Interesting People mailing list archives

IP: Europe Plans to Resist "Unworkable" US Cryptography


From: David Farber <farber () cis upenn edu>
Date: Sat, 20 Sep 1997 07:33:25 -0400

Date: Sat, 20 Sep 1997 16:06:38 +0900
To: farber () cis upenn edu
From: ajp () glocom ac jp (Adam Peake)


CommunicationsWeek International
19 September 1997 18:17:33 BST


Europe Plans to Resist "Unworkable" US Cryptography Policies


By Kenneth Cukier for CWI
EXCLUSIVE
Europe will use privacy and free trade laws to resist cryptography
policies promoted internationally by the US. And initial results
of European trials designed to test the practicability of storing
users' private encryption keys in so-called "trusted third party"
(TTP) databases suggest such systems may in any case be unworkable,
according to European Commission officials. The trials have cast
doubt on the systems' scalability, cost and legality, writes
Kenneth Cukier for CommunicationsWeek International.


Full story at URL <http://www.totaltele.com/>


(as you are probably in a bit of a hurry, here's the full story,
please post as you think fit with regards copyright. Adam)




Europe Plans to Resist "Unworkable" US Cryptography Policies


By Kenneth Cukier for CWI


19-SEP-97


EXCLUSIVE
Europe will use privacy and free trade laws to resist
cryptography policies promoted internationally by the US. And initial
results of European trials designed to test the practicability of
storing users' private encryption keys in so-called "trusted third
party" (TTP) databases suggest such systems may in any case be
unworkable, according to European Commission officials. The trials have
cast doubt on the systems' scalability, cost and legality, writes
Kenneth Cukier for CommunicationsWeek International.


Ulrich Sandl, responsible for cryptography policy at the German
Ministry of Economics, said that the use of trusted third party systems
may be illegal in Germany or Europe as a whole. "There is a real
prospect that [products based on] the US policy is a violation of our
privacy laws, with severe consequences," he told a conference of
European officials, cryptographers and industry executives in Brussels.


This combination of legal and technological factors, said an EC
official, will mean the EC will "not endorse" key recovery in a report
to be distributed at a Council of Commissioners meeting on 1 October by
commissioners Martin Bangemann and Mario Monti, the heads of
Directorate General XIII for telecoms matters and DG XV for internal
market and data protection respectively.


The official, like seven others interviewed for this article, asked not
to be named, citing the controversial nature of the issue. "I am under
terrible internal pressure here," said one source.


The report's existence is public knowledge. Detlef Eckert, an adviser
at DG XIII, said at the conference that it will recommend policies be
transparent, free of bureaucratic burdens for users, and promote the
free flow of products within Europe, but he declined to discuss whether
the matter of key recovery is treated.


The report, an EC "communication," is expected to call on Europe to
develop cryptography policies that are driven by consumer choice rather
than law enforcement concerns, according to people from national
governments, industry, and the EC who are familiar with the document.
It will also urge EC nations to develop uniform legal recognition for
digital signatures.


Significantly, the EC's paper does not oppose key recovery (likely to
be referred to as "key escrow" in the final draft) outright, since
France is pursuing such a policy and the UK is undecided over the
matter. Instead, it calls for "effective and proportionate" policies,
diplomatic wording meant to underscore that a key recovery policy is
neither, said an EC official.


The communication would represent the most concrete sign that Europe
intends to resist US policy designed to create a system of
international accords on key recovery for law enforcement. It comes
alongside the US' unexpected lurch towards heavy domestic and
international encryption controls by Congress and the Federal Bureau of
Investigation.


Although a communication is a low-level policy paper, it is often used
as the first step towards developing formal policies. Officials say it
is meant to rally Europe to resist key recovery policies. And they say
that France's cryptography laws, if enacted, pose free-trade concerns
since they stipulate only French-controlled entities can run national
TTPs, which may force a showdown at the EC.


The paper is also significant because it diverges dramatically from an
unpublished EC report, due in September 1996, that was said to lean
heavily in favor of crypto restrictions. And it completely contradicts
a Council of Europe declaration in September 1995 that sought to outlaw
cryptography without law enforcement access (CWI, 18 September 1995).
The Council of Europe, an intergovernmental organization separate from
the EU, has no powers to enforce recommendations.


The EC's reluctance to support key recovery is partly motivated by the
results of tests involving TTPs (CWI, 17 February).


Four separate projects have proven TTPs are technical, commercial and
legal failures, said an EC official. The X.509-style directory system
has a hierarchical rather than network structure, making it difficult
to deploy on a mass basis. The TTPs' expenses have also encountered
cost overruns from initial projections.


Matt Blaze, one of the world's leading cryptographers and a researcher
at AT&T in Murray Hill, New Jersey, concurs with the EC's findings. "On
a large scale, they [key recovery systems] break down completely. Some
key recovery policies don't even work on a small scale," he said.


The only publicly-available TTP operating in the US today uses
technology from Trusted Information Systems Inc. and is run by Oakland,
California-based SourceFile, a subsidiary of FileSafe Corp. SourceFile
president Tom Morehouse acknowledges that his system has yet to be
stretched to the point where any scalability problems would become
apparent: "We are getting ready to test [the system] with a large
number of customers, but we feedback


Information : info () total emap com
URL: http://www.totaltele.com

