no need for this! To use a time stamp service you send a cryptographic hash of your document (an MD5 fingerprint works well) to the stamper. They send back a signed document containing the hash and the last ten hash values and the email addresses they were stamped for.

That means that the only way for a wicked time stamp server to forge a timestamp would involve them in suborning the last ten (or a hundred if you think that's too small) people who used the service. As an extra guarantee, to allow the records to be relied on many years in the future, the weekly hash value of their records is published somewhere like the New York Times where it is effectively unchangeable. Since the time stamp service never knows anything about your documents, even if they feel like being wicked and bribing all those people, they've no idea whether it would be worth doing.
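The linking described above, as an added example that is not code from the original page: a client submits only a hash, each receipt carries the last ten (hash, email) entries, and a back-dated receipt is caught because the genuine receipts held by later users do not vouch for it. The stamper's signature is modelled as an HMAC under a stamper secret (an assumption made to keep the example to the standard library; a real service would use a public-key signature anyone can verify), and all names and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed example of the linked time-stamping scheme described above.
# Clients send only a document hash; each receipt carries that hash plus the
# last WINDOW (hash, email) entries, so a receipt cannot be back-dated without
# re-issuing every receipt that followed it. Assumption: the stamper's
# signature is modelled as an HMAC under a stamper secret; a real service
# would use a public-key signature that anyone can verify.

STAMPER_SECRET = b"constructed-stamper-secret"
WINDOW = 10

def fingerprint(document: bytes) -> str:
    """What the client submits: a hash, never the document itself."""
    return hashlib.sha256(document).hexdigest()

def sign_receipt(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(STAMPER_SECRET, body, hashlib.sha256).hexdigest()

class Stamper:
    def __init__(self):
        self.log = []  # every [hash, email] stamped so far, in order

    def stamp(self, doc_hash: str, email: str) -> dict:
        payload = {"seq": len(self.log), "hash": doc_hash, "email": email,
                   "previous": [list(e) for e in self.log[-WINDOW:]]}
        self.log.append([doc_hash, email])
        return dict(payload, sig=sign_receipt(payload))

    def weekly_digest(self) -> str:
        """Hash over the whole log: the value to publish in a newspaper."""
        return hashlib.sha256(json.dumps(self.log).encode()).hexdigest()

def signature_valid(receipt: dict) -> bool:
    payload = {k: v for k, v in receipt.items() if k != "sig"}
    return hmac.compare_digest(sign_receipt(payload), receipt["sig"])

def linked(earlier: dict, later: dict) -> bool:
    """True if a later receipt, held by another user, vouches for the earlier one."""
    if not (signature_valid(earlier) and signature_valid(later)):
        return False
    offset = earlier["seq"] - (later["seq"] - len(later["previous"]))
    if not 0 <= offset < len(later["previous"]):
        return False  # more than WINDOW stamps apart: not directly chained
    return later["previous"][offset] == [earlier["hash"], earlier["email"]]
```

Receipts more than WINDOW stamps apart are not chained directly in this toy; checking them means walking through intermediate receipts or the published weekly digest.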

When reading the DTI proposals, the thought sometimes springs to mind that they don't understand the neat protocols (such as the time stamp one) which public key cryptography has allowed to be created. Public key cryptography has allowed the mathematicians to develop protocols which allow us all to do a lot of things in the open, where fraud is instantly detectable, without compromising the privacy or integrity of the systems. You don't need a license from Whitehall to make it trustworthy.

Key servers

What of the key servers which day-to-day use of encryption will rely upon? Perhaps they need to be run by a licensed accountable body? Well, it helps, that's undeniable, but the beauty of public keys as we currently know them is that, provided one makes some end-to-end checks when first using a key, you don't have to trust the key servers at all! Even if the key server is run by the bad guys, all they can really do is to stop you talking by turning the service off.

They cannot substitute another key for the one you asked for because they will not be able to forge the signature from WeCheckCarefullyLtd which says that it is authentic. They might hope you didn't notice it wasn't signed. Even without the signing, if you take some elementary precautions they cannot listen in to anything other than the first message between private individuals "I think this is your key, tell me something only you and I know and I'll believe it is correct".

There is more scope for fraud by a wicked key server substituting keys when commercial transactions are intercepted, but one might expect the type of bank enquiries one makes in business before trusting another company to make this extremely difficult. Essentially, this is not really all that much different than the situation in the physical world where one is cautious in dealing with strangers, especially if all you know about them is their address and phone number. There are no radically new dangers in cyberspace.

Key servers and key signing are a bit like the phone book... this is mainly accurate and is mainly trusted, but only a fool will blurt out their deepest secrets or the password for their phone banking account before checking that the person who picked up the receiver is actually the intended recipient.

We don't currently license people who produce phone books because years of experience has shown us that there is no practical need. The new technology hasn't really changed anything - the servers can be as unreliable as the phone book and you won't lose your shirt. Indeed, you do better in cyberspace because a signature on a key should allow you to trust it - and that's far more important than whether or not you fetched the key from a licensed server.

Conclusions

The advent of TTPs is a Good Thing. In particular WeCheckCarefully Ltd gets some validation that they appear to be competent at running a key signing business. Perhaps other services would be more attractive if they were licensed; though in fact a few precautions should be taken anyway.

That said, there is no necessity to make the provision of services by non-licensed organisations illegal. In the areas where being trusted by the government helps, the unlicensed services will fail to be used, or will work on a very small scale where trust already exists. In other areas, the provision of unlicensed (and probably free) services will keep the TTP price list honest.

If using a TTP is going to require you to hand over your private keys (see separate discussion) then a lot of people are going to stay well away from TTPs, and for very good reason. If there are no unlicensed services then this is going to stop many people from making as much use of crypto as would be desirable to allow online commerce to flourish.

Thus, though it is true that in the DTI proposals private crypto between 'consenting partners' is not disallowed (some would say "yet"), the effect of their compulsory licensing is to make it quite significantly harder to use crypto than it is at present, and you are going to have to rely far more on personal contact than on exploiting existing networks of infrastructure.




© 1998 Richard Clayton
4th March 1998
