A response to

Licensing of Trusted Third Parties for the Provision of Encryption Services

Melanie Dymond Harper
Herald Information Systems

30th May 1997

1. Introduction

The Department of Trade and Industry is proposing to license Trusted Third Parties to provide encryption services to businesses and other organisations wishing to use cryptography. These proposals are set out in the DTI's consultation paper [1] to which this letter is a response.

This letter will initially be sent by email to the address given in [1] for comments, ttp.comments@ciid.dti.gov.uk, due to the tight timescale; a printed copy will be sent as confirmation.

This letter is being written on behalf of Herald Information Systems by Melanie Dymond Harper, and should be construed as the official opinion of both parties on this matter. Herald Information Systems is also the UK agent for Thawte Consulting cc, a Certification Authority based in South Africa, but this letter should not be taken as the official opinion of Thawte Consulting cc.

2. Licensed TTPs -- good or bad?

The concept of licensing Trusted Third Parties to provide cryptography services seems appealing at first glance, but has serious flaws when examined more closely. In our view, the major flaws are as follows:

These flaws will be discussed in the remainder of this letter.

3. The services which TTPs will be expected to provide

Much of the paper, with the exception of a single sentence in paragraph 64, appears to be based on the principle that every TTP will wish to provide a 'full range' of cryptography-related services. This is very unlikely to be the case. For instance, certification authorities currently in existence might not wish to expand their operation to include time-stamping of legal documents, and someone wishing to provide identity services for individuals (perhaps a lawyer or a doctor) might not wish to provide similar services to businesses. However, the conditions under which they must operate would be the same no matter what cryptography-related service they might be providing.

This is also evident from the list of issues, in paragraph 62 of [1], that will be considered when licences for TTPs are to be issued. As listed at the moment, it will be extremely difficult for anyone except larger organisations to meet all of the criteria given.

For some of the cryptography-related services mentioned, for instance key certification, the resources of a large organisation are simply not necessary. The only point where a smaller organisation might have difficulty would be with the timescales required for the release of keys under warrants issued by law enforcement, and this will be discussed in section 4.

4. The timescales within which TTPs will be expected to provide these services

The timescales given within the consultation paper [1] are, frankly, unrealistic in the extreme. The suggestion in paragraph 78 that keys should be available from a TTP within an hour of the presentation of a warrant is bordering on the absurd. The time suggested allows neither any challenge by the TTP to such a warrant, nor checking with any appropriate authorities that the warrant was not forged, nor does it allow for any problems associated with obtaining information from overseas if necessary.

Charles Lindsey's annotated guide to the DTI paper [2] discusses this point in more detail, and also notes that recommended practice for key recovery is to partition the secret key among a number of independent parties so that a specified number of those parties must cooperate to recover the key. We observe that it is not likely that the DTI were unaware of this point, since it is known that academics from Royal Holloway, University of London, have been working with the DTI, and that Royal Holloway has been involved [3] in substantial research into secret sharing schemes which allow such recovery to be accomplished.

5. The perceived necessity for key escrow

The DTI paper appears to confuse the notions of key escrow and key recovery. Key recovery is useful for businesses who may have to deal with the absence, leaving or death of key employees with knowledge of the secret keys securing data vital to the business. However, as noted in section 4, such businesses may well not just hand over their secret key to a single TTP; they may divide it among more than one, or they may keep part of it themselves and the rest with one or more TTPs.

The assumption underlying the paragraphs discussing warrants and legal access to keys appears to assume that TTPs must be holding the secret keys for their clients. Only a small minority of the services envisaged require the TTPs to know any part of their clients' secret keys. Certainly services such as key certification, time-stamping and the like do not, and should not, require this knowledge.

If a TTP has to keep large numbers of secret keys, it immediately becomes a far more attractive target for thieves, fraudsters and the suborning of staff, and here again the point raised in section 3 with regard to the types of organisations who may expect to become licensed is relevant. The liabilities for the TTP are vastly increased due to a requirement which may not be seen as a benefit by their clients.

We recommend that TTPs not be expected to store private keys. Should law enforcement need to obtain these keys, then they should obtain a warrant to obtain them from the keys' owners, not from the TTP.

6. The compulsory nature of licensing

The DTI has clarified that the intention of the proposals is not to criminalise the private individual who signs her friend's PGP key and publishes a certificate referring to that transaction. However the paper is not at all clear on which groups are likely to be exempt from licencing, and this is an area in need of more attention.

Similarly, the paper states in paragraph 72 that the offering of encryption services to the UK public by an unlicensed TTP outside the UK will be prohibited. This is a fascinating statement, because:

7. Summary

It is our opinion that the proposals as they stand are not capable of producing a useful and workable structure for licencing Trusted Third Parties. The licensing regulations are too strict, their compulsory nature inappropriate, and the implications that key escrow must be a part of using a TTP are unacceptable. We hope that the DTI will take these views into consideration and either rework their proposals substantially or drop them completely. We further hope that the change of Government, and therefore of policy (inasmuch as the Labour Party's declared policy in this area does not fit well with this document) will cause the ideas within the paper to be rethought.

8. References

[1] Licensing of Trusted Third Parties for the Provision of Encryption Services, DTI Consultation Paper, March 1997.

[2] Critique of DTI proposals for the Licensing of Trusted Third Parties, Charles Lindsey. http://www.cs.man.ac.uk/~chl/dti.critique.html

[3] Author's personal experience as a postgraduate student in Department of Mathematics, Royal Holloway and Bedford New College (now Royal Holloway, University of London), 1989 - 1992.

9. About the author

Melanie Dymond Harper has an MA in mathematics and computation from Pembroke College, Oxford, and a PhD in discrete mathematics from Royal Holloway and Bedford New College, University of London.

Herald Information Systems is an Internet and security consultancy business based in New Malden, Surrey. For the last two years they have been advising businesses about use of the Internet for commercial purposes, including setting up secure servers for customer ordering.

© Melanie Dymond Harper 1997. No part of this document may be reproduced elsewhere without prior permission.