Skip to main content Skip to navigation

JILT 1998 (3) - Alistair Kelman

Just say 'non'

`Proposals for a European Parliament and a Council Directive on a Common Framework for Electronic Signatures´ (98/0191)

Alistair Kelman
LSE Computer Security Research Centre
akelman@cix.compulink.co.uk


This is a Commentary published on 30 October 1998.

Citation: Kelman A, 'Just say 'Non'', Commentary 1998 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/98-3/kelman.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1998_3/kelman/>



What are the words that every sensible government should fear? 'I'm from the European Commission and I am here to help you'. The most civilised reaction to any such a statement should be to bundle the speaker onto the next plane back to Brussels.

lilacbar2

"This document (which is available in nine official community languages) is full of platitudes..."

lilacbar2
Take, for example, Electronic Commerce. Those dutiful governments like the United Kingdom who have sat and waited for the European Commission to put forward their proposals in the field of Electronic Commerce were given their reward in May when the Commission presented its 'Proposals for a European Parliament and a Council Directive on a common framework for electronic signatures' (98/0191). This document (which is available in the nine official community languages) is full of platitudes repeating the obvious statement that 'Divergent rules concerning the legal effect attributed to electronic signature are particularly detrimental to the further development of electronic commerce and, for this reason, to economic growth and employment in the Community' but then fails to identify the rules and address the issues in a comprehensive manner. Instead the Commission has put forward a draft Directive which creates a whole new series of TLAs - Three Letter Acronyms - to be used to describe the operation of Public Key Cryptography.

In my view the new acronyms are confusing and misleading. Turn to any book on electronic commerce or public key cryptography and you will quickly understand what is meant by a 'private key' and a 'public key'. It can take a little longer to understand 'hashing' and the meaning to be ascribed to the term 'message digest'. But we all use the terms in the same way and around the world statutes have been drafted which reflect the ordinary well understood meanings of these terms.

Except for the European Commission. Under their draft directive I no longer have a private key for my digital signature. I have a SCD to my electronic signature. SCD is a Signature Creation Device. But although the definition talks of an SCD being a 'uniquely configured physical device' is also can mean in the definition 'unique data such as codes or private cryptographic keys'. So it means both a physical device and/or intangible data - which clearly are not the same thing.

Under the definitions in Article 2 of the draft Directive a 'signatory' means a person who creates an electronic signature. Earlier on the signatory is mentioned as being someone who had an electronic signature 'under his sole control'. So signatory would, on the face of it, appear to mean a human being. Yet some digital signatures will be used in electronic commerce as a type of corporate seal indicating, for example, that the Board of Directors of a company has approved a particular document. They will frequently belong to an Office, not to a person and the SCD will be an artefact used by company management to create non-repudiatable contractual relations. SCD belonging to offices rather than people is not clearly spelt out in the draft Directive.

I think, but I am not totally sure, that my public key is called a SVD or Signature Verification Device by the European Commission. This too is a 'uniquely configured physical device' But it also can mean 'unique data such as codes or public cryptographic keys'. Confused? I certainly am. By creating a new jargon which does not properly map onto the technology the Commission can only undermine any approval process for Certification Agencies - if the Directive is not clear how can we test against it?

Away from the Commission we are all familiar with the concept of the Trusted Third Party or TTP. Where the TTP is regulated under legislation such as a banking act or the like we call the TTP a Certification Authority or CA. This has been the practice in the USA and in the DTI. But not, apparently in the European Commission. In the draft Directive Certification Authorities are renamed CSPs, Certification Service Providers. Will the public confuse CSPs with Internet Service Providers or ISPs?

But not to worry since everything is meant to work by ESP. No this is not Extra Sensory Perception (although you need this to comprehend the rest of the draft Directive) - it is Electronic Signature Product. I am not quite sure if this is meant to be what conventional cryptographers might call a Message Digest. But it certainly does appear to be a complete and utter hash.

Even its use of the term 'electronic signatures' seems quite inappropriate. In conventional speech we talk about a signature as being the name, initials or mark of a person written by himself. A digitised signature is a scanned version of such a signature. A digital signature however is a means of authenticating a document by means of public key cryptography. But for no good reason the Commission does not refer to these as digital signatures but to 'electronic signatures'

As many will know in electrical and electronic engineering for over thirty years engineers have talked about electrical signature analysis or Electronic Signature Analysis (ESA). The terms are used interchangeably by engineers since they both effectively refer to the same thing; engineers working on bigger machines tend to talk of electrical signature analysis and those on smaller devices of electronic signature analysis. ESA is the powerful methodology for unobtrusively diagnosing the condition and operation of electrically driven machines and systems. Researchers have successfully applied ESA to the monitoring and diagnosis of numerous types of industrial equipment, including: axial, centrifugal, and reciprocating gas compressors; fluid pumps; ventilation fans; centrifugal separators; vacuum pumps; motor-operated valves; transformers; circuit breakers; generators; and electrolytic cells. The current and/or voltage signals are processed via specialised analogue and digital techniques to yield characteristic time- and frequency-domain signatures (waveforms and spectra) which can easily be identified for monitoring, control, and fault-detection purposes. The resultant data for mechanical systems are similar in form to information obtained via standard vibration-sensing techniques and can be analysed using essentially identical methods. Several of the signal-detection techniques - including amplitude, frequency, and phase demodulation of the line current; digital line-synchronous sampling; and noise-correlation analysis - have been patented. A whole literature has been built up around electronic signatures and electronic signature analysis. By calling digital signatures 'electronic signatures' and drafting everything in terms of devices the Commission has created sources of yet more confusion. Why call it an electronic signature when it might later on be encoded into optical or bioelectric devices. The term 'Digital signatures' at lease indicate that its existence arises from Number Theory in Mathematics.

Aside from the unnecessary jargon there is also a serious flaw in the Commission's thinking. Tucked away in the Annex II of the provisions are the 'Requirements for CSPs'. They include a provision which allows a CSP to offer to store and copy private cryptographic signature keys if asked to do so by the signatory. Think for just a moment - why would anyone want a CSP to have a copy of their private signature key? Having such a copy would mean that the CSP could perfectly and irrevocably forge the owner's signature. Only if European Commission approved CSPs were actually to be Mafia run fronts that at the right moment could use owners private keys to steal could such a permission be understood.

In a few days time in the Queen's Speech the Government will announce the 'Millennium Bug and Electronic Commerce' bill which will create a UK infrastructure for digital signatures. The DTI proposals are based around plain english and will not allow Certification Agencies to keep copies of owner's private keys since there is no legitimate reason why such a copy should be kept. The indications are that the DTI bill will be a balanced proposal which addresses many of the concerns of privacy advocates while establishing a safe and sane system for use by the City and British Business.

JILT logo and link to JILT home page