Select Committee on Trade and Industry Seventh Report


  VI LICENSING OF TRUSTED SERVICE PROVIDERS

59. The Government has proposed a voluntary licensing regime for firms and organisations offering cryptographic services "to generate confidence and thereby promote the market by ensuring that minimum standards of quality and service are met".[160] It is proposed that OFTEL will be the initial licensing authority but "the Government does not rule out delegation of some or all of the licensing functions to an industry body in future".[161] A number of licensing criteria are proposed to be applied to all TSPs which seek a licence. These are that:[162]

  • the owners and directors be fit and proper people to provide cryptographic services
  • the TSP has a registered UK office
  • there exist adequate procedures for vetting employees
  • the TSP is financially viable and can present a plan to outline its business strategy
  • details of any agents used to carry out cryptographic services are known
  • a quality management system is in place, perhaps in line with ISO 9000
  • the TSP has at least sought accreditation under BS 7799 for its information security management
  • the TSP can meet any liability obligations placed on it
  • the TSP can act in conformity with the provisions of the Data Protection Act 1998
  • the ability to generate key pairs for signature and confidentiality services can be demonstrated.

60. In addition, licensed CAs must meet the following criteria:[163]

  • evidence must be provided, where appropriate, that the systems used for generating key pairs and storing the organisation's own private key have been independently assessed from a security perspective
  • certificates issued must contain a range of information including the identity of the service provider, the name of the holder, specific attributes of the holder (eg address), valid period of the certificate, a unique certificate number, an unambiguous statement that the certificate must not be used to validate a key being used to secure the confidentiality of information and any specific limitations on the use of the certificate
  • details must be provided of how key-pairs are generated and, where necessary, distributed; how private signature keys are made known to the user; how users are authenticated; and how certificates can be revoked
  • information on approved signature devices must be supplied to users.

61. Different additional licensing criteria apply to TTPs. These must be able to:[164]

  • demonstrate the security of key storage systems
  • make arrangements, both technical and procedural, to be able to produce any appropriate information which it has in its possession in response to a validated written authorisation within a certain period
  • demonstrate its procedures for authenticating requests for access to keys or other relevant information.

Finally, those TTPs which offer a key-recovery service must demonstrate that they can make available key-recovery information when it is requested and authenticate requests for such information.[165]

Necessity of a Statutory Licensing Regime

  62. Some witnesses questioned the need for a statutory voluntary licensing regime for TSPs, proposing a Government-backed accreditation scheme or industry self-regulation as possible alternatives.[166] The Federation of the Electronics Industry argued that electronic commerce "rules and standards must be industry-led and market-driven" and suggested that a Government licensing scheme "is likely to inhibit exploitation of new technologies, and thus new products and services".[167] The Association of British Insurers stated that "the provision of trusted third party services should be left to market forces rather than be regulated", a point echoed by SAP (UK) Ltd.[168] The Institute for the Management of Information Systems warned of the danger of "licensing regimes becoming a barrier to entry".[169] Baltimore stated that "the imposition of additional licensing constraints on TTPs should reflect identified business needs...The imposition of new and possibly arbitrary constraints will inhibit the competitiveness of UK suppliers without achieving any positive benefit".[170] Interforum told us that "we cannot see the reason for the introduction of licensing for certification authorities" and urged instead the establishment of a "voluntary code of conduct...reinforced by a 'kite mark'".[171] A point frequently made in response to the DTI's consultation document was that the Government's proposal for a voluntary licensing scheme was an oxymoron that amounted to nothing more than an accreditation process unnecessarily operated by the Government.[172] APACS told DTI that "'voluntary licensing' is more akin to an accreditation scheme than to a regulatory framework, and we suggest that the name be changed to reflect the reality of the proposal".[173]

63. Support for the proposed licensing regime was offered by the Internet Service Providers' Association and Racal Telecom.[174] The Federation of Small Businesses urged the Government to establish a mandatory licensing scheme for TSPs "to increase public and business acceptance of the security of e-commerce".[175] The British Chambers of Commerce warned of the "dangers implicit in relying on an unlicensed certificate".[176] Consumers' Association recognised that "the proposals for licensed encryption services could help to increase the confidence of some consumers about transactions on the internet" but expressed concerns that the licensing regime might prove unduly burdensome on SMEs.[177]

