• No results found

Licensing of Trusted Third Parties for the Provision of Encryption Services

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Licensing of Trusted Third Parties for the Provision of Encryption Services"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Licensing of Trusted Third

Parties for the Provision of

Encryption Services

Prof. Simon Rogerson

Director

srog@dmu.ac.uk

Dr. N Ben Fairweather

Research Fellow

nbf@dmu.ac.uk

This document should be read in conjunction with the DTI document ( !"$# %&(')!""*+"$, -$"*./

) of March 1997.

Introduction

We agree that it is vital everyone has the opportunity to benefit from the evolving information technologies and that this implies a need for secure electronic commerce facilities. The primary focus of the proposal appears to be sustaining the commercial supplier-client relationship in an IT-dependent world which might limit public acceptance and confidence in the TTP concept.

(2)

The proposals for government agency access appear quite lose. If the collection of intelligence is made too easy then there is a danger that agencies will invade the privacy of people going about their lawful but unconventional business when there is no grounds for suspicion other than being unconventional.

Comments Relating to Specific Paragraphs

Section II: Government Policy Framework

Paragraph 10 - In certain situations where repressive governments operate the use of encryption may well be essential in forming an effective political opposition.

Paragraph 14 - Personal data must be capable of transmission without interception by third parties who wish to abuse that data. There must also be consideration of the legitimacy of the transmission.

Paragraph 17 - The issue of trust is fundamental to these proposals. There are doubts about the degree of trust placed in TTPs if they enable security services to gain access to data that is highly sensitive. It could be argued that licensing is not primarily to establish trust but makes encryption illegal that cannot be breached by intelligence service. There is certainly a need to have a mechanism in place that independently monitors "legal" intervention.

There is a need to have clear definition of what is meant by fit for purpose. Consumers protection must encompass both direct and indirect consumers.

Section III: European Union & OECD Developments

Paragraph 24 - Global security will be as strong as the weakest national approach.

International agreement regarding TTPs is essential so that a minimum acceptable global standard is established in TTP protocol and data exchange. Key principles are an

(3)

Paragraph 25 - Individual privacy and national security concerns can be in significant conflict. There needs to be greater safeguards regarding key escrow and warrants if both are to be enabled.

Section V: Trusted Third Parties

Paragraph 39 - TTPs should have some degree of responsibility in ascertaining who is going to use their service and for what purpose.

Paragraph 42 - There is a need to define the criteria to be used to measuring trustworthiness

Section VI: Structure of the Proposals

Policy considerations.

Paragraph 43 - Consumers and the general public need to be made aware of the issues related to TTPs and encryption so that they can make value judgements about trust and acceptance. An awareness programme should be part of the final implementation of this proposal.

Paragraph 45 - The licensing of organisations outside the UK is fraught with difficulty given the existence of the Internet.

Whilst users will be at liberty to make alternative arrangements to TTPs this might present immediate and reasonable grounds for criminal suspicions under these proposals. Paragraph 46 - There will be growing concern regarding the access to private keys if warrants are easy to obtain by government agencies.

Paragraph 47 - The suggestion of possible legislation to cover obtaining encryption keys other than those held by licensed TTPs infers that the safeguard of being permitted to use encryption technology from non-licensed sources is short term and probably worthless. Paragraph 49 - It is difficult to see why certain services, in principle are different. If there should be absolute privacy in these cases why should there be less in others?

(4)

Paragraph 57 - Licence conditions should be open for public inspection. There should be a public directory of TTPs and their performance and standing.

Paragraph 59 - There should be a well defined review mechanism covering TTP performance.

Paragraph 60 - Positive and individual licensing can be expected to have a highly inhibitory effect on the development of this industry.

Paragraph 64 - Whilst co-operation under legal access conditions is recognised it must not be capitulation. TTPs have a legal duty to the public not to provide access to

authorities unless they are sure they are legally obliged to do so. TTPs must be protected from undue pressure in such situations.

Paragraph 68 - With the increasing use of outsourcing and contracting the distinction between an employer and its suppliers is becoming blurred. There are many cases now of colleagues working alongside each other where some are employed directly and others via an agency under contract. Thus the meaning of "cryptographic protection between its employees" needs to be clarified.

Paragraph 75 - TTPs should register its association with TTPs in other countries be they licensed or otherwise.

Paragraph 76 - What are the provisions for the delegations of warrant issuing powers? What are the safeguards against them being used in inappropriate circumstances?

Paragraph 77 - A central repository will be highly sensitive in terms of potential security breaches and the distribution of keys to inappropriate agencies.

Paragraph 78 - The deadline of one hour effectively prevents challenges to the validity of warrants. If there are to be serious safeguards against the abuse of systems, there must be time for challenging of the validity of warrants. There may well be grounds for

restricting access of encrypted data to a subset which relates specifically to the

investigation in hand. The provision of the keys under a warrant must account for this. In practice it may be extremely difficult to limit access in this way.

Paragraph 83 - Whilst the suggestion of inappropriate disclosure of encryption keys being a criminal offence is welcomed the central repository and one hour rule restricts the offence to non-government agency disclosures. This limits individual privacy protection and undermines public confidence.

Paragraph 87 - The amount of compensation, once liability is proven, should be at the discretion of the Court.

(5)

Paragraph 92 - An alternate method would be that TTPs are required and enabled to ascertain the validity of warrants themselves. They would have substantial commercial interest in making sure that keys were not released on invalid warrants.

References

Download now ( PDF - 5 Page - 61.17 KB )

Related documents

Entorhinal transformations in abstract frames of reference

This result is partially a consequence of lower confidence when rating the friend and canonical individual as well as smaller mean absolute distances between those two individuals

Category 2 List of Authorised Accomodation for visitors from permitted countries as at

Marie Laure Suites (Self Catering) Self Catering 14 Mr. Richard Naya Mahe Belombre 2516591 info@marielauresuites.com 61 Metcalfe Villas Self Catering 6 Ms Loulou Metcalfe

Langmans Medical Embryology test bank questions

The corona radiata consists of one or more layers of follicular cells that surround the zona pellucida, the polar body, and the secondary oocyte.. The corona radiata is dispersed

Chapter 14. Working Capital Policy

A policy in which all of the fixed assets of a firm are financed with long-term capital, but some of the firm’s permanent current assets are financed with short-term

Effect of Chemical treatment on Flexure Properties of Natural Fiber-reinforced Polyester Composite

Three-point bend tests showed that the alkali treatments of Alfa fibers have also a significant effect on flexural modulus. From the histogram in Fig.2b, It is clearly seen that

TECHNICAL AND VOCATIONAL EDUCATION AND TRAINING (TVET) SYSTEM\ IN INDIA FOR SUSTAINABLE DEVELOPMENT

National Conference on Technical Vocational Education, Training and Skills Development: A Roadmap for Empowerment (Dec. 2008): Ministry of Human Resource Development, Department

An interval type-2 fuzzy logic based system for improved instruction within intelligent e-learning platforms

First, based on the teachers the average error and standard d preferred output and the syste type-1 fuzzy logic systems (on we present only a sample of th show that the type-2

Insurance & Liability Breakout Session - TRB Symposium July 2015 Insuring Autonomous Vehicles Changes? Challenges? Opportunities?

Insurers often use the following characteristics in pricing: o Motor vehicle record (driver safety record).. o