This is a summary of the problems with the DTI proposals. For further argument and discussion please return to the main page and follow the links there.
The bulk of this discussion relates to public key cryptosystems. These are not the only form of encryption, and some of the DTI proposals may be suitable for other schemes. However, they seem to be unsuitable when applied to the current, quite successful planet-wide usage of public key systems.
The DTIs proposals are unclear as to exactly what activities will necessitate being licensed as a TTP. It is possible to read them in such a way that employers would not be able to certify their employees public keys to indicate their relationship.
Public key protocols for the usage of keys mean that you can be remarkably open about activities which you might naively expect to have to keep secret. This openness allows the community as a whole to decide whether vendors of cryptographic services are to be trusted. There are real advantages to using a licensed TTP where the State plays a role in establishing that trust. The careful (and of course the paranoid) will still wish to take their own steps to establish the appropriate level of trust, but for many people, the use of a licensed TTP will be the obvious course of action.
Since there are advantages to being licensed, it seems strange that the DTI wish to ban all non-licensed activities, and indeed to go so far as to envisage prohibiting foreign vendors of services from advertising in the United Kingdom. Education in the benefits of using TTPs should ensure that untrustworthy vendors will be rapidly driven from the marketplace, but where sufficient trust can be established by the community as a whole in unlicensed activities I can see no policy reason why these should not continue to run just as they do at the moment. In particular, the running of key servers, the provision of time stamping services, and the signing of keys should be allowed outside the licensing system.
Encryption services for the masses are so new that it will be several years before appropriate levels of service and appropriate pricing levels settle down. Legislation to force all such services within the expensive umbrella of a licensing system will distort the growth of this industry, and will inevitably lead to excessive charges, thereby delaying mass takeup of encryption. Worse, arbitrary decision points between which services are licensed (when exactly does publishing a key differ from "key storage"?) will make the law appear complex and arbitrary.
It may be that legislation is not in fact necessary to produce the licensing regime which best fits our needs, or if new laws are required, then they should be tied in with the establishment of a proper framework for "electronic signatures" rather than with the current blanket approach to regulating the entire fledgling industry.
The consultation paper is incredibly unclear on its proposals for key escrow. It indicates that if private keys are held by TTPs then they should be available in suitable circumstances under warrant. The document fails to tackle whether the holding of private keys is or is not to be compulsory.
In my view, compulsory key escrow would be a major error of policy. Within a few years, we all expect the volume of business transacted electronically to be simply enormous. In such a world, the possession of large numbers of private keys will enable you to read documents containing information worth substantial amounts of money. If private keys for "electronic signatures" are also available to you, then you will be able to forge peoples identity in an impossible to detect manner.
The existence of huge caches of private keys within the TTPs will make them major economic targets, of the sort of scale we currently associate with gold reserves or the banking system as a whole - indeed they will be, to all intents and purposes, the interface between the banking system and the rest of the economy. As such, there will be substantial risks that computer and systems failure within the TTPs, or the presence at trusted levels of corrupt personnel, will enable enormous frauds to be carried out.
There is always the risk of fraud when society trusts institutions. However, this risk is increased enormously if private keys are compulsorily placed into the new institution of TTPs. Public key systems mean that there are no technical reasons for taking the totally unnecessary risk of moving from a distributed model of key holding, where each individual and company guards their own keys. The risks of disclosure are higher in the distributed model, but the cost of each security failure is far lower.
I do not believe that we yet know how to build the human-computer systems needed to protect TTPs holding the enormous numbers of keys which compulsory key escrow would imply. I don't believe this is an area in which to try it and learn from the inevitable mistakes.
The only reason the DTI seem to have for compulsory key escrow is that they hope to catch a few, incredibly stupid, criminals. In chasing this chimera, they are greating a huge magnet for the very very clever criminals (or indeed just those who are good at working out who to bribe and who to threaten with a machine pistol).