64. We acknowledge the need for some form of accreditation scheme relating to TSPs to persuade firms and individuals "standing on the edge of the e-commerce lake wondering whether it is really safe to dive in" that electronic commerce is as safe and reliable as traditional forms of commerce.[178] In particular:

  • consumers and SMEs may be persuaded to use the services of TSPs, and thus more fully engage in electronic commerce, if TSPs are accredited because it will be perceived that such organisations are well managed, financially viable and technically competent.[179] Nevertheless, if some consumers and firms wish to use non-accredited providers, including overseas TSPs, we see no reason why they should not be able to do so
  • we perceive a danger that, without an accreditation scheme, the TSPs market might be dominated by firms whose brand names are already well-established with consumers, at the expense of potential new entrants and small firms.[180] Accreditation can create a level playing field to the benefit of all TSPs who seek a licence and their customers.

65. An outstanding, and familiar, question is the extent to which the Government should be involved with the accreditation process and whether statutory backing for accreditation is necessary. Whereas it could be argued that Government establishment and oversight of a licensing regime increases consumer confidence and ensures that all commercial interests involved in the market, large or small, can be treated even-handedly, a statutory licensing regime might be slow to set-up, inflexible and unduly bureaucratic, particularly in relation to a new, swiftly-developing industry. In such circumstances, it would not be unusual for the Government to allow industry to develop a non-statutory accreditation scheme, open to enforcement by public authorities such as the Office of Fair Trading, with the possibility of a statutory licensing regime being introduced at a later date if self-regulation was seen to fail consumers or unduly benefit certain sections of the market.[181] With regard to TSPs, we see merit in DTI sponsoring a voluntary, non-statutory accreditation scheme, perhaps with the assistance of the British Standards Institute, drawing on the results of the recent consultation exercise about possible licensing conditions for TSPs. Such a scheme could be established much more quickly than a statutory regime reliant upon primary and secondary legislation and would be able to adapt more quickly to technological and other changes. It would also be in accordance with the approach to regulation recently outlined to us by the Secretary of State.[182] We recommend that the Government sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and service providers but which is not grounded in legislation. 
We think it prudent that the Government take powers to establish a statutorily-backed scheme but recommend that these powers are held in reserve unused unless and until it is demonstrated that a voluntary scheme fails to protect the interests of all consumers and service providers.

All or Nothing Licensing Approach

  66. DTI indicated during autumn 1998 that TSPs seeking a licence for one cryptography service would also need to be licensed for any other cryptography service they wished to offer — the so-called "all or nothing" approach.[183] Witnesses were almost unanimous in their rejection of this approach.[184] They argued that it was inflexible and restrictive;[185] and that, by linking the licensing of cryptographic services to the legal status of electronic signatures, it represented an attempt to introduce mandatory key escrow by the back door.[186] We were pleased to find that DTI has withdrawn its support for the "all or nothing" approach.[187] DTI remain concerned, however, that "there could be a danger of confusion for consumers of these services if a single company comes forward and says, 'I am doing some of what I do on a licensed basis and some of what I do on an unlicensed basis'".[188] We acknowledge that this could be a concern, especially in situations where the same key pair is used both to generate an electronic signature and for encryption. Nevertheless, it is important not to burden an immature and rapidly developing market with regulatory restrictions based on theoretical problems. Some respondents to DTI suggested a kite mark or seal be used to distinguish licensed from unlicensed services.[189] Others emphasised that legislation already exists to tackle situations in which firms mislead consumers about whether or not they are licensed to carry out a particular function.[190] It is not unusual for firms in the financial services sector, for example, to carry out activities some of which are licensed by different bodies, and some of which require no licence. We see no reason why existing means of distinguishing licensed or accredited services from unlicensed or non-accredited services cannot be applied successfully to TSPs.

