Extracts from Nicholas Bohm's Response
to the DTI Consultation Paper
Licensing of Trusted Third Parties for the Provision of Encryption Services
This Comment was published on 11 July 1997.
Citation: Bohm N, 'Response to the DTI Consultation Paper', Comment, 1997 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/Consult/ukcryp/bohm.htm>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/bohm/>
The entire submission is available from Mr Nicholas Bohm by e-mail at firstname.lastname@example.org .
I make my comments on the basis of 25 years’ experience as a practising commercial lawyer in a major City of London firm of solicitors. I include my curriculum vitae as an Appendix to show the range of my relevant experience. It includes major international transactions, work involving computers and intellectual property, and banking and insolvency work. An additional example of relevant experience was a detailed review of the contractual terms in use by a London clearing bank for its electronic banking services.
2 In major transactions, and particularly in the case of international ones, lawyers are often required to give formal opinions on the validity of agreements and security documentation. This requires a close analysis of who relies upon whom for what in the transaction, and a detailed articulation of the underlying assumptions. This analysis is rarely undertaken by anyone outside the legal teams, and I believe that this gives practising lawyers with the necessary experience a particularly clear view of the issues relating to authentication which are of central relevance to the consultation paper.
Just as communication by telex and later fax arrived to supplement communication by ordinary post, so communication by forms of electronic mail is now coming to supplement post and fax (telex use having greatly declined). Each new technology has brought advantages, together with some drawbacks, and commercial law and practice have required adaptation to meet the new circumstances. If a scheme of regulation is to be applied to electronic communications when no similar scheme has been thought necessary for earlier methods of communications, it must be justified on the basis of a commercial analysis of the features that are new to electronic communications.
4 The particular advantage of electronic mail is that it conveys text (and spreadsheets and other files) in its original form, so that the recipient can process it directly in his computer system. A document created by the sender in his word processing application can be sent by electronic mail and thereby enable the recipient to make amendments to the identical text in his own word processing application, for example.
5 Electronic mail can operate between computers in a network within a building, or between two machines (or two networks) connected by the public telephone network or by dedicated telephone lines. It can also be sent over the growing informal network known as the Internet.
6 All transactions conducted remotely are vulnerable to interception and forgery. The post is generally regarded as relatively secure from interception, telephones (and the faxes sent by telephone line) somewhat less so. The Government can always intercept both (within the limits laid down by law). Letters and documents are significantly more difficult to forge than their fax equivalents, which are in essence fairly poor quality photocopies.
7 Electronic mail within a private network is probably more difficult to intercept than over the public telephone network, but electronic mail over the public telephone network is as easy or difficult to intercept as fax or voice communications. Electronic mail sent over the Internet is notoriously insecure and vulnerable to interception. It is also highly vulnerable to forgery, since an electronic message has inevitably lost many of the characteristics of letters and even faxes that aid the detection of alterations or wholly bogus imitations.
8 The solution to this problem has been found in developments in public key cryptography which took place in the 1970s and 1980s. The result has been the widespread availability of simple and inexpensive means of doing two things:
(1) encrypting electronic messages with a very high degree of security from decipherment by anyone other than the holder of the public key used by the sender, and
(2) marking them so that the recipient can be certain that they have not been altered in transmission and that they originate from the holder of a particular public key.
9 A brief description of the system is necessary (in which the details are considerably simplified at some expense in accuracy but not in result): (1) A user generates a key pair, one being his public key and freely publishable, the other being his private key and kept strictly secret. The keys are associated mathematically, but the private key cannot practicably be derived from the public key.
(2) A message encrypted with the public key cannot be decrypted by that key, but only by the corresponding private key.
(3) A message encrypted by the private key can be decrypted by anyone with the corresponding public key; but the fact that it can be decrypted by that public key proves that it must have originated with the holder of the corresponding private key, as no other key could render it decryptable by that public key.
(4) X sends B a message encrypted both by B’s public key and X’s private key. B (and only B) can decrypt it, using B’s private key. He finds that X’s public key is also required to decrypt it, from which it follows that X’s private key must have been used to encrypt it, and that it could not have been altered since X encrypted it.
(5) The message was secure from interception, and it must have been received from X unaltered.
A slightly fuller explanation of one implementation of this procedure, taken from the PGP user guide, is set out for interest as an Appendix.
