Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
02-07-1998 UK: CONNECTED - SIGNS OF INSECURITY IN CYBERSPACE - ANALYSIS.
Cryptography legislation is on the way, but a number of key issues still
have to be resolved, says Wendy Grossman.
Cryptography legislation has been a long time coming. Shortly before last
year's general election, the Department of Trade and Industry announced
proposals for creating a network of "trusted third parties" to provide
authentication services and enable electronic commerce.
Now, a year later, the DTI has released details of the 260 comments it
received on those proposals, along with a promise (or threat) of
legislation to be introduced in the next session of Parliament. The DTI's
spokesman, Nigel Hickson, says the legislation is expected to include
voluntary licensing for providers of cryptographic services; freedom of
choice regarding specific products or technologies; legal recognition of
electronic signatures; and legal access for law enforcement agencies with
the appropriate warrant. Some of these are a big improvement on last
year's proposals, which made licensing mandatory.
Because the Internet was designed to allow people to share information
rather than protect it, it is inherently insecure. Cryptography, the art
of scrambling data so it can't be read by unauthorised interceptors, is a
core technology for protecting the confidentiality of data and
authenticating its integrity via digital signatures. As we move towards
electronic commerce, digital signatures that are as legally binding as
handwritten ones are a necessity. In such a world, certification
authorities will act as guarantors in much the way that notaries public do
now.
The fly in the ointment has been law enforcement's desire for access to
the contents of encrypted communications lest the Net turn into a
free-for-all for drug dealers, terrorists, paedophiles and organised crime
(a quartet sometimes called the "Four Horsemen of the Infocalypse").
Privacy advocates, cryptography fans, civil libertarians and businesses
have all argued against this, on the grounds that restricting the use of
strong cryptography is like requiring everyone to send all their personal
mail on postcards.
It's a step forward, therefore, that this year's proposals have separated
signing keys (the scrap of data that proves the communication came from
you) from confidentiality keys (the key used to encrypt data so only you
can read it). Under last year's proposals, it was conceivable that law
enforcement officers might be allowed access to signing keys, a violation
of every basic precept of good security. Under this year's revisions, it
looks likely that signing keys will be exempt from law enforcement access
requirements.
But there is a lot still to be concerned about; in fact, the outlined
intentions raise more questions than they answer. For example, we don't
know who would issue licences or under what conditions; whether the same
service provider could offer both licensed and unlicensed services; what
liability service providers would have; the relationship to other laws,
particularly the Data Protection Act; or how uses other than signatures
and confidentiality fit in. Those other uses aren't trivial, either, as
they include such things as digital watermarking schemes to protect
intellectual property.
At the same time, the European Commission is looking at international
issues that are also important: how and whether the export of strong
cryptography should be restricted; how to ensure that national
infrastructures will be interoperable; and, again, what the liability of
service providers should be. "The most important principle," said Richard
Schlechter for the EC's DGXIII at a recent conference on cryptography in
London, "is to be sure that if you're doing business over the Internet you
have a legal signature at the end."
Everyone sounds so reasonable that you would never guess the political
battle over the availability of cryptography has been one of the fiercest
of recent times. Four years ago, as Hickson says, no one imagined the
Government would ever need a cryptography policy because no one except
governments had cryptography. The advent of cheap computing power and the
development of public data networks, along with the release on the Net of
the free program PGP (for Pretty Good Privacy), changed that. Across the
Internet, I can now read papers that 10 years ago would have been
classified out of reach and use software of a grade formerly available
only to the military.
At the same time, however, I take far greater risks by sending my personal
correspondence across Internet links than I ever did sealing it into an
envelope and entrusting it to the Post Office. So, without hesitation, I
can say: yes, we need a framework for electronic signatures, and yes,
there probably is a market for voluntarily licensed certification
authorities of one type or another. But we need to think very carefully
before we hand law enforcement agencies the right to our private keys, and
we need to think hard about what the answers should be to those unanswered
questions.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Jul 6 08:16:23 1998