The Role of OFTEL

  67. The Government has proposed that the "power to issue and modify licences and monitor compliance against the licensing conditions" will be conferred on the Secretary of State for Trade and Industry, who will be able to delegate those powers to another body, which will itself be able to contract out some of its functions. It has decided to "designate OFTEL as the initial licensing authority", but "may decide to retain some aspects of licensing within DTI".[191] OFTEL has indicated that it would wish to contract out some of the functions associated with its proposed licensing role.[192] It told us that "we would not ourselves be vetting the companies in vast detail; we see that there are already bodies better skilled in the forensics of what is necessary to carry out this role who would report back to us and to government generally about the suitability of people to be accredited at whatever standards are agreed".[193] There is a danger that TSPs and their customers will be confused by the multi-layered design of the proposed statutory licensing regime. We would welcome early clarification by DTI and OFTEL of how the proposed licensing regime will work in practice, were it to be introduced.

68. OFTEL told us that it was the appropriate body to act as licensing authority because:[194]

  • it already regulates other advanced services using telecommunications networks, some of which share characteristics in common with cryptographic services
  • it works closely with Home Office and DTI on security matters
  • in other areas it contracts out specific functions related to licensing, for instance its role in approving metering systems for Public Telecommunications Operators, where the British Approval Board for Telecoms vets the system on OFTEL's behalf.

OFTEL envisages an "active supervisory role" in relation to licensed providers. It informed us that this role would include initial vetting and accreditation of TSPs; on-going supervision on a regular or spot-check basis; investigation of complaints; and enforcement of standards where required.[195] OFTEL may also be given some responsibilities in respect of unlicensed TSPs, including in cases where such TSPs claim either to be licensed or to meet the licence criteria.[196]

69. Some witnesses contended that OFTEL was not best placed to act as the licensing authority for TSPs.[197] The Institute for the Management of Information Systems argued that licensing of TSPs should be geared towards consumer protection rather than the regulation of cryptography and that the licensing authority should be the Office of Fair Trading or the Financial Services Authority.[198] British Telecommunications, calling for a "fresh approach" to be taken to the licensing of TSPs, indicated that it did not believe OFTEL was competent to be sole regulator of all the issues concerned with cryptography.[199] APACS told DTI of its doubts about OFTEL's ability to handle electronic commerce issues and urged that a new regulatory body be established.[200] The Federation of the Electronics Industry, arguing that the licensing scheme should be dropped altogether, put forward the EMERITUS project, of which it is a co-sponsor, as a suitable vehicle for the promotion of a self-regulatory approach.[201]

70. Some respondents did back OFTEL's selection as licensing authority for CAs.[202] One influence on the Government's choice of OFTEL as licensing authority was that "there is no established industry body with procedures to undertake the licensing function yet".[203] The delegation of "some or all of the licensing functions to an industry body in future" has not been ruled out by DTI.[204] We recommend that, if DTI intends to establish a statutory licensing scheme, it spell out which licensing functions it would be prepared to delegate to an industry body in future and which it would prefer a public sector body to perform; and that it set out the criteria an industry body must meet in order for it to be considered as the licensing authority for TSPs.

Licensing Conditions

  71. Respondents to DTI's most recent consultation exercise were critical of several aspects of the detailed licensing conditions proposed to be applied to TSPs, suggesting that they were:[205]