10 It should be noted that X never needs to use his own public key. He uses other parties’ public keys to encrypt messages to them; and he uses his own private key (a) to authenticate his own messages to others and (b) to decrypt others’ messages to him. It is possible for a user to maintain two separate key pairs, reserving one for authenticating messages (changing it rarely) and another for encryption (changing it more often for added security). Users with satisfactorily secure arrangements for the protection of their private keys may not need two key pairs, and can use the same pair for both purposes.
11 This leaves two problems, one for the parties to the message and one for the Government.
12 The parties’ problem is how to know which public key (or which public authentication key) belongs to which person. The problem is easily solved if they know each other and meet and exchange keys before using them, or if they can be introduced by a third party known to both. It is in cases where the parties are unknown to one another, and no introduction is available, and yet certainty of their identity is important, that a system of certifying authorities is required to vouch for the identity of holders of public authentication keys. (It is not necessary for encryption only public keys to be similarly certified: if encrypted text is sent to the wrong person, i.e. a person who does not hold the corresponding private key, the text will be unreadable.) Certifying authorities are the trusted third parties referred to by the DTI.
13The Government’s problem is that encryption could prevent it from reading messages lawfully intercepted for law enforcement purposes, or delay its ability to do so, or compel it to rely on burdensomely expensive methods for obtaining access to such messages, or methods which would tend to reveal its interception.
14 To solve the parties’ problem, so far as it is one, certifying authorities need do no more than vouch for the fact that a particular public key belongs to a named person and has not been revoked. The certifying authority need know nothing of any party’s private key for this purpose. The DTI do not propose that certifying authorities who certify a public key for use for authentication should hold the corresponding private key.
The legislative scheme proposed is fundamentally misconceived. The arguments presented in its favour have greatly exaggerated not only the need for it, but also its utility either to the public and the business community or to law enforcement authorities. Controversy about law enforcement access and the impracticability of the scheme will in fact hinder the development in the marketplace of widely accepted interoperable standards and the extension of security in electronic communications. In exposing private encryption keys to unnecessary risks it poses an unacceptable threat to privacy (and in some cases a risk of electronic fraud) without adequate countervailing advantages. It creates new and unnecessary criminal offences without adequate justification. The whole scheme should be withdrawn entirely.
80 Even if the scheme is so weakened in its requirements for private key deposit as to present little threat to privacy, it is objectionable as laying the foundations for the introduction of stronger requirements at a later stage once the obvious weaknesses emerge.
81 I respond to the DTI questions as follows:
Paragraph 50 Whether the suggested scope of an exclusion from licensing for intra company TTPs is appropriate in this context.As the licensing scheme is inappropriate, no comment can be offered on the exclusions.
Paragraph 54 Whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents.Presumptions are unnecessary, but legislative recognition that the concept of signature, like those of document or record, extend to things in electronic form, would be helpful.
Paragraph 60 The appropriateness of the proposed arrangements for the licensing and regulation of TTPs.The proposed arrangements are wholly inappropriate.
Paragraph 65 Where views are sought on the proposed conditions.The conditions are inappropriate because they form part of an inappropriate scheme.
Paragraph 70 What, if any, specific exemptions for particular organisations offering encryption services would be appropriate depending on the nature of services offered?There should be no licensing scheme and no need for exemptions.
Paragraph 71 Whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK?No.
Paragraph 81 Should secure electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP be introduced?All handling of private keys should be done by the most secure possible means.
Paragraph 82 Does the legislation specifically need to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy?Where a court has an existing power to order disclosure of records, it undoubtedly has the power to order them to be disclosed in intelligible form. No case has been made for an additional specific power relating to cryptographic keys.
Paragraph 84 Should deliberate (and perhaps wilfully negligent) disclosure of a client's private encryption key be a specific criminal offence, or would existing civil and criminal sanctions suffice?No case has been made for any new offence.
Paragraph 89 Whether the principle of strict liability (as described) is appropriate in these circumstances?Yes; but the point is irrelevant because schemes involving the deposit of private keys are not acceptable. It is notable, in a paper basing itself on consumer protection, that no similar principle is proposed in relation to errors by a certifying authority in issuing an incorrect certificate. However, since certifying authorities would in practice have to publish their terms of business, the extent of their acceptance of liability would be part of the ordinary law of contract, and there is no reason for imposing any special regime for this purpose.
Paragraph 91 Whether, in principle, an independent appeals body (such as a Tribunal, separate from that referred to below) should be created ?No, because the licensing scheme is inappropriate.
Paragraph 93 Whether the proposed duties of an independent Tribunal are appropriate.No, for the same reason.