9 November 1998
Thanks to SK
SK: The following mail was forwarded to me by a member of the German-based 'Electronic Commerce Forum'.

______________________________________________________________________________

Statement of Microsoft on UK Department of Trade and Industry Proposals for Encryption on Digital Signatures

October 1998

Microsoft welcomes this opportunity to respond to recent DTI proposals on encryption and digital signatures. As a leading developer of business software applications, on-line tools and operating systems, Microsoft strongly supports the growth of electronic commerce in Europe.

1. UK legislation should eliminate all key escrow and key recovery requirements.

The UK should not make the use of encryption subject to mandatory key escrow.
The DTI's Secure Electronic Commerce Statement of April 1998 contemplates authorising law enforcement to obtain access to private encryption keys on request. This could effectively require users or encryption service providers to "escrow" their private keys, which would depart from the Statement's rejection of mandatory key escrow and make the use of encryption more costly and burdensome. Many users would also view the obligation to store copies of their private keys as compromising the security of their on-line messages, thus deterring them from fully exploiting electronic commerce.

Mandatory key escrow does not serve any legitimate law enforcement goals.
Key escrow serves no legitimate law enforcement goals because criminals and terrorists are unlikely to store their private keys or provide them to police on request. Law enforcement's needs in this area could be fully met by requiring users to produce the plain text of any message to which police require access.

2. The proposed legislation should extend legal recognition to all digital signatures.

Legal recognition should extend to all electronic signatures, not just those issued by licensed certification authorities (CAs).
The Secure Electronic Commerce Statement would limit legal recognition to certificates issued by licensed CAs. Because virtually all users will want to rely on the legal validity of their electronic signatures, this would effectively require the use of licensed CAs. Such a rule would impose unnecessary costs on electronic commerce and would place UK law in conflict with the proposed EU Electronic Signatures Directive, which extends legal recognition to both licensed and unlicensed electronic signatures.

UK law should extend legal recognition to closed-system and limited-use certificates and affirm parties' freedom of contract.
Electronic signatures are used in a variety of closed systems and for a broad range of specific uses, such as on-line banking and credit card systems. Because closed-system and limited-use certificates will play a crucial role in the development of on-line applications, the law should expressly extend legal recognition to such certificates. UK legislation should also treat electronic and paper transactions the same in terms of freedom of contract, so that private parties have the same flexibility to structure their electronic transactions as they do for traditional forms of commerce.

The proposed legislation should not require licensed CAs to escrow encryption keys.
Many users of electronic signatures will refuse to allow their private encryption keys to be escrowed, and will therefore refuse to use licensed CAs if they must also hand over their private encryption keys. Such a result would undermine the use of electronic signatures and would threaten the development of electronic commerce in the UK. Thus, UK law should allow licensed CAs to provide encryption services without maintaining a key escrow or key recovery system.

3. DTI should abandon plans to extend existing export controls to "intangible" transfers.

Applying existing export controls to intangible transfers of encryption is unworkable and impractical.
In its recent white paper on Strategic Export Controls (July 1998), DTI announced plans to extend existing export controls to intangible transfers. However, strong encryption is widely available on the Internet from servers located outside the UK. Thus, the proposed restrictions would not prevent criminals from using strong encryption, but would impose added costs and burdens on lawful manufacturers and distributors of encryption products.

The proposed export controls will harm UK firms.
UK businesses already face a competitive disadvantage to foreign competitors due to restrictions on exporting encryption in tangible form. To extend this to intangible transfers will make it even more difficult for UK firms to compete globally.

The UK should loosen, rather than tighten, existing export controls on encryption.
Export restrictions on encryption make it much more expensive for UK firms to compete globally, without having any real impact on crime. Rather than act unilaterally on this issue, the UK should adhere to the European-wide standards set forth in the EU Regulation on Dual-Use Goods.

With kind regards
Harald A. Summa

+ + + +
eco - Electronic Commerce Forum e. V.
c/o Harald A. Summa
Grasweg 2
D-50769 Köln
Phone: +49 (0) 221 9702 407
Fax: +49 (0) 221 9702 408
E-Mail: info@eco.de
http://www.eco.de
pgp on request
+ + + +