The State believes that it has the right, in serious cases of unlawful activity, to infringe the rights of individuals in pursuit of the good of the whole of society. In particular, the Interception of Communications Act allows the State to "listen in" on various forms of communications between those who are suspected of wrongdoing.
It is envisaged that these powers are to be extended to being able to intercept and read encrypted material, by allowing the State to have surreptitious access to any private keys which may be held in TTPs.
At the same time, the DTI propose that UK citizens may be freely allowed to use any crytographic system they wish.
This just does not make any sense. The bad guys who are clued up enough to encrypt their traffic are not going to slip up at the last moment and use an escrowed key. Even if they do use escrowed keys, there are techniques involving multiple encryption or steganography which will allow them to hide secure traffic alongside readable information.
The nature of the sort of encryption programs and standards which currently exist mean that unless the State has knowledge of exactly whose private keys have been escrowed they will unaware what traffic they could read if they asked for the keys under warrant. Of course, if compulsory key escrow was in place, then this would become a simpler task. They would still be unaware what was inside the encrypted traffic, but a universal monitoring scheme would allow them to start treating the use of non-escrowed keys as in some sense subversive in itself.
Many people have fears, which I have a lot of sympathy with, that the current proposals are only stage one, and that a future piece of legislation will just "tidy up" by banning non-standard encryption, perhaps in the emotional wake of some outrage committed by terrorists who had enough sense not to use escrowed keys. Thereafter, we will be living in an ultimate Big Brother state where there is no privacy any more.
Whilst accepting that there is a need to monitor extreme anti-societal behaviour, there are other methods than interception of encrypted traffic in the middle of two-way conversations. In particular is possible to monitor one end of the conversation using non-invasive techniques. Few criminals have access to equipment which has been hardened against radiating exactly what is on the screen to nearby detector vans.
But there is a more serious problem with traffic interception if it is done in the middle and not by monitoring the suspect. It is in the nature of public key encryption that outgoing messages from a suspect will only be readable if the private keys for the receiving person are available. Thus, if a suspect writes to many innocent people, all of their private keys will have to be made available to the investigating team, in order that their innocence can be established. But it is in the nature of such private keys that once one has them, one can read all correspondence, both past and future. What's more, the keys are no longer as "safe" as they are inside the TTPs, but are in the hands of individual law enforcement officers. There is then a greatly increased risk that these keys will leak, entirely undetectably, to people who should not have them.
Obtaining of private keys under warrant is a very different ability than that given by the standard sort of wiretap envisaged in the Interception of Communications legislation. In my opinion it is far too sweeping a power to make available because it infringes the civil liberties and endangers the economic livelihood of far too many innocent people.
As a final note on this subject, the DTI propose that warrants should be obtainable in secret and executed in secret, yet if a key leaks, a Tribunal will report in public. This is just weird.
The DTI propose that TTPs should be strictly liable if private keys leak. In public key cryptosystems, the owner of the public key must have the private key in their possession in order to be able to read messages or to read incoming encrypted material. In such a world, the TTP may be fraudently made liable for the leak of private keys. If strict liability exists, this will dissuade TTPs from entering the industry.
An important role for TTPs will be as Certificating Authorities for key certificates. For electronic communication to work, we require authentication and authorisation, viz: we need to know that people are who they say they are, and we need to rely upon their word. In the physical world, business is used to handling folding money, cheque guarantee cards, bank references or indeed bankers drafts. All have special properties and guarantees, not all of which are the same.
Similar sorts of promises are needed for electronic transactions. They will not be absolute promises, in just the same way as their physical counterparts are not absolute promises.
A common form of such promises will be signatures by Certificating Authorities applied to public keys. Since the community as a whole will come to rely upon these signatures, without perhaps any direct contractual connection with the Certificating Authority, there is need for a legal framework to make the Certificating Authority liable for their actions. Such liability would of course be limited, but without any liability their role will become almost worthless, to the detriment of electronic trade.
HTML problems? mailto: webmaster@happyday.demon.co.uk