1 July 1998
Source: http://www.fsk.dk/fsk/div/hearing/report.html

Thanks to Theodor Schlickman

| Ministry of Research and Information Technology | EU-commission | Hearing |

Draft (Version 2)

Report of Day 1 of the European Expert Hearing on Digital Signatures and Encryption (Copenhagen, April 23, 1998)

The first day of the Copenhagen Hearing was dedicated to the global market trends in cryptography, the business use of cryptographic techniques, the development of the European cryptographic industry and the problems of law enforcement with the wide-spread use of cryptography. This report summarises the presentations and discussions of these subjects during the hearing.

It is the common view of almost all experts that the market for products using cryptographic techniques will face a large growth within the next years. Driving force of this growth is the Internet where cryptographic techniques are used for secure authentication, secure communication, digital signatures and to provide secure payment systems. These techniques will provide the basis that allow reliable electronic commerce, which is in most forecasts one of the fastest growing business areas in the near future. It will create new business opportunities but will also produce new technical and political challenges. So cryptographic techniques are a key feature that allow us to use the business opportunities of an electronic world in a secured way. They are already a standard feature of today’s Web browsers and will be part of much more applications in the near future.

It is also the common view of the experts that the overall amount of this growth and the share European industry will take in this market depends not only on technical but also on political regulations with respect to the export, import and use of cryptographic techniques. Such regulations should reflect the business needs as well as the technical progress to serve as enabling, not disabling factors for the deployment of cryptographic techniques as supporting elements for new business areas like electronic commerce.

Although cryptographic algorithms in general are well known and simple implementations are widely available, the market volume for those products in Europe is not as large as one would expect. Several factors have been identified that have been prohibitive for a large scale deployment in the past:

• The cryptographic products available on the market today either serve a single specific application in a specific business sector (e. g., in the banking sector) or are rather simple products for applications like signing and encrypting Email or files. Interoperability between different products was almost non-existent and the models for the management of the cryptographic keys needed were very simple and did not always reflect the needs of the business.
• Except for Internet browsers cryptographic techniques are not an integral part for a number of applications. Most add-on type products that provide a user with some basic cryptographic functions have the problem that they are neither easy to use or manage nor do they provide the level of interoperability required for large-scale deployment.
• Standards for communication protocols with integrated cryptographic functions providing authentication capabilities as well as integrity and confidentiality protection have been developed in the last years but are in many cases too young to be integrated into a large number of products. Except for SSL those standards are not yet used widely.
• Current practices and standards for the management of cryptographic keys, regardless if they are applied for authentication and digital signatures or for encryption, are not very well adapted to the business needs and the requirements arising from the security policy of commercial organisations.
• An infrastructure of Certification Authorities is needed to certify public keys used for digital signatures and the exchange of keys used for encryption services. Establishing such an infrastructure requires clear procedures for technical interoperability as well as the interoperability of the security policies and methods to obtain trust to Certification Authorities. But this is necessary for mutual recognition of certificates issued by different Certification Authorities in different European countries. While the technical issues are addressed by emerging standards no solution has been proposed to date that is able to ensure a comparable level of trust for different Certification Authorities. Clear guidance on this issue is required on a European basis.
• The existing or emerging laws and regulations regarding the use of cryptographic techniques in Europe are not harmonised and not provide a consistent framework as needed by companies operating on an international basis. Throughout Europe several domestic laws exist or are under development which intend to regulate the use of digital signatures, but they provide considerably different frameworks for the operation of a Public Key Infrastructure. In addition some countries regulate the use of cryptography for confidentiality while others do not. This results in significantly different requirements for the functionality of cryptographic products and the necessary infrastructure which make the development of a common framework for the use of cryptographic services within Europe extremely difficult.
• Export regulations are also treated different in the various countries and present an additional barrier for the deployment of cryptographic techniques. As a result companies that want to sell their cryptographic products globally face different problems with export approvals depending on their home country.
• Because of the problems mentioned above the use of certificates for digital signatures as well as for the exchange of cryptographic keys is still low and there is currently no real business model for the operation of a Certification Authority unless the certificates are used for a specific added value service like electronic payment.

