26 February 1997
Interview with David Herson - SOGIS
The following is an edited transcript of an interview with David Herson - Head of SOGIS, Senior Officers' Group on Information Security (EU).
The interview took place in Paris, September 25, 1996, and was conducted by Kurt Westh Nielsen - Engineering Weekly, Denmark and Jérôme Thorel, Planéte Internet, France. First question concerns the experiments at the moment with european key management infrastructure:
Will the call for tenders be a long process - which kind of decision will you have at the beginning of 1997 ?
- The decision is separate from the preparatory action. My feeling is, that neither the commission nor the council are in any hurry to take a decision on cryptography for the reasons you've heard today. This is, you know....
the OECD guidelines in my view are a useful stepping stone. What we need are a few marker posts out there - reference points. If the only reference point is the French Law or what ever - it's not good enough. You need a bit more balanced than that.
The politics of cryptography has been the big change in my life. There was no crypto-politics in 1970. Non existing - now it's a big subject. But unfortunately you cannot really understand the politics unless you understand the technical underpinnings and that's the problem. Quite often you can separate the two - in this subject you can't.
When is the European infrastructure in place ?
- I think it's going to emerge bottom up. My original theory was that we would have a meet in the middle attack as it were. We'd have a high level policy approach and a lot of individual activities going on, you know practical needs as it were. Either stimulated by the Commission or resulting from market requirements and the two events would sort of converge - and I think it's still the best model. But the timing may not be perfect. As I just said I think the amount of interest in this preparatory action of the ETS has shown that there's an tremendous amount of latent Interest and energy out there waiting to get this show on the road. So let's hope that the momentum the project generates will spread the interest in the technology. It's my belief, quite clearly, that the TTP approach is the right approach for both sets of interests. I mean, if you decategorize people into just two camps I'm sure that it is the right way to meet the right compromise. To get there. You got to have all the right safeguards, I'm well aware of these arguments about regimes becoming totalitarian and abusing the facilities. But we got to make first step - otherwise we're not going to get the wide use cryptography that we're after. I presume that this is what the majority of people in the room are interested in - a much more extended use of cryptography. And good crypto as well - that's important.
Is the EU going to take the first step or going to wait for the OECD recommendations ?
-My recommendation to my management is, that if we're successful in getting a consensus in OECD then that's a good launch point for a more detailed policy. Remember the OECD policy is only guidelines, and it's going to be weak, it's not going to be a strong statement. What I wanted was a fairly high level policy statement- getting down, I been I've been beating the drum about the principles now for more than year in my various public addresses. And frankly the present document does not look very differently from what I was putting out over a year ago. I think if you can get those basic principles down and sort of sense of balance there - I think the balance is right at the moment... You've seen the guidelines ? have you ? No, No it's not public.
If we can get a reasonable statement of the balance between trusting crypto. Or get the right balance between all these different principles *including* Law and enforcement, I mean it's naive if anybody thinks that they can somehow institutionalize the use of crypto without taking account of it. The point is getting it right in a sort - in the order of things - the right position in the spectrum, and let's hope that the debate in the OECD will achieve that. Because if it doesn't, we're left with the old regime of cryptograph is use controls via export control. The French position is special but in fact the French position is not so untypical of the rest of the world. Although other countries only have export regulations - in practice export control means use control. There is an indirect mechanism, which means that ... If you take the old paradigm that exportability means exploitability - the only cryptography, that is available to the business and private user is exploitable cryptography .. I you want to get away from that to a state where business can have good cryptography, and I don't think business will use the GII and all these good things without good cryptography - I mean, we're not talking about buying a theater ticket over the Internet or something, we're talking about routine transactions of billions of dollars all the time. To do that you got to have confidence in the system - it's not corruptible and all these good things. So you got to have strong cryptography , to relax the code controls on strong crypto, you got to institutionalize an arrangement which protects the National security and enforcement....
Via TTP's ?
-TTP's are just a practical mechanism for getting there - I appreciate it can be abused - I listened to the people here today - heard it many times before - but anything can be... Guns are abused. I don't approve of, let's say my government, whatever that might be, going off and using nuclear weapons or something.. You know.. but they do it , I mean, people use what there is. Similarly I think Intelligence agencies whether it's law enforcement or national security will use whatever mechanism is built. It's all very well, Zimmermann sitting there saying' PGP is secure, it's open for public inspection and so on, but he is not actually in control of how people use PGP. He's not intercepting encrypted messages - with all the stupid things that people might do. You can be damn sure, that if there's some way of misusing PGP - they're doing it out there. The fact that the algorithm might be good - in principle- does not guarantee a secure cryptography. I don't think that in a business environment you could ever comfortably use PGP. You would always have doubts that you're usingsomething which is not authenticated. You've got a version of PGP on your PC ? I'm sure you have, so have I, but where did you get it from - what's the quality of the source. Are you competent to inspect the code you have.... So who are you trusting for the code to be good ....
It's not a good basis on which to put trust in transactions. A lot of business activity is based on the trust the parties have...
What will happen to the call for tenders ?