  • unduly burdensome or prescriptive[206]
  • biased towards UK firms, for instance because of the reference to BS7799 and the requirement for TSPs to have a registered office in the UK[207]
  • biased against non-EU firms. Several witnesses stressed the importance of the rapid establishment of an international scheme for the mutual recognition of certificates issued in different countries, especially as the two largest CAs presently in existence are based outside the EU.[208] Baltimore told DTI that its consultation document "does not take into account the current trend towards international standards for inter-operability between security products" and that its proposed licensing scheme might therefore be "ineffectual".[209] There is a danger that the EU directive will facilitate the creation of a European certification regime which will act as a barrier against those CAs operating outside of the EU[210]
  • unduly influenced by the discredited key escrow policy. Dr. Michael Roe of Cambridge University told DTI that the requirement for a certificate to contain an "unambiguous statement that the certificate must not be used to validate a key being used to secure the confidentiality of information" was ambiguous, unjustified and intended only to prevent a customer from simultaneously using a licensed CA and unlicensed TSP in order to avoid key escrow.[211] Hewlett Packard thought the condition "raises quite unfounded suspicions as to the Government's intent".[212] The European Electronic Signatures Working Group and European Encryption Working Group suggested that the proposed condition on TTPs to demonstrate the security of their key storage systems could be interpreted as requiring licensees to offer key escrow[213]
  • impracticable. The Post Office described the requirements of the EU Electronic Signatures Directive, reflected in the Government's proposals, for substantial and specific information to be included on certificates as "impracticable", particularly if signatures and certificates were to be lodged on smart cards[214]
  • not technology neutral. Respondents suggested that the criteria presumed TSPs generated key pairs, although key pairs could, and maybe should, be generated by the user. It was argued that the requirement for CAs to "submit details of how an asymmetric key-pair is generated" should be placed on the supplier of the "approved signature generation product" mentioned in the consultation document[215]
  • imposed one particular model on the TSPs market.[216] It was argued that it should be allowed for certificates to be issued to specific roles (eg "the managing director") rather than to named individuals;[217] and that revocation of certificates might not be appropriate in such cases.[218] It was suggested that different criteria might be necessary for certification of signatures used for low-value transactions[219]
  • ambiguous. Respondents questioned whether "prior physical identification by the CA" of an applicant for a certificate would be necessary for every certificate requested over time, and how this would be possible for overseas CAs selling services in the UK;[220] noted the absence of a time limit within which law enforcement access to private encryption keys or other relevant information would be required;[221] and criticised the requirement that TTPs have procedures for authenticating requests for law enforcement access when it was not yet known what material might be requested and what form such a request might take.[222]

72. Respondents also suggested some alternative criteria to be applied to TSPs, including that:

  • there should be a requirement on CAs not to reveal a user's private key, if they know it[223]
  • the material supplied by TSPs to the licensing authority should be made publicly available.[224] Zeneca suggested an audit procedure for CAs[225]
  • reasonable time limits should be set for key services, including the revocation of certificates[226]
  • mechanisms should be in place to detect when CAs' procedures have failed in some way[227]
  • NCIS argued that the licensing condition on key generation should prevent TSPs using the same key for signature and confidentiality purposes; it also advocated, in relation to TTPs, "the inclusion of a licensing condition that required licensed confidentiality service providers to use products that had a key recovery or key escrow facility included, whilst not actually requiring that it must be used" and suggested that "applicants for a licence must lodge a copy of their software prior to its general release or such generic information to adequately describe a series of products if they are similar".[228]

73. A comparison of the 1997 and 1999 DTI consultation documents would suggest that little effort has been devoted over the last two years to considering the detailed licensing criteria to be applied to TSPs, or the effect of such criteria on the market. The responses to the most recent consultation document suggest that much work needs to be done before the criteria are set out in law, by statutory instrument.[229] ICL recommended that the licensing scheme be redesigned from first principles now that key escrow has been dropped as a licensing criterion.[230] The importance of getting the criteria right cannot be underestimated. The Post Office warned us that "the UK may lose business and jobs to jurisdictions such as Ireland and Canada with relatively commerce-friendly licensing schemes" if DTI establishes a restrictive scheme.[231] The licensing criteria for TSPs recently set out by DTI are not fit to be written into law. Unless they are improved, then the licensing system will be a damaging and embarrassing failure. We invite the Government to inform Parliament how it intends to work with electronic commerce providers and users to design more suitable criteria.


160   Consultation 99, paragraph 33

161   Consultation 99, paragraph 41

162   Consultation 99, Annex A part I

163   Consultation 99, Annex A part II

164   Consultation 99, Annex A part III

165   Consultation 99, Annex A part IV

166   Various responses to Government disagreed with or strongly questioned the notion of a statutory voluntary licensing scheme, including Cable & Wireless pp4, 5, Computer Weekly p2, Berwin Leighton p4, Alliance for Electronic Business paragraph 1.5 and chapter 3, APCIMS p2, Association of Pharmaceutical Importers section VI, CACIB p3, Demon Internet/Scottish Power section 4, IUA p3, Hewlett Packard (main submission) p6, Intel pp1, 3, Tucker Turner Kingsley Wood and co paragraph 11, Dr. B. Gladman p5, IBN Ltd p2, SAP(UK)Ltd paragraph 3.3.1, CommerceNet UK pp9-10, Corporation of London p2, Charles Schwab p6, FIPR p4