To overcome some of the technological problems that prohibit the wide-scale deployment of cryptographic techniques some encouraging trends can be determined which will provide the basis for the forecasted growth of the market.

• The large scale deployment of Smart Cards with integrated functions for authentication and digital signatures will be a significant step forward in the use of cryptographic techniques. Smart Cards provide a person with ability to carry his keys with him/her and nevertheless have them protected from unauthorised access. This allows the person to initiate secure transactions from a large range of systems all over the world. This is assisted by globally accepted standards for public key certificates and their management.
• While currently most cryptographic products are software based a movement to integrate those functions more and more into specific hardware components can be identified. Decreasing prices for hardware make those solutions competitive to software solutions. The advantages of hardware components like Smart Cards or PCMCIA Cards are their portability and their significantly higher level of security.
• Certification authorities will be established but in the near future mainly either internally within a company or for specific applications in the sector or electronic commerce. Currently a market for certificates not bound to a specific application like credit card or banking transactions is not seen by most experts. But for those closed application areas the existing and emerging laws and regulations regarding digital signatures are regarded as unnecessary.
• Standardised interfaces are under development that will allow to use a single set of cryptographic services from a wide variety of applications. This will open the path to make those services an integral part of almost all applications and will on the other hand provide an easy way to allow for the selection between different implementations of the basic cryptographic services. A user of those services may then decide whether to employ hardware based cryptography providing a high level of assurance against fraud and misuse or if a low cost software solution is sufficient. He may even use different types of implementations for different purposes (e. g., a software based solution for signing and encrypting his Email and a hardware based solution for electronic commerce transactions). The standardised interfaces will provide the interoperability between the different solutions.
• The protection of Intellectual Property Rights with electronic documents is one area where cryptographic techniques will be applied in the future. While the encryption of TV channels is already a standard application research has started to use cryptographic techniques also for the protection of Intellectual Property Rights for information stored and distributed in unencrypted form.

There is the fear that the wide-spread use of encryption services will significantly reduce the ability of law enforcement to combat criminal activities. This has lead to several proposals within Europe and other countries throughout the world to set up a scheme which would enable law enforcement agencies to have access to the keys used for encryption under defined circumstances. The basis for those proposals are methods integrated into the key management scheme used, which provide the ability for a third party to access the key. Two technical methods are discussed in this context: Key Escrow and Key Recovery. The discussion on the subject revealed a set of problems with the use of those techniques:

• There is no technical solution known today that is able to prohibit the use of encryption techniques that do not provide a scheme for Key Escrow or Key Recovery. Due to the wide spread availability of software implementing encryption services criminals will always have easy access to strong encryption that does not provide emergency access to keys by law enforcement agencies. The proposed schemes can therefore be expected to be efficient only in closed systems (e. g., conventional telephony) where it is hard to exchange the underlying encryption services or to integrate an additional level of encryption. With the wide usage of multimedia services the technological trends will more and more remove today’s technical barriers between the different types of communication services making such schemes far law enforcement access very easy to overcome.
• Almost none of the proposed schemes for Key Escrow or Key Recovery has been tested or implementedto the extent that statements about their operational behaviour, performance overhead and requirements for infrastructure can be made. Especially for encryption services used within lower layer communication protocols it is extremely hard to imagine how law enforcement agencies will ever be able to efficiently use those schemes. Any regulation based on these techniques is therefore on thin ice unless a technical solution that satisfies the requirements of such a regulation has been tested on a large scale basis.
• Small scale pilot projects with Key Recovery and Key Escrow schemes have identified significant interoperability problems with existing or emerging solutions and standards. From an industrial point of view interoperability is one of the key factors for the large scale use of cryptographic services. Unsolved interoperability problems will delay the deployment of encryption services leading to significant disadvantages for European enterprises on the global market.
• While there is a business requirement for emergency access to encryption keys used for stored data - which may be solved by some kind of Key Escrow or Key Recovery scheme- there is almost no such requirement from business for encryption keys used within communication services. This is only one area where the requirements from law enforcement and business regarding emergency access to keys are significantly different. Also with respect to the location and management of the necessary Trusted Third Parties the requirements of both sides are not harmonised.

Generally spoken most experts view the technology for Key Escrow and Key Recovery as not mature enough to propose them for large scale deployment. In addition the requirements from government and business regarding encryption services in general and emergency access to encryption keys in particular need to be discussed and harmonised on a European basis. Different national regulations will result in significant interoperability problems which would lead to a major disadvantage of European industry in the effort to take over a leading role in the development of cryptographic services within a global information infrastructure.

The position of the European industry on the global market for cryptographic services is characterised by the following statements:

• Europe is the world leader in Smart Card technology, which has been identified as one of the key technologies for the large scale deployment of cryptographic techniques. But the growth for the Smart Card market depends on the integration of cryptographic functions into standard applications and the establishment of a suitable management infrastructure for cryptographic keys. But this part of the market is currently clearly dominated by U.S. industry.
• The current U.S. export regulations can provide a chance for European companies to enter the market for cryptographic products. Nevertheless this would require a concentrated effort of European industry and governments to prepare the basis for this market.
• Many small and medium sized European enterprises are not prepared yet to operate on a global market. They are from their tradition focused on a more local market. But the electronic commerce business will be on a global basis which will force any provider of supporting technology for this business to operate also on a global basis. European enterprises operating in this market therefore will need to change their way of doing business accordingly.
• Unlike almost all other commercial goods encryption technology even today can not be freely traded within the countries of the European Union. The need to apply for export licenses as well as the different and sometimes not very clear regulations regarding the export and use of products with cryptographic functions impose significant barriers for the European cryptographic industry even when trading within the boundaries of the European Union. This situation does not only increase the overhead in trading with such products, it is also a prohibitive factor for commercial enterprises in the decision to use cryptographic products. Those self-imposed barriers prohibit the development of a strong European market for cryptographic products.
• As a result the situation of the European industry regarding cryptographic products shows quite different aspects. While the presence and standing in the Smart Card market is very good and can be expected to remain so in the near future, the market for other cryptographic products depends heavily on commercial and regulatory decisions made in the near future. Europe has the chance to play a major role in this market but European industry needs to operate more globally and the regulatory barriers within Europe need to be removed soon.

Report on legal issues – Copenhagen Hearing

Introduction:

On April 23-24, 1998, a European expert hearing on digital signatures and encryption took place in Copenhagen. The following discussions on the first day related to: global market trends on cryptography (session 1), business use of cryptography (session 2), the European cryptography industry (session 3) and law enforcement and cryptography (session 4). The second day of the hearing dealt with electronic authentication and digital signatures.

As for the deliberations for the first day of the hearing, the discussions on the second day were based on a theme paper in which a number of questions were identified within the following session headlines:

• Session 5 – common minimum requirements (the market for certification in a regulatory prospective, minimum requirements for certification procedures and minimum requirements for digital signature products).
• Session 6 – legal recognition (evidence rules, and formal requirements).
• Session 7 – liability.

Recapitulating the discussions within these three sessions, three general problem areas were dealt with which face governments, industry and private users who face the challenge of providing (at least) the same security for digital signatures as applicable for paper based signatures:

1. The nature and extent of minimum standards which should be established for Certification Authorities (CAs) in order for certificates and the signatures to which they relate to be accepted and recognized by public administrations, courts and commercial parties as reliable;
2. Whether and how states should amend current legislation in order to provide for the legal recognition of electronic counterparts of paper-based forms requirements, balancing certainty of recognition and flexibility; and
3. How CAs should manage their risks, whether governments should regulate liability of CAs, and, where CAs attempt to limit their liability by contract or by notice, whether states should restrict CAs in such attempts for public policy reasons (i.e. consumer protection).

Minimum Requirements:

Minimum requirements for digital signatures have already been set forth in a number of digital signature laws in order to provide for trust in digital signatures. However, on an international scale, the Copenhagen hearing made it clear that it is still an open question whether such requirements should be put into legislation or left to the market. Whereas market forces might be an effective way to develop such requirements, there is a risk that requirements will be established which do not provide for interoperability. To address this question, the theme paper had raised a number of questions as to the need to regulate the interoperability question, the need to develop minimum requirements for certification procedures and the need to develop rules for digital signature products.

Strong arguments were made that states should promote the development of generally accepted practices before taking the step of amending their laws that would permit acceptance of electronic information in satisfaction of statutory obligations and would allow the use of electronic media as a means of communication between private parties. Such practices might more effectively serve as a wide basis for trust in electronic documents and signatures. At the time of the hearing, some states are specifically considering the establishment of minimum requirements in relation to the use and management of digital signature keys and to the issue of certificates by Certification Authorities. There was no consensus that this approach should be adopted on a global scale.

It was generally felt, however, that minimum requirements set by states must be reasonable and flexible to accommodate the variety of contexts, purposes and transactions in which electronic documents and signatures will be used. Reference in legislation to specific technologies should not have the effect of restricting the use or development of other technologies or preventing the use of other technologies that may be suitable for legal purposes. Also, the risk that every state may create its own, preferred set of requirements as a prerequisite to legal recognition in that state, may aggravate discrepancies among states and create barriers to cross-border recognition. This concern prompted recommendations for the development of common minimum requirements - or one set of standards - that could be acceptable and apply to all member states.

According to the draft European Union Directive, the main contents of which were reported at the hearing, there is no prohibition against the provision of electronic authentication services. CAs may provide services without being regulated or without meeting the minimum requirements set out in the EU Directive. However, only those electronic signatures based on a qualified certificate issued by a CA which comply with minimum requirements set out in the EU Directive will be granted automatic recognition for the purposes of admissibility as evidence and of private or civil law requirements of a signature. Legal recognition of other electronic signatures or associated with CAs that do not satisfy the minimum requirements will have to be obtained by proving the reliability or trustworthiness of the signature method and related procedures. In answering concerns that the Directive would entrench the use of digital signatures only, it was emphasized that the Directive is technology-neutral and that electronic signature is defined in an objective manner that would encompass other technologies.

According to the draft Directive, member states will be permitted to use voluntary accreditation schemes to evaluate CAs. CAs will have the choice to be accredited voluntarily or to compete in the market, proving the reliability of its certificate. Although minimum requirements are set out in the Directive for the authentication activities of CAs, for their products and for certificates, no requirements have been proposed to regulate the conduct of users and users’ products.

Legal Recognition

According to some digital signature laws, minimum requirements for CA-services and digital signature products serve as a prerequisite to legal recognition of digital signatures in place of conventional signatures. Different concepts in each state underlying signatures and formal requirements make it difficult to establish common requirements that can permit recognition in other states. States are also faced with the problem of interpreting or revising their current laws to accommodate the use of technologies and to determine the extent to which laws require revision. The decision to establish minimum requirements as a prerequisite to recognition may have a bearing on the nature and extent of revision to a state’s legal framework. Apart from the decision to establish minimum requirements, however, a state must consider how to organize and encourage its government in the revision of its legal framework.

To address these issues, the nature of legal recognition was first discussed. It was agreed that "legal recognition" of electronic documents and signatures manifested itself in European member states in a number of areas: evidence in civil litigation; in the form of electronic contracts and signed documents between contracting parties; and by public administrations, to the extent that they are computerized to accept electronic form.

Second, the ways of achieving legal recognition were considered. It was pointed out that there are two ways to achieve legal recognition: through interpretation of current statutes, without statutory reform; or through statutory reform, either through the revision of current statutes or by means of new legislation. It was suggested that existing statutes may not require amendment if they could be interpreted flexibly to accommodate or to recognize electronic equivalents to conventional documents. If statutes cannot be flexibly interpreted, only minor adjustments may be effective to provide for electronic equivalent to formal requirements, without affecting the substance of the statute. If new legislation is specifically needed to accommodate the use of information technology, the legislation should be technology-neutral and should not re-invent legal substance. If not, legislators may realize that technology-specific amendments to existing legislation may have to be revised within the near future.

There seemed to be widespread consensus that the primary purpose of interpretation of statutes or revisions to statutes is to ensure that an electronic signature will not be rejected simply because of its electronic form. In order to accomplish revisions to statutes, governments must look behind the actual form of the signatures, and look instead to the function and use of the signature.

The role of minimum requirements and their relationship to legal recognition was explained. The purpose of the minimum requirements to be established in legislation is to introduce a high standard which may be followed, but which is not required to be followed. In return for following the standard, legal recognition would be granted. It was emphasized that the introduction of a standard by legislation should not eliminate the recognition of electronic documents that had been signed by means other than digital signatures. Rather, adherence to minimum requirements or standards provide the basis for automatic recognition without exhaustive proof. In order to avoid the proliferation of national standards throughout Europe, however, a recommendation was made that only one standard should be established for the European Union. It was also stated that this standard should be limited to the use of digital signature technique for the purpose of producing a "legal signature and if the standard is followed, then the signature would be recognized as "legal" in other member states. No indication was given, however, of how this general standard should be produced.

Third, a method was described by which governments could organize their departments to review and revise their statutes in order to accommodate the recognition of electronic documents and signatures. A general review of statutes to assess the volume of form requirements was carried out. The specific form requirements must be reviewed in order to evaluate whether digital signatures could be accepted for the particular requirement of the signature. By the opt-out or exception model, departments would start from the premise that digital and conventional signatures would be on an equal footing unless the department specifically opted out. The alternative approach, the opt-in or inclusion model, would permit departments to review each statutory and regulatory provision and specifically opt-in to the equivalence principle. The advantages and disadvantages of the opt-in and opt-out models were described.

Liability

The discussions on liability raised two questions: Liability for the CA (e.g. for flaws in the issuing of certificates or the identification of key holders), and the liability of users (for not taking proper care of signature devices so that false signatures are issued). The discussions on this issue which in the theme paper is stated as "the single most important problem when creating a framework for digital signatures" proved that these two questions should be discussed separately, since different concerns come into play.

Regarding the liability for CAs, the discussions made it quite clear that there is a relationship between the willingness of CAs to accept liability for damages which might arise from their electronic authentication activities and the willingness of governments, courts and commercial parties to recognize digital signatures and certificates associated with that CA. In order to manage their risk, CAs will have to limit their liability through contractual networks or by means of notice clauses in certificates or practice statements.

The presentations and discussion centered on two major fields:

1. The role of government in defining liability rules and in limiting the tendency of CAs to transfer risk to the relying party.
2. The use by CAs of contracts and insurance to manage risk and to protect its assets from risk of third party damage, subject to limits to protect consumers. Insurance is becoming available to underwrite their risks, and subscribers and relying parties are aware of contractual or notice clauses on limitation of liability and certificate uses.

As to the role of government, it was generally felt to be premature to legislate specific liability rules relating to electronic authentication activities. Government liability rules as a global solution would not be a useful because they would increase uncertainty. Moreover, it would be difficult to formulate a global framework on liability.

The use of contracts as a method to establish a scheme for obligations and liabilities of parties was generally felt to be acceptable. However, it was pointed out that the use of contracts might not be accepted as a global solution to establishing a liability regime that would apply to all parties, especially where there is no contract between a CA and a relying party or where there are consumer protection laws. The group considered the possibility of establishing default rules which could apply in the absence of contractual liability scheme, but this option was not fully explored.

On one hand, it was suggested that government should legislate minimum standards for CAs to define their responsibilities and to allow them to limit their liabilities using a CPS. On the other hand, however, concern was expressed that a statutory regime on digital signatures and CA activities might be interpreted in a manner that would override contractual schemes or notices established by a CA for closed system.