-At the beginning of October we shall be evaluating the tenders. Selecting those, that we want to go forward with. Next week we have a panel meeting with independent expect from various countries. They will evaluate the proposals, select the best ones, five- six, we'll have to see how much money we have - how good the proposals are. And then we will go to SOGIS and get their blessing. Then we will have to get the formal approvals through the commission machinery to engage in the contracts. So about the 1st. Of January these people will start work.. So this is quite independent of the Council decision - quite independent.
So the aim is to better understand... ?
-We need to understand better and to explore/experiment to discover the problems with international use of TTP's. We think we know what the problems are but until you actually do the communications and you see whether this meets national requirements...
Will the work lead to recommendations for the council to choose specific companies as providers ?
- No, the model is, to maintain the sovereignty issue, licensing should occur nationally. What I would like to be able to do at the end of this action is to recommend the minimum rules - rules for accreditation.. We have to avoid - it's simple really - you can not trust a guy who works in a garage on weekends - anybody offering ttp services has got to offer very high standard of trust - physical protection of the key-database. Procedural control.
And physically in the same country ?
-That's the French law at the moment, but I don't believe any other country will impose that requirement. Certainly the Commision will have to think hard about whether it would be acceptable to constrain a single market in that way. I don't think most countries will accept that . And I don't think France will eventually. The problem in France is that since they are the first and only country in the world that has introduced any new law concerning TTP's there are no basis for comparison, they must insist that the keys are being escrowed in France. If the international infrastructure works properly then they will relax that condition.
What do you think about the fact that the crypto debate focuses on privacy versus Law Enforcement ?
- Law Enforcement is a protective shield for all the other governmental activities . You should use the right word - we're talking about foreign intelligence, that's what we're talking about - that's what all this is about. There is no question - that's what it is about. The Law enforcement is a smoke screen, because we all understand law enforcement, policemen, courts, this is something we see everyday in our life. And it's an important element, I'm not suggesting it's not relevant but it is a protective shield for what goes on behind that. Countries like France and the United States, as you well know, are active. So at the OECD meeting at least half the people round the table understand that - not everybody but half of them do. And no solution will be acceptable unless it keeps that in balance as well.
In principle we want the government to protect us from terrorism and drug dealers, paedophilia or whatever bothers you today. And I think you can put a package around those interets - some of which you understand - some of which you don't. But you can identify them as something which is the public good as against the private good, and all we're trying to do is keep the public and private interest in balance. That's the new concept - the new paradigm. The old methods of control did not recognize that. The old methods put the government, the public interets first. So there isn't a private interest. The Private citizen doesn't need crypto - that's been proved. Telephone calls or transactions across the Internet , these are private interests where security is important.
Something which doesn't show through in the OECD guidelines yet which is very important from the Commisions' point of view is the fact that cryptography has these two dimensions - the integrity of messages and the overwhelming business requirement for integrity. We should not let this political debate damage the real benefits that come to public and private communication through use of digital signature - that the magic bullet - the signature. It will benefit society a great deal. It will transform us to the information society.
Do you think it will help government to act on confidentiality, the fact that digital signatures are useful for everybody ?
-A good French approach to these affaires is to go in easy steps - we don't have to do everything at once. Many people have argued that we should have got rid of he digital signature problem. Have all that sorted out, before we moved on to the confidentiality problem. Regrettably it's too late in the day. The confidentiality problem is the one that has been raised as the big political issue.
Because of PGP ?
-..Partly, but it' sonly one of many elements.
What is the role of the commission in the OECD meetings - are the guidelines a small step or..?
-Well, the commission is equivocal about the OECD. It's not comfortable. But inthis particular case, because of the way the Commission has acted in this field in the last two or three years, I think our position is relatively significant. We're not a member state of the OECD, but I can speak collectively on behalf of the EU.
What is your impression of the points of view in the Scandinavian countries ?
- Many of the Scandinavian countries are coming to this problem for the first time. They are not very sophisticated in the underlying concepts. And it varies, I mean Norway and Denmark are members of NATO already, so they have significant experience of the secure communications, Sweden and Finland are advanced technically in the development of equipment, but perhaps less advanced in the development of policy concerning the balance between intelligence and privacy.
So that occurs because those countries don't have the experience and background ?
-It varies, you were not at the meeting, but flavor that will come through from several Scandinavian countries is that they are grappling with the issues for the first time. Trying to understand the balance and so on. Denmark made a clear statement at the last meeting - which was basically a clear statement that they would not seek to introduce new measures to gain access to Internet traffic. They are the only country who have been quite clear I think in their public statements so far. The have made it clear that they intend to introduce no new measures to gain access to secure communications traveling over the Internet in Denmark. Now, that comes from a spokesman for the Danish government . The Netherlands, if you see them as sort of a pseudo-Scandinavian country have come out with a similar position to Denmark. It's only two years since the tried to introduce through the back door a law on access which died. A journalist got the story and blew it up and the law got a real hammering. I think the minister resigned in the end. So you can make a mess of these things.
10/04/1996 - last revision 02/25/1997
Related articles (In Danish) from Ingeniøren/Engineering Weekly: