next up previous
Next: Conclusion Up: No Title Previous: Trustworthiness of Third Parties

Odds and ends

A number of other points are raised by the DTI document:

  1. The fact that PGP keys are used for both decryption and signature means that it would not be feasible to escrow simply the decryption key. But PGP has become the de facto standard for secure email (largely because government export controls prevent any competitor getting a wide enough user base) and this means we have to use it when consulting for overseas organisations such as Microsoft and Intel. Without these consultancy relationships (that contribute of themselves to the balance of payments) we would not make the contacts that lead in due course to much more substantial research funding. If legislation prevented our using PGP, or forced keys to be escrowed, then it would have an immediate and negative effect on my own income as well as a longer-term and greater negative effect on the income of the University of Cambridge.

  2. At Cambridge University Computer Laboratory, we already certify the PGP keys of our students and faculty at their request. The investment involved has been minimal (zero in financial terms) and the service is perceived to be modestly useful. The DTI proposals would stop us offering this service. Yet since the Laboratory built the first stored program digital computer in 1948, there has only been once instance in which our assistance has been sought by police investigating a crime that may have involved the use of the Laboratory's facilities. In our particular case, the economic loss would outweigh any conceivable law enforcement gain. No case has been made that that a different state of affairs would pertain anywhere else in the economy.

  3. It is not true that it is hard to create a signature scheme that cannot be `abused' for encryption. Take Fiat-Shamir with a modulus whose factorisation is known to no-one; let each user choose a secret vector at random; and let the square of the vector be certified as the public key. (Of course, such a scheme can be used to sign a public encryption key using another mechanism, or to authenticate a Diffie Hellman exchange, but so can any digital signature mechanism.)

  4. On paragraph 54: my understanding has always been that the essence of a signature is the will of the signer rather than the nature of the signature. Thus even an ascii name typed at the end of a cleartext email is a signature, and I understand has been held to be such in a libel case.

    If a separate rebuttable presumption were brought in, perhaps along the lines of the proposed German digital signature law, then legislators should avoid the mistakes in the German draft (it does not allow for role as opposed to identity certificates, it insists that certification chains have a length of precisely one, it renders invalid all signatures whose public keys are not certified by a licensed TTP, and would appear to render invalid all signatures made in accordance with current UK government proposals). Many of these mistakes stem from an attempt to tie up the digital signature issue with the crypto control issue. This is a bad idea, especially when the advisers to the drafters of legislation are not particularly au fait with the technical issues involved in non-military cryptography.

  5. On paragraph 60, 70 and 71: the licensing of TTPs is in my view completely inappropriate and should not be undertaken whether by the DTI or anybody else. If fact, if there were any demand for TTPs at all, then surely the market would by now have called them into existence; commercial cryptography has been around for long enough.

  6. On paragraph 65: attempting to force trust management facilities to be compatible with each other is an unwarranted interference in the market and is not likely to achieve anything. There is simply no call for my mobile phone to have anything to do with my ATM card -- and the mechanisms in use are too different for interworking to be in prospect.

  7. On paragraph 81: it would be highly imprudent for anyone in possession of key material to release it without evidence of compulsion. This should take the form of a paper warrant or subpoena. Electronic means of presentation would be too open to abuse by GCHQ and by foreign intelligence services, especially if the `CASM' mechanisms for escrowed electronic mail remain the standard in government.

  8. On paragraph 82: given that the Labour party was elected on a platform of categorical opposition to key escrow and a majority of 179, the issue of such legislation does not arise.

  9. On paragraph 84, 91 and 93: this is an aspect of the current lamentable state of affairs under which the middle classes are effectively excluded from seeking legal redress for amounts in excess of the small claims limit from large defendants by the rules on legal costs. Assuming that keys were mismanaged by a bank, the experience of people litigating in the ATM cases indicates that there would be little hope of effective redress.

    This is yet another reason why the centralisation of trust into organisations such as banks is unacceptable. Simply creating a new criminal offence of releasing key material without a warrant would not suffice; the police are notoriously unwilling to prosecute large organisations such as banks and failed to do so on more than one occasion during the ATM litigation despite compelling evidence of conspiracy to defraud (which, as remarked above, included a televised confession of the conspiracy).

    By contrast, if the current more distributed trust structures are allowed to be incorporated into the electronic world in the normal course of events, then for many purposes it will be possible for users to use trust services provided whether implicitly or explicitly by people against whom they have some effective redress, such as a GP (who can be reported to the GMC for misconduct) or a local businessman (with a reputation in the community that could be lost).

    A long term solution to these problems would involve changing British procedural law to make it more closely resemble American law. While I believe that to be desirable, it is not imminent and legislative provision in other areas must reflect reality.

next up previous
Next: Conclusion Up: No Title Previous: Trustworthiness of Third Parties

Ross Anderson
Tue Oct 21 11:00:05 BST 1997