167   Ev, p65 section 3; and see Q136

168   Ev, p253 paragraph 3.1, p255 paragraph 4.3; also Ev, p226, p288

169   Ev, p221 paragraph 28

170   Ev, p241 paragraph 3.1.2; and see Qq 137-8, also Ev, p267 paragraphs 19-21, p295

171   Ev, p260

172   For instance, Ev, p47 paragraph 4.2 and responses to Government from EURIM p2, Baltimore paragraph 3.2.9

173   Response to Government from APACS, p3, Law Society section III.1

174   Ev, p81 paragraph 1.2, p172 paragraph 16, p239 paragraph 3.2; also Qq 82, 337-9; and responses to Government from Racal Telecom paragraph 3.1, Consumers' Association p2, RICS p2, Royal & Sun Alliance p1, Pinsent Curtis p2, Neil Hare-Brown

175   Ev, p39; response to Government from the Real Time Club paragraph 13

176   Response to Government from the British Chambers of Commerce pp1-2

177   Ev, p263 section 3

178   Q564

179   Cable & Wireless put an alternative argument to us, that "voluntary licensing may also be counter-productive. Instead of promoting trust, the perception that e-commerce requires a licensing system may serve to alarm potential users rather than reassure them" - Ev, p267 paragraph 21

180   See Ev, p47 section 2 on British Telecommunications' suggestion of a 'quality mark' for new entrants

181   For instance, in relation to the grading of hotels and guest houses, see HL Deb, 14 Apr 99, cc772-3

182   In oral evidence to the Committee, 20 April 1999 (Q63)

183   Q570; see paragraph 30

184   Responses to Government from British Steel p1, British Computer Society p5, Royal & Sun Alliance p1 and the Association of British Insurers (ABI) paragraph 3.9 all expressed some support for the concept of the "All or Nothing" approach

185   Q49; Ev, p3 section 5, p47 paragraph 4.2, pp65-6 section 4, p81 paragraph 1.3, pp157-8 annex 1 paragraphs 2.3-2.6, p216, p257 paragraph 3.7; see responses to Government from BBA p2, Post Office paragraphs 6.2.2-6.2.4, CACIB p3, Demon Internet/Scottish Power section 4, Berwin Leighton p4

186   Q159; Ev, pp37-8 section B, pp109, 216; See footnote 136 re distorting market

187   Q570

188   Q570; Consultation 99, paragraph 39

189   For instance responses to Government from Barclays p5, Zeneca p3, APACS section 8 p8, BBA p3, Post Office paragraph 6.2.1, British Telecommunications paragraph 14, Amazon.co.uk p4, NatWest p3, Computing newspaper p3, Corporation of London p2, Reuters p2, Protek p1 and Alliance and Leicester p2

190   Responses to Government from Microsoft section 2.b.4, EESWG section IV, Demon Internet/Scottish Power section 4; Consumer Communications for England paragraph 9 thought that the law might need to be strengthened in this area

191   Consultation 99, paragraphs 40-1

192   Some respondents to Government cautioned against the delegation of responsibilities in this area by OFTEL - see Vodafone paragraph 22, Energis paragraph 2.5, Cable & Wireless p4

193   Qq388, 392; see the response to Government from UKAS on its possible role

194   Q388; Ev, p137 paragraph 12

195   Q389; Ev, p137 paragraph 10

196   Q391

197   Doubts were expressed to Government from LIBA p3, Energis paragraph 2.5, Charles Lindsey paragraph 53 and Morgan Stanley Dean Witter p3

198   Ev, pp219-20 paragraphs 17, 25; also responses to Government from EEMA p2, CACIB p3, FIPR p2, Demon Internet/Scottish Power section 4, Society of Justices' Clerks p3; LIBA p4 argued that providers of financial services should be exempt from regulation by OFTEL

199   Qq104-5; Ev, p47 paragraph 4.2; also response to Government from British Telecommunications paragraph 13

200   Response to Government from APACS section 7 p8; and see responses from IEE p3, Mercedes-Benz Finance pp2, 3 and Charles Lindsey paragraph 3.2, who advocated a joint industry/Government body

