[No date; retrieved November 12, 1996]
1. The INFOSEC Business Advisory Group (IBAG) views with concern the slow progress being made towards agreement on controls on cryptography that permit international business to operate securely and efficiently.
2. IBAG members are increasingly exploiting global communications and distributed systems not just to benefit their own business, but also to do business electronically with other companies. Products and services are being made available, many of which conform to open standards, that enable such activities to be carried out securely. However, this security is usually achieved by use of cryptographic techniques, and is thus subject to national government control. Most nations control export of such technology, and many also control import and use.
3. IBAG is concerned that the current trend appears to be towards tightening such controls, notwithstanding the increasingly widespread availability in many countries of hardware and software implementations of the common algorithms, such as DES and RSA. Further, the ability of national authorities to police effectively the movement of such technologies across national boundaries, whether as products or as components, is demonstrably limited.
4. IBAG recognises the legitimate needs of national authorities to be able to enforce the rule of law and to maintain national security, but industry has an equal right to protection of its know-how, information and personal data, under safeguards against Government misuse as stringent as those that already exist for paper communications, telephony and the like. A proper balance between statutory and self regulation needs to be established through a dialogue between national authorities and industry. This is already a clearly understood principle in, for example, the financial services industry, where regulatory reporting requirements to combat money laundering are well established.
5. While IBAG would prefer no controls on the use of commercial cryptography, it is recognised that some form of control will probably be imposed. In these circumstances IBAG is strongly in favour of a solution that combines processes accredited by national authorities, or their agents, with voluntary conformance by law-abiding users. We suggest that this solution be based on Trusted Third Parties (TTPs), similar to the Certification Authorities already being set up to certify public keys, but with additional responsibilities. They could be accredited to have access to users' master keys and algorithms via agreed secure procedures and, under appropriate legal controls, provide those keys to national authorities or law enforcement agencies. Such TTPs would be appropriately regulated and trusted commercial operations, and users could select which TTP to use on commercial grounds. Alternatively, large organisations or industry service organisations (such as SWIFT for financial services) could become accredited TTPs for their own business or industry. While use of such TTPs would be voluntary, it could be encouraged by relaxation of controls on the use of cryptographic technologies where such facilities were used.
6. It would be necessary for nations to develop mutual arrangements for TTPs in different countries to exchange key information, again under suitable legal controls, to cover the situation where communication takes place across national boundaries. Industry would prefer that the master keys for a business, or for a trading relationship between businesses, be accessible only via a single TTP. While in theory such keys could be lodged with a TTP in each nation involved, this would become very difficult to administer where companies operate across a majority of the world's nations. Where the organisation, or industry service, is itself the TTP, this international dimension would be much simplified.
7. This solution is, in the view of IBAG, the most cost-effective of a range of solutions based on the idea of TTPs. The attached Figure [not with document] shows this range graphically; the methods are explained briefly below. The pros and cons of each are listed in Paragraph 8 below.
8. IBAG prefers no controls, but would support Method A for the following reasons:
9. IBAG recognises the different sensitivities of the use of encryption techniques for integrity (including authentication, electronic signature, non-repudiation, etc.) and for confidentiality. A phased approach could be considered, in which an international scheme addressing the need for integrity is introduced first, followed by confidentiality mechanisms once the basics of operating accredited trusted third parties have become established.
10. IBAG calls upon national Governments in Europe, and the Institutions of the European Community, to work together with industry and users to develop a comprehensive policy on the control of encryption and advanced telecommunications technology. IBAG commends the approach described in Paragraph 5 above as a practical starting point for such discussions, and urges SOGIS and the European Commission to provide the focus for these discussions, including co-operation with nations outside Europe. IBAG is ready to play its part in these discussions.