Generally, it was agreed that, in the absence of a contractual framework, a CA must bring notice to a relying third party of limitations on the use of the certificate and of the CA’s liability. In this regard, it is worth noting the statement made in an earlier session, that the Draft European Union Directive requires limitations of certificates and on CA liability to be expressly set out in the certificate, not merely incorporated by reference to other documents.

In considering the nature of the CA’s liability, it was strongly felt that it would be premature to establish the CA’s liability for electronic authentication activities as strict in nature. Strict liability regimes were established for dangerous activities or where insurance and liabilities regimes have not produced fair results. There is no evidence at this time that errors or damages arising from electronic authentication activities will lead to unfair allocation or assessment of liability. There was a definite leaning towards establishing the CA’s liability as contractual in nature, based on its contracts, certification practice statements, and notices in certificates, subject to rules which protect consumers.

The availability of insurance is a recent trend. Several years ago, CAs claimed that insurance was not available to underwrite risks as it was not possible for insurance companies to assess the level of potential risk. CAs lobbied governments to recognize and uphold limits of liability and limitations of liability in contracts and notices to third parties. The availability of insurance may relieve governments from lobbying for this particular issue. However, governments retain an interest in consumer protection and may continue to monitor the CA industry to ensure that responsible practices are developed and that business is not conducted at the expense of the consumer.

Although governments have previously been lobbied to harmonize liability regimes for international commerce, no statement was made at the Copenhagen hearing that governments should take active steps to harmonize liability regimes internationally or even to legislate limitations of liability in favour of CAs. Instead, it was suggested that governments would not succeed in harmonizing liability schemes. With the increasing availability of insurance, it may be premature for governments to engage in liability harmonization initiatives.

At this time, there seems to be a trend not to regulate a liability scheme for CAs, but simply to let CAs manage their risks and compete in the marketplace, according to their willingness to accept liability, subject to current rules on contracts and consumer protection. The immediate concern of governments will be to monitor how CAs and insurance companies collaborate to manage the CA’s risk and to assess how CAs act towards consumers. The policy questions posed in the theme paper may then be reviewed in light of developing trends.

Summary

One of the first reactions of some governments to digital signature technology was to legislate all aspects of digital signatures and related activities. The aims of this legislation were to ensure a level of trust in the use of digital signature and in the conduct of CAs by setting minimum standards of both the digital signature and the CA itself; and to confer a benefit on CAs by recognizing limits to their liability, thereby encouraging CA activity. However, this legislation tended to be restrictive in scope and effect. Also, it is considered that legislation had the effect of discouraging CA activity. Also, the Copenhagen hearing brought to light the understanding that the term "digital signature legislation" is imprecise. Contrary to other kinds of legislation which deal with specific and discrete subject matters, such as traffic, taxation, sales legislation and crime, the scope and content of digital signature legislation may vary from government to government.

It was strongly suggested that digital signature legislation be introduced – when needed – to balance a number of objectives:

1. To provide a foundation for the acceptance and recognition of electronic signatures;
2. To establish minimum standards of conduct to protect users consumers
3. To justify the automatic recognition of electronic signatures, without eliminating the potential to justify the recognition of other forms of electronic signatures;
4. To ensure that legislation which establishes minimum requirements does not impose the use of digital signatures;
5. To ensure that legislation does not unnecessarily or unintentionally hamper the development or use of new technologies or the commercial activities of certification authorities; and
6. To recognize the use of clauses in contracts, CPS and certificates, where appropriate, to establish obligations and liabilities among CAs, subscribers and relying parties.

In particular, governments were cautioned to provide for legal recognition by making minor adjustments to the current statutory framework instead of building a new a new statutory framework on digital signatures to replace paper-based rules. Overall, the general message to governments is the following: if governments intend to create a set of common minimum requirements in order to achieve legal recognition on a harmonized basis, the potential to use other technologies and to prove their merit for the purpose of legal recognition must be preserved.