201   Ev, p66-9 section 5 and annex A; and Qq160-1

202   Q483; responses to Government from Racal Electronics paragraph 3.6, Cable & Wireless p4, AOL Compuserve p3

203   Qq568-9

204   Q569; Consultation 99, paragraph 41

205   Also see Annex A of this Report for further points

206   Ev, p325 paragraph 4.3.3; responses to Government from LIBA p4, SAP(UK)Ltd paragraph 3.3.2, Energis paragraphs 2.5, IBN Ltd p4; also see responses from Intel p4 and the Post Office paragraph 5.2 on the inflexibility of the criteria

207   For instance responses to Government from Herald Information Systems section 12, Richard Hill p2, Andersen Consulting p2, Post Office paragraph 5.2, British Telecommunications paragraph 20, Demon Internet/Scottish Power Annex A1, Berwin Leighton p7, David Goodenough Associates p3; for more details about BS7799 see DTI Press Notices 98/326, 28 Apr 98 and 99/347, 28 Apr 99

208   The US firm Verisign and South African firm Thawte are the two largest CAs in the world at present according to the response to Government by Herald Information Systems, paragraph 3 iii; also see Ev, pp323-4 section 3 and paragraph 4.2.1; responses to Government from Federation of the Electronics Industry, Andersen Consulting pp2-3, Intel p3

209   Response to Government from Baltimore, paragraph 2.1.4

210   Com(98)297, article 7; and response to Government from EESWG section I.A.1

211   Response to Government from Dr. M. Roe section 3.1; and see responses from Herald Information Systems section 12, APACS p16, EURIM p5, Liberty p5, Computing newspaper p3, LIBA p3, Dr. B. Gladman p7, Vodafone paragraph 33, Post Office paragraph 7.4, Demon Internet/Scottish Power Annex A, Phillip Hallam-Baker p3; also see Reuters p2 and Marconi pp2-3

212   Responses to Government from Hewlett Packard (first submission) p3, Charles Lindsey paragraph 3.1

213   Response to Government from EESWG p8; also from BBA p4, Alliance for Electronic Business paragraph 4.3

214   Ev, p158 annex 1 paragraph 2.8; also responses to Government from APACS p16, Barclays p7; and see from Reuters p2

215   See responses to Government from Dr. M. Roe sections 3.1-3.2, Herald Information Systems sections 6, 12, Microsoft section 6, Ken Brown pp3-4, Robert Goldstein, APACS p16, Brokat AG section III.B, Institute of Directors p2, BBA p4, Post Office paragraph 5.2, British Telecommunications paragraph 22, British Computer Society p8, NatWest p2, Reuters p2, Demon Internet/Scottish Power Annex A1, 2, David Goodenough Associates p2, CommerceNet UK p11, Berwin Leighton pp4, 7-8, MacRoberts p14

216   Responses to Government by Barclays p7, APACS pp1, 2, 7, British Computer Society p9, NatWest p1

217   Responses to Government by Herald Information Systems section 12.vi, Microsoft section 6b p9, APACS section 7, Demon Internet/Scottish Power section 2

218   Responses to Government by Microsoft section 6b p9, APACS p16

219   Responses to Government by Microsoft sections 2.b.i and 6a, Nationwide paragraph 3.2, Hewlett Packard (first submission) p2

220   Responses to Government by Herald Information Systems section 12 viii, Microsoft section 6b p9, Experian; and from ABI paragraph 3.6, British Telecommunications paragraph 23, Demon Internet/Scottish Power Annex A2

221   Response to Government from Herald Information Systems section 12.ix; Consultation 97 (paragraph 78)

222   Response to Government from Herald Information Systems section 12.x

223   Responses to Government from Skygate Technology p3, Dr. M. Roe section 3.2; and see paragraph 78 on duty of care

224   Response to Government from Ken Brown p3; and see Hewlett Packard (final submission) p8

225   Response to Government from Zeneca p5

226   Response to Government from ABI paragraph 3.6

227   Response to Government from British Computer Society p4

228   Response to Government from NCIS paragraphs 21-26

229   See paragraph 115

230   Response to Government from ICL (first submission) section 5 p3

231   Ev, p158 annex 1 paragraph 2.6


 

© Parliamentary copyright 1999
Prepared 18 May 1999