Comments on the "Licensing of Trusted Third Parties for the Provision of Encryption Services"

This is a full copy of the submission I made in May 1997 to the UK Department of Trade and Industry on their consultation paper.


0. A brief 'CV'

I graduated from Manchester University with the top First in Computer Science in 1977. Before, and since, I have been working in the Computer Industry with a particular involvement in mass market software applications.

In the early 80s the company I co-founded created the operating system and BASIC interpreter for the Amstrad CPC series of home computers, which sold nearly two million units. In the mid-80s we created the Amstrad PCW word processor which sold in similar numbers. In the 90s we have turned our efforts to the Internet, producing a suite of programs which in particular allows offline use of email. This product does not yet sell in the same sort of volumes, but it has already been shipped to well over half the customers of Demon Internet, the largest European ISP, and on current projections will have three-quarters of a million users by the turn of the century.

My interest in the consultation paper stems from my belief that encryption will be an important function of mass market electronic communications software in the next few years. Many of my views about the proposals stem from a mass market perspective, and my judgement as to whether they will help or hinder the widespread take-up of encryption and cryptographic approaches to signatures and data integrity.

The opinions expressed below are not necessarily those of my current employer, but are my personal views, whose worth you must judge on their merits, and upon my record of placing software technology into the hands of the mass market.

1. Public key is not the only form of cryptography

The bulk of my response relates to public key cryptosystems. These are not the only form of encryption, and some of the proposals may be suitable for other schemes. However, they seem to be unsuitable when applied to the current, quite successful planet-wide usage of public key systems.

The consultation paper was not a masterpiece of clarity. It was possible during the consultation period to determine what was meant in some sections, but it gave the impression of being written to discuss the GCHQ designed "Cloud Cover" scheme of encryption and any mapping from that to other encryption schemes was poorly thought out and produced most confusing results.

2. Compulsory licensing

2.1 General remarks about Trust and Licensing

Public key protocols for the usage of keys mean that you can be remarkably open about activities which you might naively expect to have to keep secret. This means that the nature of "trust" in a public key environment becomes a very complex idea.

People in the real world develop their own personal view of who to trust, and it will be no different in the electronic world either. Most people nowadays trust large institutions and bureaucracies because they have to, rather than because they inherently feel that they can.

People will decide for themselves whether to trust a vendor of cryptographic services. This involves a certain amount of effort, so most people will take someone else's opinion for it. The real advantage of having a licensed TTP scheme is that the State will have a role in providing that opinion. The careful (and of course the paranoid) will still wish to take their own steps to establish the appropriate level of trust, but for many people, the use of a licensed TTP service will be the obvious course of action.

However, the openness of public key systems, and the use of clever protocols for transferring information around, means that for many purposes there is in fact no need to "trust" the TTP at all. The levels of service, and the customer support may be better, but the TTP will find it very difficult to actually betray your trust. Some examples of this are given below.

2.2 Unlicensed services

I discuss in section 3 my views on compulsory key escrow. This section assumes that this foolish and unworkable proposal will be dropped. The question then arises as to what general value licensed services have.

There are undoubted commercial advantages to being licensed, in that you can sell the "peace of mind" that this promotes. Nevertheless, there are few overriding technical reasons for choosing a licensed vendor, particularly if you, or your software package on your behalf, takes some care in using cryptographic services.

Thus it seems strange that the proposals wish to ban all non-licensed activities, and indeed go so far as to envisage prohibiting foreign vendors of services from advertising in the United Kingdom. Education in the benefits of using TTPs should ensure that incompetent vendors will be rapidly driven from the marketplace, but where sufficient trust can be established by the community as a whole in unlicensed activities I can see no policy reason why these should not continue to run just as they do at the moment.

In particular, the running of key servers, the provision of time stamping services, and the signing of keys should be allowed outside the licensing system. I discuss this further below.

One of the failings of the consultation paper is that it is somewhat wide-ranging in its definitions, and this makes it unclear what services (or, more particularly, what level of services) will require you to become licensed as a TTP. It is possible to read the paper in such a way as to believe that employers would not be able to certify their employees' public keys for external correspondence. It is even possible to read them as prohibiting the display of public keys on web pages.

The "clarifications" made available during the consultation phase have not markedly improved matters. It is suggested that you can sign a friend's PGP key without being licensed, but that you cannot sign just any person's key if they turn up with a passport. There's a long way between these extremes - can you sign keys for members of your golf club, trade union, political party... and there is no indication of any obvious cut-off point which will not bring the whole system into disrepute for arbitrariness.

2.3 The cost of being licensed

Encryption services for the masses are so new that it will be several years before appropriate levels of service and appropriate pricing levels settle down. Legislation to force all such services within the expensive umbrella of a licensing system will distort the growth of this industry, and the lack of competition because of the high costs of entering the marketplace, will inevitably lead to excessive charges, thereby delaying mass take-up of encryption. Worse, arbitrary decision points between which services are licensed (when exactly does publishing a key differ from "key storage" ?) will make the law appear complex and stupid.

It may be that primary legislation is not in fact necessary to produce the licensing regime which best fits our needs, or if new laws are required, then they should be tied in with the establishment of a proper framework for "electronic signatures" rather than with the current blanket approach to regulating the entire fledgling industry.

Para 72 of the proposals reads...

The legislation will prohibit an organisation from offering or providing encryption services to the UK public without a licence. Prohibition will be irrespective of whether a charge is made for such services. The offering of encryption services to the UK public (for example via the Internet) by an unlicensed TTP outside of the UK will also be prohibited. For this purpose, it may be necessary to place restrictions on the advertising and marketing of such services to the public.

This looks nice and clear - if you offer services, then you have to have a licence and you have to be in this country. The licensing, particularly the quality issues, look daunting, and perhaps if the State is going to endorse the TTP so they should. The quality conditions alone are likely to rule out the continued existence of free services. Also, the requirement for the TTP operation to be completely isolated is likely to be a major disincentive to the provision of experimental services offered on a best-efforts basis by companies or groups of individuals.

I therefore believe that compulsory licensing is going to have a significant dampening effect on innovation.

2.4 An example use of encryption

Practical day-to-day usage of encryption is likely to use a great many services and functions.

For an example, let us suppose that I am using PGP, a well-known and widely available example of encryption software. Let us suppose that I want to use it to order something from a computer bookshop. I'll be sending my credit card number along with its expiry date (both of which would be best kept private), and I'd also like to be placed on their mailing list for information on upcoming Star Trek titles (the arrival of this mail is something I consider embarrassing and not for public view).

I start by asking a key server for the bookshop key so that I can send them an encrypted message. I will then tell them who I am (expressed as an email address). When they write back twice a year to me, encrypted, with the new titles list they will then go to a key server to look up my current key, (and not the one I repudiated last year when I accidentally published my private keys on Usenet...) [[this is an imaginary example!]]

Besides encrypting what I send, I will electronically sign the order, so that the bookshop will be happy it was me that sent the order, and not someone else who knows my credit card number. If my key was compromised in the future it would make all my signatures worthless (because people could forge messages from the past), so I use a time stamp service which gives a record that the document and signature existed "now".

The bookshop will want to have confidence in the signature, so they will fetch a copy from a key server and check that it was signed by my bank manager or Joe's Identity Service, or WeCheckCarefully Ltd. In fact, I might have been paranoid earlier that it really is a bookshop I am telling about my Star Trek fetish... If JoesIS or W.C.C.Ltd signed their key I will be much happier.

All the services used, key storage on the servers, time stamping, key revocation, indeed the generation of the keys I am using in the first place can all be done today for no charge and with a great deal of integrity. The proposed legislation will only allow these services to be provided by a TTP. It is nice to think that they may be provided "better", but since all the services I've mentioned exist today, it is obviously a long way from being necessary.

2.5 The licensing of identity services

If "WeCheckCarefully Ltd" signs my key to say that they have taken a great deal of trouble making all sorts of checks to ensure that the key really does belong to "Richard Clayton, 10 Acacia Avenue" (or whatever they decided "identity" really is -- a complex question in itself) then that is a useful service.

It is even more useful if you can go to a DTI web page to check "WeCheckCarefully"s key (or get their key over the counter at the local Post Office, or see it published in a press advert or have it provided in the innards of your email software). So W.C.C.Ltd will almost certainly want to become licensed because it means that their service is more useful (and they can charge more for it).

Note that in this case the licensing is desirable for the service of authenticating my identity - not for the use of encryption per se.

However, my employer, my university, or my bank manager might also wish to certify my key - as an indication that I am employed, or studying or a customer. Under the proposals, this is apparently going to be disallowed, except possibly by close friends. This is a complete farce, and is probably totally unenforceable.

Let's be clear. The existence of identity services is a big problem in using encryption today. The PGP "web of trust" where "a friend of a friend is a friend" doesn't work in theory (a friend of a friend could be just about anyone) and doesn't work in practice (it is far too small, has a very poor notion of identity, and its provisions for key revocation and key lifetime are extremely limited). Therefore, having licensed identity services where you know the government is enforcing some standards will be a Good Thing.

They're such a good thing that it's unclear why there is need for legislation to outlaw other schemes. Joe's Identity Service just isn't going to be a commercial success outside the scheme - but employers, universities, clubs, societies, political parties and groups of all kinds still have a need to sign keys and should not have to jump through hoops to become licensed. If everyone becomes licensed then the conditions will be so weak that W.C.C.Ltd is going to get very little advantage from the scheme.

The proposals do have some exemptions (paras 66-68) but they are narrowly cast and seem to deal only with what will happen inside a single company. Indeed it is suggested that if a company wanted to use cryptographic protection in dealing with suppliers then it would need to become licensed (para 69). This is bureaucracy writ large.

Some people may wish to apply other authentication of their own on top. Their notion of identity may not be the same as that of the TTP - how do you know where I live ? the TTP's description of my house in Acacia Avenue may not be an appropriate way for you to identify me. But often the TTP's word will be good enough for you to use... after all, you probably use BT's Directory Enquiries without taking paranoid steps to check it really is the local pizza shop that you are giving your credit card number to!

It seems strange to me that the consultation paper is concerned about compulsory licensing for identity services in the encryption arena, but is happy to let very similar schemes for combining identities and contact details remain unlicensed. In particular, I was not aware that the telephone directory was subject to a regulatory regime, and the DTI positively vetted everyone concerned with it to ensure that they were upstanding people. Perhaps this is a loophole in the current arrangements by which people trust providers of telecoms services ?

You do need to trust a signer, but only for some purposes. The government will be a good ultimate guarantor for many practical day-to-day uses of cryptography in a business world. But it is very important to note that true trust is nothing to do with identity, and everything to do with contracts, letters of credit, and the banking system. No-one is going to sell you jewellery on credit just because you have an encryption key signed by W.C.C.Ltd.

However, in another milieu, the government may not be seen as a suitable guarantor at all. If you have correspondence of a sensitive nature, with a shop-steward, with Walworth Road, Smith Square, or indeed you wish to write a whistle-blowing letter to the Editor of the Guardian, you might feel that you needed to be slightly more sure of where the text was going than just that W.C.C.Ltd listed the key in their directory service.

The bottom line is that licensed identity services are going to be extremely useful in helping people develop confidence in encryption and in developing the marketplace. But they are not a panacea.

2.6 Licensing of Timestamping Services

What of the time stamp service ? Which you will recall is an essential part of an electronic signature system.

A commercial service might wish to be licensed for similar reasons as were given for identity services. If you had a choice between a licensed and an unlicensed service then you might pick the higher quality one - feeling that some government inspectors might be checking they are reliable.

Interestingly, there is no need for this! To use a time stamp service you send a cryptographic hash of your document (an MD5 fingerprint works well) to the stamper. They send back a signed document containing the hash and the last ten hash values and the email addresses they were stamped for.

The only way for a wicked time stamp server to forge a timestamp would involve them in suborning the last ten (or whatever) people who used the service. As an extra guarantee, to allow the records to be relied on many years in the future, the weekly hash values of their records are published somewhere like the Sunday Times, or Washington Post, where they are effectively unchangeable.
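The receipt format described above can be cross-checked between users without trusting the stamper. The sketch below is an added example, not part of the original submission and not the code of any real service: the class and function names, sample addresses and times are constructed, SHA-256 stands in for the MD5 fingerprint, and the stamper's signature on the receipt is left out so that only the linking is exercised.

```python
import hashlib
import json

WINDOW = 10  # each receipt carries the last ten stamps, as in the text


def fingerprint(document: bytes) -> str:
    # Assumption: SHA-256 replaces the MD5 fingerprint mentioned in the text.
    return hashlib.sha256(document).hexdigest()


def log_digest(entries) -> str:
    """Digest of the stamper's records: the value that gets published."""
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()


def entry_of(receipt):
    return {k: receipt[k] for k in ("seq", "time", "hash", "email")}


class Stamper:
    """Hypothetical stamping service keeping an append-only log."""

    def __init__(self):
        self.log = []

    def stamp(self, doc_hash, email, time):
        entry = {"seq": len(self.log), "time": time, "hash": doc_hash, "email": email}
        receipt = dict(entry, previous=[dict(e) for e in self.log[-WINDOW:]])
        self.log.append(entry)
        return receipt


def conflict(receipt, witness):
    """Compare a receipt with one held by another user; None means consistent."""
    older, newer = sorted((receipt, witness), key=lambda r: r["seq"])
    if older["seq"] == newer["seq"]:
        if entry_of(older) != entry_of(newer):
            return "two different stamps claim the same slot"
        return None
    if newer["seq"] - older["seq"] > WINDOW:
        return None  # too far apart to compare; the published digest covers this
    if entry_of(older) not in newer["previous"]:
        return "earlier stamp is missing from the later receipt"
    return None


def audit(receipt, document, witnesses):
    """Return the list of problems found (empty list: receipt stands up)."""
    problems = []
    if fingerprint(document) != receipt["hash"]:
        problems.append("document does not match the stamped hash")
    for w in witnesses:
        reason = conflict(receipt, w)
        if reason:
            problems.append(f"{w['email']}: {reason}")
    return problems


def constructed_backdated_receipt(stamper, seq, document, email):
    """Test fixture: what a dishonest stamper would have to hand out to claim
    that `document` occupied an existing slot in the log."""
    real = stamper.log[seq]
    entry = {"seq": seq, "time": real["time"],
             "hash": fingerprint(document), "email": email}
    previous = [dict(e) for e in stamper.log[max(0, seq - WINDOW):seq]]
    return dict(entry, previous=previous)


def demo():
    stamper = Stamper()
    receipts = [stamper.stamp(fingerprint(f"order {i}".encode()),
                              f"user{i}@example.org", 1000 + i)
                for i in range(20)]                     # constructed traffic
    published = log_digest(stamper.log)                 # the newspaper value
    late_doc = b"contract written later"
    forged = constructed_backdated_receipt(stamper, 5, late_doc, "late@example.org")
    rewritten = [dict(e) for e in stamper.log]
    rewritten[5] = entry_of(forged)                     # stamper edits its records
    return {
        "honest": audit(receipts[5], b"order 5", receipts[6:9]),
        "backdated": audit(forged, late_doc, receipts[6:9]),
        "rewrite_detected": log_digest(rewritten) != published,
        "forged": forged,
        "receipts": receipts,
    }


if __name__ == "__main__":
    result = demo()
    for name in ("honest", "backdated", "rewrite_detected"):
        print(name, "->", result[name])
```

Receipts more than ten stamps apart cannot be compared directly, which is the gap the published digest closes.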

When reading the consultation paper, the thought sometimes springs to mind that licensing is being required for political rather than technical reasons, or perhaps it was just written to cater solely for non-public-key systems. There seems to be no understanding of the elegant protocols (such as the time stamp one) which public key crypto has allowed to be designed. It is possible to do a lot of things in the open, where fraud is instantly detectable, without compromising the privacy or integrity of the systems.

2.7 Licensing of key servers

What of the key server, perhaps that needs to be run by a licensed accountable body ? Well it helps confidence, that's undeniable, but the beauty of public keys as we currently know them, is that provided one makes some end to end checks when first using a key, you don't have to trust the key servers at all! Even if the key server is run by the bad guys, the only harm they can do is to stop you talking by turning the service off.

They cannot substitute another key because they will not be able to forge the signature from W.C.C.Ltd which says that it is authentic. They might substitute another key in the hope that you might be surprised to find that it was not signed, but would use it anyway. Even then, if you take some elementary precautions they cannot listen in to anything other than the first message between private individuals "I think this is your key, tell me something only you and I know and I'll believe it is correct".

There's more scope for fraud if commercial transactions are intercepted by the issuing of fake keys, but unlawful gain is extremely unlikely because in business one makes bank enquiries before trusting another company. Knowing their address and identity is not what makes you trust them. Essentially, this is not really all that much different than the situation in the physical world. There are no radically new dangers in cyberspace, except the possibility that people are seduced by the technology into believing that it changes the nature of "trust" and "identity", which, at heart, it does not.

Key servers and key signing, licensed or not, are a bit like the phone book... this is mainly accurate and this is mainly trusted, but only a fool will blurt out their deepest secrets or the password for their phone banking account before checking that the person who picked up the receiver is actually the intended recipient.

2.8 Licensing of Key Generation

Public key cryptography works by having a transformation of the message which is one-way. The algorithm for this transformation and the key which makes it unique are publicly available. The reverse transformation algorithm is also publicly available, but the key for this is kept secret. It is not practical (this side of the heat death of the universe) to deduce the secret "private key" value from the "public key". There are several schemes for public key cryptography using several different areas of mathematics. The most famous is RSA - which is the one traditional PGP uses.

RSA uses a pair of very large prime numbers, and uses the fact that factorising large numbers into primes is a very laborious operation. Key generation involves selecting a suitable pair of numbers and usually involves using some random events to generate some candidate values which are then tested to see if they appear (to all practical purposes) to be prime.

This key generation is done in the privacy of your own home for obvious security reasons. It is not a matter for TTPs, except that in principle they could sell you some guaranteed random numbers, or ones with allegedly specially good properties.

But of course, there are other types of cryptography besides public key cryptography, and the consultation paper must have these in mind when proposing to license key generation - for in the public key arena as we know it today, the proposal is nonsense, there will be no-one offering a service to license.
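Sections 2.7 and 2.8 together describe keys generated locally from random candidates tested for primality, and a certifier's signature that lets a client reject whatever an untrusted key server hands back. The following is an added example, not part of the original submission and not PGP's code: it uses unpadded textbook RSA with small 256-bit primes purely for illustration, and the record format, function names and the bookshop address are constructed.

```python
import hashlib
import secrets

E = 65537          # public exponent (a prime)
PRIME_BITS = 256   # demonstration size only; real keys use much larger primes


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test: prime "to all practical purposes"."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False      # this witness proves n is composite
    return True


def random_prime(bits):
    """Draw random full-size odd candidates until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and is_probable_prime(cand):   # keeps E coprime to cand - 1
            return cand


def generate_keypair():
    """Local key generation; only the public half is ever given to anyone."""
    p = random_prime(PRIME_BITS)
    q = random_prime(PRIME_BITS)
    while q == p:
        q = random_prime(PRIME_BITS)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return (n, E), (n, d)


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)   # textbook RSA, no padding


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def key_record(user_id, public):
    """Constructed encoding of what the certifier signs: identity plus key."""
    return f"{user_id}|{public[0]:x}|{public[1]:x}".encode()


def fetch_and_check(server, user_id, certifier_public):
    """Look a key up on an untrusted server; accept it only if certified."""
    entry = server.get(user_id)
    if entry is None:
        return None, "unavailable"   # refusing service is all the server can do
    public, cert = entry
    if cert is None:
        return None, "rejected: key is not signed"
    if not verify(certifier_public, key_record(user_id, public), cert):
        return None, "rejected: signature does not cover this key"
    return public, "ok"


def demo():
    wcc_public, wcc_private = generate_keypair()   # certifier, "W.C.C.Ltd"
    shop_public, _ = generate_keypair()            # the bookshop's own key
    other_public, _ = generate_keypair()           # key a bad server swaps in
    shop = "orders@bookshop.example"               # constructed address
    cert = sign(wcc_private, key_record(shop, shop_public))
    servers = {
        "honest": {shop: (shop_public, cert)},
        "swapped, certificate reused": {shop: (other_public, cert)},
        "swapped, unsigned": {shop: (other_public, None)},
        "switched off": {},
    }
    return {name: fetch_and_check(s, shop, wcc_public)[1]
            for name, s in servers.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The client needs an authentic copy of the certifier's public key before any of this works, which is the role the text gives to the DTI web page, the Post Office counter or the press advert.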

2.9 Licensing - some conclusions

The advent of licensed TTPs is in a lot of ways a Good Thing. W.C.C.Ltd gets the validation they need to run a key signing business. There will be the chance to use key servers without being incredibly paranoid.

But, there is no necessity to make the provision of services by non-licensed organisations illegal. In the areas where being trusted by the government helps, the unlicensed services will fail to be used. In other areas, the provision of unlicensed (and probably free) services will keep the TTP price list honest.

If using a TTP is going to require you to hand over your private keys (see separate discussion) then a lot of very sensible people are going to stay well away from TTPs. If there are no unlicensed services then this is going to stop many people from using cryptography. So, taking the proposals as a whole, although it is true that the proposals do not disallow private encryption between 'consenting partners' (some would say "not yet"), the effect of the compulsory licensing is to make it quite significantly harder and more expensive to use than it is at present.

3. Compulsory "key escrow"

The consultation paper envisages a scheme of compulsory "key escrow" for encryption keys. It seems to be a requirement for TTPs which handle an encryption key that they should insist that the private keys are handed over.

The paper manages to confuse the issue of "key escrow" with that of "key recovery". It is seldom necessary to recover keys - what is of interest to most people is "data recovery". People are naturally concerned that encrypted material may be lost in the event of hardware failures, death or dismissal of passphrase holders, or merely that the security officer has gone on an extended vacation.

This data recovery can be done by many other much safer methods than key recovery. Some people suggest escrowing copies of the session key under the public key of a company or a third party such as a TTP, though this does of course put all your eggs in a single basket. This issue will probably become moot, as better designed software systems can use totally different secure storage schemes, rather than relying on holding a literal copy of the outgoing message.

Leaving aside the specific issue of data recovery, the argument against compulsory key escrow is somewhat complex. The particular points I wish to cover are:

The only reason for requiring key escrow is to allow the Interception of Communications (that's phone tapping to you and me). However, if this is done "in the middle" of an encrypted conversation, and not at the end points, then a serious problem arises.

It is in the nature of public key encryption that outgoing messages from a suspect will only be readable if the private keys for the receiving person are available. Thus, if a suspect writes to many innocent people, all of their private keys will have to be made available to the investigating team. But it is in the nature of such private keys that once one has them, one can read all correspondence, both past and future. What's more, the keys are no longer as "safe" as they are inside the TTPs, but are in the hands of individual law enforcement officers. There is then a greatly increased risk that these keys will leak, entirely undetectably, to people who should not have them.

I believe that obtaining of private keys under warrant is a very different ability than that given by the standard sort of wiretap envisaged in the Interception of Communications legislation. It allows the decryption of all past traffic, and, until knowledge of the keys is destroyed, all future traffic as well. In my opinion it is far too sweeping a power to make available because it infringes the civil liberties and endangers the economic livelihood of far too many innocent people. It would be far better to develop schemes where only session keys became available, or just plain text left the TTPs, instead of the private keys.

3.1 A free society

In public key cryptography, a message is encrypted by the sender by combining it with the receiver's public key. When it arrives, the private key is used to decrypt the message. People without the private key cannot read the message - leastways, not (if the keys are long enough) without spending millions of years in trying.

There are people (quite serious and sober people) who honestly believe that it is the right, even duty, of the State, to be able to know everything which its citizens say or do. Naturally, these people say, they would not exercise this right lightly. To these sorts of people it makes perfect sense that the private keys of all of a State's citizens should be available from a central repository and, when necessary, their correspondence should be examined for serious criminal or terrorist behaviour.

I personally reject this view of the role of government, but it is important to understand that this is not a technical issue but a philosophical one. People with a particular world view say "yes of course - the State must be allowed to look at anything", others say "of course not - my privacy is sacrosanct". This sort of dichotomy of views is never going to be settled by rational argument.

Interestingly, the consultation paper does not attempt to argue at this fundamental level, where one can only agree to disagree. Instead it gives some rather more specific reasons for access to encrypted traffic, and so these reasons can be weighed for their merit.

The reason that the paper puts forward for access to private keys is that it is necessary to allow Interception of Communications, so that "criminals" and "terrorists" can be monitored by "law enforcement". Law enforcement is just a cuddly term which makes you think of judges and police sergeants, but it is probably just as likely to mean men in grey suits from the Security Services.

Terrorists are, of course, extremely wicked people whom the State should clearly be targeting, which is undoubtedly why this crime is mentioned explicitly. It's not just critics like myself who stoop to emotive language to get a point across!

However, I believe that tracking down all the criminals and terrorists by monitoring all of their communications will stop us from having the same sort of society that we have today. As more and more traffic becomes electronic, the ability (and the temptation) is available to log and record it all. This is not in society's interests, and not in our individual interests either. I do not wish to have to think about every view I express lest I end up on a list of potential subversives. I have no doubt that in some people's eyes, writing this document makes me an Enemy of the State, and therefore a suitable target for future surveillance. If so, should anyone consider acting upon this, then that's not a free society any more.

3.2 TTPs as economic targets

Cryptographic keys are valuable things. If I send my credit card number across the net to make a purchase by secure means, I am obviously trusting the vendor not to abuse the knowledge of my details which I have given them.

However, rather more subtly, I am also trusting the vendor that their security system works. If someone else apart from the vendor knows their crypto secrets then they can watch my traffic to the vendor. Unlike someone stealing cheques from the vendor's postroom, this theft is hard to detect.

If the vendor has handed over their private keys to a TTP then not only are they trusting the TTP, but I have to as well.

Arguably, the authors of the consultation paper understand this because the proposals mean that only really really really trustable people can become TTPs. But I don't think that, even in 1997, you can build systems involving computer software and humans which can be trusted to that extent. It is moot whether the software or the humans are more likely to fail - both will eventually.

If the single vendor I dealt with has poor security then my credit card details will leak. There will be a pattern to the information compromised (everyone stung was a customer of Joe's Bookshop) and the security flaw should get fixed eventually.

If a TTP has poor security then my credit card details could leak from any transaction with many many vendors. Any non-greedy (or non-automated) villain is unlikely to create a pattern in their thefts...

A swift calculation on the potential income from compromising a TTP should show you that you can afford to offer the employees (or the writers of the software used) a reasonably serious amount of money...

There's nothing really wrong with key escrow provided that relatively few people take it up (so there is not much to steal), and the locks on the TTP doors are strong. The problem which arises if "key escrow" becomes mandatory is that there would be so much value in the TTPs that no lock would or could ever be that secure.

Compulsory pooling of private keys in TTPs is a new and totally unnecessary risk. All the evidence we have from similar schemes like the DVLC in Swansea, the Police National Computer and, indeed, ex-directory telephone numbers is that personal data always leaks from large organisations. You've probably seen one of the exposés on the television where bank records and medical files can be obtained for just a few hundred quid. This information is meant to be secret! That's why the reality that it is not can still, just about, be made into prime-time television. It is embarrassing sometimes to see how little money has been needed to bribe the people with access to this information.

Cryptographic keys are of course currently held safe within organisations like banks and within the government itself. The record of how successful this has been is said to be good, but it is poorly documented so it is hard to judge objectively. Experience up to now has been mainly concerned with military or economic secrets where the holders of the keys see their national pride, their freedom, or their livelihood to be tied in with the preservation of secrets. Our society expects cypher clerks to die under torture rather than betray their colleagues.

In a world of TTPs, low level employees will be guarding private keys for companies and people they have never heard of. When someone buys them a new fridge or points a gun at their kids then a fair number of them are going to hand the secrets over, and in the latter case, they are going to think that it was morally the right thing to do... Bank managers are currently told to hand over the keys to the safe because "it's only money" and "we want you back alive". Why will TTP managers be any different ?

The trouble is, if the current proposals are implemented, the TTPs won't just have a few keys to hand over, a few safes full of money, but millions. All those little fish add up. The TTPs are going to be a big fat juicy target.

The keys are to be recoverable by "law enforcement", and far too quickly - one hour may not allow any time for proper checks to be made when a warrant covers a large number of recipients of a single target's outgoing traffic. This means that there will be no special systems design needed for extraction by the bad guys - they just have to circumvent the checks, hide the audit trail, or forge or coerce disclosure.

One certainly hopes that a TTP would have, and the licensing authority would insist upon, complex systems to prevent this sort of thing... but if one could access the keys for half the economy by suborning the employees of a TTP, and be able to decrypt traffic thereafter in an undetectable way... that's a big prize for a criminal group or a foreign government with the capital to spend on the suborning.

The consultation paper recognises the risk of loss from TTPs (there are several paragraphs saying how naughty the TTP would be, and [in effect] how it must be financially strong enough to stand the damages when successfully sued). The proposals clearly also see that this loss could be a major calamity, and so the banks will be allowed to stay outside the TTP system!

The ONLY justification given in the paper for access to private keys is that this will allow criminals and terrorists to be monitored. Not only is this just a pious hope with little foundation in reality, but making "key escrow" compulsory so that all the UK's private keys end up inside TTPs is a major risk to the British economy.

3.3 The escrow of signing/authenticity keys

At the end of the day, encrypting most people's data is not earthshatteringly important. It is nice to think, in a non-electronic world, that when you put such information in the pillar box no-one steams it open. Crypto gives you the warm feeling that your missive will not be read even if someone opened the letter by mistake because it was delivered next door. But if someone does manage to read your mail, all that happens is they learn something about you that you wish was private. Your cheeks are red for a while, but you'll get over it.

BUT... besides encryption, public key crypto has the other, elegant, feature of providing crypto signatures which allow you to sign electronic documents, time stamp them, send electronic cash around, and provide all sorts of other endorsements. These all, crucially, depend on your private keys staying private.

If you hand over the private keys to your public key signature identity to a TTP it will become worthless because you cannot know if it has been compromised, so you will never be in a position to stand behind that identity.

Whether TTPs exist or not, your electronic signature is open to repudiation... "Oh calamity, I just published my private key on Usenet, ignore everything I apparently say." but the reverse statement "I really am sure that my word is my bond" cannot be sensibly said in a future where a bureaucracy holds your private keys and may or may not have been handing them out to police forces (and less accountable bodies) up and down the land, and overseas as well...

In principle, you could set up one public key for encryption and another for electronic signatures. The spooks (or whoever) could then decrypt stuff when the politicians said they could, and your signature keys could be kept private...

The problem with this dual key scenario is that the way that public key crypto systems currently work means that their keys are identical in form and function. There would be nothing to stop the wicked from using the signature key to send you things that the 'spooks' couldn't read.

I do not detect a movement in mass market software towards distinguishing the two types of key. Explaining encryption to end users is hard enough without cluttering up the software with multiple keys, public and private, and different purposes for both. Simple to understand systems, which is a prerequisite for commercial success, will tend to avoid dual keys if they possibly can.

If you read the proposals carefully you will see that para 46 suggests that the state does not "intend" to access privacy keys under the "key escrow" schemes. This is presumably driven by the OECD proposals which discuss integrity keys. I think that the UK would have some problems if their proposals did not treat them specially. That's why in Annex E (which is demonstrating how the UK proposals fit in with the OECD material) para 10 specially indicates that the UK legal framework will not give the authorities the ability to fabricate evidence...

If I publish my signing key then you can check my signature. However, you can also send me something which has been encrypted using that key. Watchers will not be able to read it, even if my "official" privacy key is escrowed with a TTP. Unless I am remarkably honest and refuse to read what has been sent me using the "wrong" key, there is a secure private channel set up between us.

If I, extremely foolishly, have placed the private key for my signature key into a TTP then I presume that it is subject to warranted access. The logical conclusion would be that it should be unlawful to escrow a signature key, because otherwise a malicious "terrorist" can use the key for encryption, shop himself to the authorities and, having hinted at the existence of insiders so that wiretaps were appropriate, thus cause the key to become compromised by warranted access to it.

3.4 Will people use TTPs ?

Although it is not necessary, some people will want to use "key escrow" for their private keys. What they probably want is data recovery - but one way of achieving this is to keep your private keys safely off-site. However, key recovery is not always necessary. It may be sufficient to have some mechanism such as multiple encryption, i.e. the message is encrypted with other keys as well as the recipient's.

Since public key schemes are slow, it is usual to use another scheme (classic PGP uses a scheme called IDEA) to encrypt the message and to just hide the "session key" for the IDEA within the public key encrypted part. In such a scheme, session keys could be mailed off to a TTP for them to store against some future need to decrypt the correspondence.

As discussed above, the presence of private keys for signature keys within these TTPs will make those signatures worthless. These keys are subject to official access by "law enforcement" and unofficial access by the Bad Guys - using bribes or force majeure as they see fit. It will therefore be necessary for all the documentation for mass market products to explain to the public that TTPs are unsafe places for signature keys, and strongly advise against escrowing them under any circumstances.

Many people who currently use encryption will not endorse the TTP scheme specifically because of its "compulsory key escrow". ie the existing user community for cryptography will not "sign-up" to the new scheme but will bad mouth it from the sidelines. The "experts" will have to concede that there is a risk, and the subtlety of their explanations, and the fact that in the end they have to just say "trust us", will go down poorly. The whole scenario will be one of confusion and doubt, and will seriously damage the TTP industry.

In such an eventuality, I predict that the mass market will pass TTPs by, and it will become a neglected technology, used only by multinationals and people operating in particular technology areas like, say, defence contractors. In fact it will end up completely irrelevant to most people's lives - like a fair number of the other DTI technology initiatives of the past few decades. Who remembers Nexos now ?

3.5 Will the 'Bad Guys' use TTPs ?

The consultation paper says that it is necessary to be able to break encryption because terrorists and criminals will use it. However, it is also intended to permit everyone who wishes to continue to use strong encryption in Closed User Groups.

This is logical nonsense - when the messages between the suspected Bad Guys turn out to be unbreakable (because they have more common sense than to use keys which have been "escrowed") the watchers find that they learn nothing...

There seems to be a touching faith by the authors of the document in the stupidity of the criminal classes "criminals will often make use of the technology available to them" (annex F). I expect that they also believe that the IRA makes bomb warning phone calls from their living rooms and will be caught by Caller Line Identification technology.

Perhaps the authors want to monitor traffic between "criminals" and reputable members of society. If so, why wiretap ? The reputable people will surely be glad to cooperate with the law enforcement agencies.

The sensible solution to this logical flaw is to not waste effort and considerable expense on enforcing "escrow" because it will not work. The likely solution - and the paranoid leap at this one - is that the government will legislate in a "stage two" to outlaw Closed User Groups, or failing this drastic step, will start to monitor traffic and deem the use of unescrowed keys as de facto evidence of criminal intent.

In fact, this won't work either - see below.

3.6 Diffie-Hellman and telephones

It is not just documents which can be encrypted. Personal computers are now fast enough to encrypt voice in real-time. The "scrambler" telephone no longer needs to be a box full of hardware.

Telephone conversations are a little different from email. There is a real-time end to end link and that allows some other encryption to be used which will make eavesdropping far far harder.

By coincidence, the patents on Diffie-Hellman key exchange expired just a month ago (on 27th April). Diffie-Hellman allows for a simple exchange of keys in such a way that both ends can decrypt the conversation, but it is not practical to listen in.

The problem with Diffie-Hellman is that there is no authentication, and a man-in-the-middle can spoof both ends into thinking he is not there... However, combined with public key authentication of the end-points, using signature keys, you can establish that there is no-one in the middle.

Of course, if you have, foolishly, handed over the private keys to your signature to the TTP (or you consider it appropriate to use encryption keys for authenticating the end-points of the conversation), then the authentication is compromised and the man-in-the-middle can still operate. But, if he does not have your keys to hand (or fails to use them to get in the middle) then his recording of your conversation will be useless, even if he later fetches your private keys from the TTP, or even if you voluntarily hand over the private keys. What is needed to "listen in" is the session key for the conversation and there is no technical reason to preserve this, and I would not expect mass market software to bother to do so.

You can do a similar trick with email - it just takes an extra to-and-from at the start of a relationship. ie: knowing the private keys is not the entire story in being able to read encrypted communications.

It would not surprise me if mass-market software used these sorts of encryption schemes to provide secure conversations, and made a marketing point of having done this. Once this has happened, the key escrow scheme becomes a white elephant.
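
An added example, not part of the original submission: it contrasts the session-key transport of section 3.4 with the signed Diffie-Hellman exchange of section 3.6, showing that a later-disclosed long-term private key opens a recording of the former but not of the latter, and that tampering without the signing key is detected. The textbook RSA, the 127-bit modulus and all function names are assumptions made for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use.
DH_P = 2**127 - 1      # Mersenne prime used as the Diffie-Hellman modulus
DH_G = 3


def rsa_keypair(p, q, e=65537):
    """Textbook RSA long-term key: returns (public, private) = ((n, e), (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _hash_to_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_hash_to_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(data, n)


def wrap_session_key(recipient_pub):
    """Section 3.4 style: a random session key hidden under the recipient's public key."""
    n, e = recipient_pub
    k = secrets.randbelow(n - 2) + 2
    return k, pow(k, e, n)


def unwrap_session_key(priv, wrapped):
    """Anyone holding the long-term private key recovers the key from a recording."""
    n, d = priv
    return pow(wrapped, d, n)


def dh_offer(role, sign_priv):
    """Pick an ephemeral secret; return it with the signed public value to send."""
    x = secrets.randbelow(DH_P - 3) + 2
    value = pow(DH_G, x, DH_P)
    return x, (role, value, sign(sign_priv, f"{role}:{value}".encode()))


def dh_accept(my_secret, peer_msg, peer_sign_pub):
    """Check the peer's signature, then derive the session key from the exchange."""
    role, value, sig = peer_msg
    if not verify(peer_sign_pub, f"{role}:{value}".encode(), sig):
        raise ValueError("signature check failed: someone may be in the middle")
    shared = pow(value, my_secret, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_call(alice_keys, bob_keys, tamper=False):
    """Set up one call. Returns (alice_key, bob_key, recording of the wire)."""
    a_secret, a_msg = dh_offer("alice", alice_keys[1])
    b_secret, b_msg = dh_offer("bob", bob_keys[1])
    if tamper:
        # An intermediary without Bob's signing key substitutes its own value
        # and can only reuse the signature Bob made over a different value.
        b_msg = ("bob", pow(DH_G, 12345, DH_P), b_msg[2])
    k_alice = dh_accept(a_secret, b_msg, bob_keys[0])
    k_bob = dh_accept(b_secret, a_msg, alice_keys[0])
    # The ephemeral secrets are discarded here; only the two messages were sent.
    return k_alice, k_bob, [a_msg, b_msg]


def escrow_view(recording, priv):
    """Sanity check, not a proof: apply a long-term private key to every recorded
    field. Recovering the real key needs an ephemeral secret, i.e. a discrete log."""
    n, d = priv
    out = set()
    for _role, value, sig in recording:
        for field in (value, sig):
            m = pow(field % n, d, n)
            out.add(hashlib.sha256(m.to_bytes(32, "big")).digest())
    return out


if __name__ == "__main__":
    alice = rsa_keypair(2**61 - 1, 2**127 - 1)    # constructed toy keys
    bob = rsa_keypair(2**89 - 1, 2**107 - 1)
    k, wrapped = wrap_session_key(bob[0])
    print("key transport recovered later:", unwrap_session_key(bob[1], wrapped) == k)
    ka, kb, rec = run_call(alice, bob)
    print("DH ends agree:", ka == kb)
    print("DH key found with Bob's long-term key:", ka in escrow_view(rec, bob[1]))
```

The signature here covers only the role label and the Diffie-Hellman value, so a real protocol would also bind both parties' values and a freshness nonce into what is signed.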

3.7 Using the TTPs and still being a Bad Guy

The proposals envisage the Bad Guys using TTPs because they are convenient. There is a feeling that there is a "quid pro quo" between the wonderful services of TTPs, and the small price of escrowing your keys.

As discussed, Diffie-Hellman allows you to have a secure conversation but no authentication. However, unless you are worried about a man-in-the-middle, you may not need cryptographic authentication - you may recognise your fellow criminal's voice or passphrase. Nevertheless, I expect to see mass market applications (easy to use by both Bad and Good Guys) which use the signature keys from TTPs to give extra assurance that the end points are correct - perhaps especially when talking to answering machines or faxes.

You can of course generate an encryption key and not put it into the TTP system. This makes it less valuable... except that you can sign it with the signature key which you have placed inside the TTP system. There is then a trivial "web of trust" which gives you reliable encryption keys which are never escrowed. I would expect that most "experts", "enthusiasts" and mass market software would go down this road. This will help the Good Guys (you only have to pay the TTP to hold and endorse one key and you don't have to mess with escrow) and will of course help the Bad Guys.

ie: the non-escrowing of signature keys, leads immediately to several trivial ways to use the TTP system without the "quid pro quo" of escrowing anything.

3.8 Some alternatives to key escrow

There are other sorts of criminals besides terrorists. The Revenue are extremely keen on being able to follow paper trails in order to detect organisations which are intentionally avoiding paying over their tithe (a bit more than 10% in most cases) to the State... Inside organisations, records are mainly computerised and hence deliberate forgery can be hard to detect.

At present, investigators can still track the paper which flows in and out as orders and payments. When this too becomes electronic and, thanks to strong cryptography, unreadable then their ability to measure what is going on will be much reduced.

This needs to be tackled (unless anyone is advocating reducing tax rates on business to zero). However, it does not actually require that private keys are handed over by everyone automatically - merely that provision is made for them to be made available to investigators upon demand. The law may perhaps make that compulsory at the present... but tidying this up to make it clear would surely do no harm, and it is strange that the consultation paper makes no firm proposals in this area, but is only interested in clandestine surveillance.

Official 'New Labour' party policy seems to be along these lines, explicitly rejecting invisible decrypting of material, but looking towards judicial warrants to compel the decryption of material when this is necessary.

3.9 Compulsory Key Escrow - some conclusions

The bottom line is that you cannot beat the mathematics.

The presence of private keys for signature keys within TTPs will tend to make those signatures worthless. Placing public signature keys into the TTPs will ensure that the Bad Guys can use them to support reliable, untappable, encryption. So we either have signatures or concede that we will only be able to listen in to the Bad Guys at the ends of their conversations and not in the middle. Of these alternatives we should keep signatures.

The State has, for the past few decades, had unrivalled access to communications between its citizens. The arrival of cheap computing power and the invention of public key cryptography has brought that era to an end. If the State wants to hold back the tide then it can do so, but the price we will pay is that we will not get secure electronic communications, the State will be monitoring everything we do in cyberspace, and we will not be able to rely upon digital signatures. In the next century where these technologies are going to be vital, it is not going to be possible to use them with confidence in the UK.

The existence of huge caches of private keys within the TTPs will make them major economic targets, of the sort of scale we currently associate with gold reserves or the banking system as a whole - indeed they will be, to all intents and purposes, the interface between the banking system and the rest of the economy. As such, there will be substantial risks that computer and systems failure within the TTPs, or the presence at trusted levels of corrupt personnel, will enable enormous frauds to be carried out.

There is always the risk of fraud when society trusts institutions. However, this risk will be significantly increased if private keys are compulsorily placed into the new institution of TTPs. Public key systems mean that there are no technical reasons for taking the totally unnecessary risk of moving from a distributed model of key holding, where each individual and company guards their own keys. The risks of disclosure are higher in the distributed model, but the cost of each security failure is far lower.

I do not believe that we yet know how to build the human/computer systems needed to protect TTPs holding the enormous numbers of keys which compulsory key escrow would imply. I don't believe this is an area in which to try out such systems and learn from the inevitable mistakes.

The only reason the consultation paper puts forward for compulsory key escrow is that there is hope of catching a few, incredibly stupid, criminals. In chasing this chimera, a huge magnet is being created for other criminals (particularly those who are good at working out who to bribe and who to threaten with a machine pistol).

4. Strict liability for TTPs

The consultation paper proposes that TTPs should be strictly liable if private keys leak. In public key cryptosystems, the owner of the public key must have the private key in their possession in order to be able to sign messages or to read incoming encrypted material. But the TTP is going to have a copy as well under the "compulsory key escrow" arrangements. If the keys leak it may be impossible to tell where the leak was from. If strict liability exists - the balance of proof swings against the TTP and this will dissuade companies from entering the industry.

4.1 What will happen when a key leaks

It is a defence under the strict liability provisions if the TTP can show that the end user leaked the keys. Since this is likely to be the first port of call for any TTP under these circumstances, one imagines that as soon as the TTP is notified of a claim, they will turn up on the doorstep with an Anton Piller order to seize machines to check for Trojan programs (sending keys out across the Net without the owner's knowledge), or for evidence of other sloppy procedures.

It must surely be against public policy to bring forward legislation which will effectively force reasonable TTPs to act unreasonably, with draconian procedures, just to protect their interests.

The public's experience with cash cards and the banks, where it is commonly accepted by everyone except the banks that phantom withdrawals occur, does not raise one's hopes in this area that the TTPs will just pay up.

If the Court finds that the keys have got out then there will be an automatic referral to a Tribunal which will check if there was access to the keys under warrant... if the Tribunal finds that the leak is from the law enforcement agencies then they have to cough up, not the TTP.

In a very strange proposal, quite out of character, the consultation paper envisages that the Tribunal findings will be published. This makes rather a nonsense of the secrecy which otherwise surrounds provision of private keys under warrant. One merely has to leak keys undetectably and one can, in due course, determine if warranted access has occurred!

4.2 What is a key worth ?

Liability above the minimum level will be subject to contract between the TTP and the client. This is an appropriate point to ask how much compensation does one need ? It's rather tricky to see what the cost of the divulging of private keys might be. There are companies in numerous areas which would be seriously damaged if people could not trust their products. Would you put your money into Northshire Building Society ? Their keys got stolen in that raid last week! At present companies in this position go to extraordinary lengths to protect their keys.

If there was some sort of raid made on a TTP, and keys were divulged, then the cost of all their customers changing their keys would be substantial... and it need not be a raid. Any potential security problem would mean that there was a risk of compromise. We're all used to changing our locks when we drop our keyring in the street, or stopping all our credit cards if our wallet disappears. The same assumptions that lost equates to in-use-by-the-bad-guys applies to encryption keys.

My current company changes keys for infrastructure on a semi-regular basis, with a fair amount of automation - so we've some idea how complex a task it is. I think that if we did it because our TTP slipped up we'd probably put in a bill for a thousand or so in wage bills alone...

If a TTP had 100,000 customers that's ten million pounds to pay out for admitting to having a magnetic tape which cannot be accounted for...

Then, besides these costs involved in just "changing the locks", one can consider the actual damage caused by the loss of privacy. One could lose a contract because one's bid price was known. Insider dealing is all about knowing things one should not, and how can one measure in money the invasion of one's privacy if all one's billets doux are being read by bored hackers...

The "strict liability" proposal has an upper limit on the amount payable. This does make it less attractive, but clearly no-one will want to be a TTP if the upper limit is infinite. The keys will leak, because these are human/computer systems we're talking of, and no-one who is expert in this field believes that they are going to be totally safe. However, unless you've been especially clued up and have negotiated a special contract, the TTP's financial liability is going to be limited.

So, in the end, one can only judge this proposal by knowing what the upper limit is. If it is one million then that's pretty realistic for the sort of real damage that the loss of keys would cause to a medium size company. If it is 100 pounds then that's totally laughable. The consultation paper does not even hint what sort of figure is being considered.

As we've seen, "strict liability" is a real problem for the TTP, because the potential damages are enormous, and keys may leak in bulk, not just one by one. Their only real defence (ignoring special events such as when warrants have been signed by the Secretary of State) is that the user leaked the keys. How can they possibly prove that ? If the private keys are published on Usenet, posted through an anonymous server then, as far as I can see, the TTP pays. You don't even have to invest in some brown paper envelopes to bribe a TTP employee - just make sure you don't get caught when you publish your own private keys and claim damages. The TTPs will have their suspicions that fraud has been committed, but they're stuck with strict liability. Who wants to be a TTP now ?

4.3 What about the foreigners ?

The proposals for access to escrowed keys envisage that there should be interworking with other jurisdictions. Now you might believe the assurance of our Secretary of State (perhaps more or less either side of an election) when you're told that only reliable people, perhaps on the South Bank, will have access to your private keys ... but are you prepared to trust the people in Langley or Paris or Bonn or Rome or Buenos Aires....

Under the proposals, I am pleased to see that you don't have to worry. You merely have to demonstrate that your key has escaped and you get compensation in the UK... the Tribunal will then tell you whether the TTP pays or someone else has to cough up. You get paid in sterling, even if someone somewhere pays in escudos.

The difficulty here is that if your private key appears on Usenet then you will know that it has been compromised. It might take a little longer, possibly years, for you to become aware if people are able to read your incoming mail or bug your phone conversations without your knowledge. Knowing that someone is liable and will pay, may not, in the end, feel like suitable recompense.

4.4 Other forms of liability ?

There is a great deal of discussion in the consultation paper on the liability of TTPs for the disclosure of private keys. There is no discussion whatsoever of the liability which TTPs may have for their other services.

We all expect that a major role of the TTPs will be acting as a certificating authority. viz: we expect them to be vouching for identity. If they fail to fulfil this role in an adequate manner, a proper legal framework is needed.

If Alice misleads a TTP into signing her key and then uses this fake identity to steal goods from Bob, then surely Bob should be able to proceed against the TTP for damages, attempting (presumably) to demonstrate that the TTP was negligent in checking Alice's identity. Yet there is no contract between Bob and the TTP so how can Bob manage this ?

Perhaps the expectation is that keys signed by a TTP will only be worth something if they are obtained direct from the TTP ? This does not fit in well with existing trust models, but might make some legal sense. The consultation paper is silent in this crucial area.

4.5 Liability - some conclusions

What it comes down to is that the government is proposing to force you to place your private keys inside a TTP, yet no matter how valuable they may be, they propose to limit your compensation when they leak - unless you make a special contract. This is far from ideal for the consumer.

It is even less attractive to the TTP because they are open to fraud.

There seems little reason to interfere with market forces. Assuming a free market - viz that key escrow is not compulsory - the level of compensation should be entirely set by contract between user and the TTP.

The issues of liability for other TTP services are notable by their absence from the proposals. Since some TTP services are offered to the community as a whole, there ought to be explicit ways in which the TTP should be liable to that community.

5. Questions:

My answers to the explicit questions are:

Paragraph 50 - Whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate in this context.

I reject compulsory licensing. The question is inapplicable.

Paragraph 54 - Whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents.

Legislation on electronic signatures would be useful. However, in the real world with imperfect key handling systems I suspect that this may be a very complex business and it will be some time before the real issues become clear. The less that is done beyond enabling their recognition the better.

Paragraph 60 - The appropriateness of the proposed arrangements for the licensing and regulation of TTPs.

The licensing and regulation assumes compulsory key escrow. I do not consider any form of licensing or regulation capable of ensuring this works safely.

Paragraph 65 - Where views are sought on the proposed conditions. [of licensing]

The conditions are such as to prevent smaller companies providing limited services within a licensed regime. They should be made more flexible.

Paragraph 70 - What, if any, specific exemptions for particular organisations offering encryption services would be appropriate depending on the nature of services offered?

I reject compulsory licensing.

Paragraph 71 - Whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK?

I reject all nationalistic approaches to a global marketplace.

Paragraph 81 - Should secure electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP be introduced?

If material is moved out of the TTP then it should be done securely. Only a fool, in my opinion, would place such material in there in the first place.

Paragraph 82 - Does the legislation specifically need to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy?

I am not a lawyer, and offer no opinion.

Paragraph 84 - Should deliberate (and perhaps wilfully negligent) disclosure of a client's private encryption key be a specific criminal offence, or would existing civil and criminal sanctions suffice?

Divulging other people's secrets when you have specifically contracted to keep them should clearly be an offence. There would be practical advantages to individuals proceeding against large companies if this were to be made a criminal matter, so I would be in favour of legislation. It should be far more wide-ranging than just the field of cryptographic services.

Paragraph 89 - Whether the principle of strict liability (as described) is appropriate in these circumstances?

I am not in favour of strict liability. See section 4 above.

Paragraph 91 - Whether, in principle, an independent appeals body (such as a Tribunal, separate from that referred to below) should be created ?

I am not a lawyer, and offer no opinion.

Paragraph 93 - Whether the proposed duties of an independent Tribunal are appropriate.

I am not a lawyer, and offer no opinion.

Annex C - Would mandatory ITSEC formal evaluation be appropriate?

This type of evaluation is far too poorly understood by the marketplace. It seems like overkill.

Para 96 - Confidentiality

This submission will be published in full on the Internet. I have no problem with it being quoted, in suitable context, in any summary of comments.

Richard Clayton
Dorking, Surrey
30th May 1997

© 1997 Richard Clayton