9 November 1998
Thanks to SK

SK: The following mail was forwarded to me by a member of the
German-based 'Electronic Commerce Forum'.


Statement of Microsoft on UK Department of Trade and Industry
Proposals for Encryption on Digital Signatures

October 1998

Microsoft welcomes this opportunity to respond to recent DTI proposals on
encryption and digital signatures.  As a leading developer of business
software applications, on-line tools and operating systems, Microsoft
strongly supports the growth of electronic commerce in Europe.

1. UK legislation should eliminate all key escrow and key recovery

The UK should not make the use of encryption subject to mandatory key
escrow.  The DTI's Secure Electronic Commerce Statement of April 1998
contemplates authorising law enforcement to obtain access to private
encryption keys on request. This could effectively require users or
encryption service providers to "escrow" their private keys, which would
depart from the Statement's rejection of mandatory key escrow and make the
use of encryption more costly and burdensome.  Many users would also view
the obligation to store copies of their private keys as compromising the
security of their on-line messages, thus deterring them from fully
exploiting electronic commerce.

Mandatory key escrow does not serve any legitimate law enforcement goals.
Key escrow serves no legitimate law enforcement goals because criminals and
terrorists are unlikely to store their private keys or provide them to
police on request.  Law enforcement's needs in this area could be fully met
by requiring users to produce the plain text of any message to which police
require access.

2. The proposed legislation should extend legal recognition to all digital

Legal recognition should extend to all electronic signatures, not just
those issued by licensed certification authorities (CAs).  The Secure
Electronic Commerce Statement would limit legal recognition to certificates
issued by licensed CAs.  Because virtually all users will want to rely on
the legal validity of their electronic signatures, this would effectively
require the use of licensed CAs.  Such a rule would impose unnecessary
costs on electronic commerce and would place UK law in conflict with the
proposed EU Electronic Signatures Directive, which extends legal
recognition to both licensed and unlicensed electronic signatures.

UK law should extend legal recognition to closed-system and limited-use
certificates and affirm parties' freedom of contract.  Electronic
signatures are used in a variety of closed systems and for a broad range of
specific uses, such as on-line banking and credit card systems.  Because
closed-system and limited-use certificates will play a crucial role in the
development of on-line applications, the law should expressly extend legal
recognition to such certificates.  UK legislation should also treat
electronic and paper transactions the same in terms of freedom of contract,
so that private parties have the same flexibility to structure their
electronic transactions as they do for traditional forms of commerce.

The proposed legislation should not require licensed CAs to escrow
encryption keys.  Many users of electronic signatures will refuse to allow
their private encryption keys to be escrowed, and will therefore refuse to
use licensed CAs if they must also hand over their private encryption keys.
Such a result would undermine the use of electronic signatures and would
threaten the development of electronic commerce in the UK.  Thus, UK law
should allow licensed CAs to provide encryption services without
maintaining a key escrow or key recovery system.

3. DTI should abandon plans to extend existing export controls to
"intangible" transfers.

Applying existing export controls to intangible transfers of encryption is
unworkable and impractical.  In its recent white paper on Strategic Export
Controls (July 1998), DTI announced plans to extend existing export
controls to intangible transfers.  However, strong encryption is widely
available on the Internet from servers located outside the UK.  Thus, the
proposed restrictions would not prevent criminals from using strong
encryption, but would impose added costs and burdens on lawful
manufacturers and distributors of encryption products.

The proposed export controls will harm UK firms.  UK businesses already
face a competitive disadvantage to foreign competitors due to restrictions
on exporting encryption in tangible form.  To extend this to intangible
transfers will make it even more difficult for UK firms to compete

The UK should loosen, rather than tighten, existing export controls on
encryption.  Export restrictions on encryption make it much more expensive
for UK firms to compete globally, without having any real impact on crime.
Rather than act unilaterally on this issue, the UK should adhere to the
European-wide standards set forth in the EU Regulation on Dual-Use Goods.

With kind regards

Harald A. Summa

+  +  +  +

eco - Electronic Commerce Forum e. V.
c/o Harald A. Summa
Grasweg 2
D-50769 Köln
Phone: +49 (0) 221 9702 407
Fax: +49 (0) 221 9702 408
E-Mail: info@eco.de
pgp on request

+  +  +  +