As remarked above, the DTI declared last June that the keys of individuals and of small-to-medium sized enterprised should be managed by TTPs who would typically be clearing banks or phone companies.
This proposal is unlikely to command public confidence; the immediate reaction of a GP of my acquaintance was that `so BCCI is trusted to manage its own keys, but I have to get my keys managed by someone such as BCCI'. The DTI must consider the reality that underlies the public perception that many large companies are untrustworthy.
During 1992-3, I conducted a study of the failure modes of the cryptographic systems used by banks to protect the PINs and associated keys used to protect their automatic teller machines. This was initially done in the context of a class action in which large numbers of people sued thirteen banks for money debited to their accounts in `phantom withdrawals'. The results of this study were published; they are appended and are hereby included.
The banks initially claimed that their systems were infallible, in the sense that no ATM debit could even conceivably be made to a customer's account unless the relevant card and associated PIN were used. I demonstrated on `Newsnight' in May 1992 that this was not the case, and that a card issued to one BBC journalist could be altered in order to take money from another journalist's account. The pretence of infallibility cracked under a stream of criminal cases in which villains were convicted and imprisoned for ATM fraud (I acted as an expert for the prosecution in some of these cases, and for the defence in others). By October 1993 a spokesman for APACS admitted on television that banks routinely misled both their customers and the police about the security of their ATM systems; he claimed that this was an unfortunate necessity of doing business as otherwise the banks would be inundated with false claims.
In view of the banks' well documented incompetence and publicly admitted mendacity in the matter of managing cryptography, it is not reasonable for the DTI to expect that the public, the professions and the small business sector will be happy with the plans to force us to buy in key management services from them. (Similar comments could be made about the other bodies proposed as TTPs such as phone companies and satellite TV operators.)
If it is the intention of the DTI to give the British banking sector some kind of head start in the world of electronic commerce, then I would rather suggest the adoption of electronic banking legislation along US lines, under which the onus of proof in disputed transactions is squarely on the bank rather than the customer. Given a free choice, I as a customer will clearly favour to do my transactions through (say) Citibank, who will refund me if something goes wrong, rather than a UK clearer that will claim it to be my own fault and will hide behind a legal system that excludes the middle classes from pursuing claims of any size. In passing I will remark that the comfortable immunity of British banks from consumer litigation may damage them severely once the Internet forces them to compete on level terms with their American rivals.