
Seen this already?



Planete seems to be down, too bad!

But here:

For several months French authorities have quietly begun to build the
world's first "key recovery" encryption scheme, scheduled to take
effect early in 1997. But a leaked letter sent to the official
security agency, the SCSSI, reveals that the so-called "trust" has
some limitations in the draft project.

The proposal, called a "decret d'application," is a prime ministerial
decree scheduled to be issued after the Telecommunications Reform Act
of July 27, 1996
(http://www.telecom.gouv.fr/francais/activ/telecom/lrt96.htm). In
France, a law takes effect only after the government signs it as a
decree.

The decree will define the business conditions of future "trusted
third party" (TTP) systems -- in French referred to as "tiers de
confidentialite," or a "privacy third party" -- and stresses the
difference between the two basic encryption applications: digital
signature and privacy. These agents will have the role of electronic
notaries, keeping crypto keys in custody for law enforcement or
national intelligence purposes.

Lambda Bulletin has also learned that French authorities won't impose
the "key recovery" scheme as a "mandatory" one. Yet it seems clear
that a company will not be able to do business as usual if its
encryption systems aren't certified by TTPs.

Is this good news for individual users? It's not certain: The law says
that crypto is legal *only* if keys are kept in custody. It won't be
mandatory -- however if you get caught using PGP, it could be
considered as a criminal offense.

The letter obtained by the press is signed by Jean-Claude Jouas,
president of the computer security think tank CLUSIF, and addressed to
General Jean-Louis Desvignes, head of the SCSSI. The CLUSIF represents
security-related executives from large French companies (some of which
are state-owned, such as Bull and Thomson) and also from private
consultancies. The SCSSI decided, after intense lobbying, to meet the
industry think tank -- which strongly suggests that the CLUSIF saw the
closed-door draft decree.

* Point 1: The letter emphasizes the lack of resolution for important
  questions such as "international exchanges." The letter says: "It
  shall be possible for [future TTPs] to search partners in foreign
  countries in order to make these international exchanges a reality,
  if these partners are ready to respect French national
  legislation...."  The letter goes on to say: "section 5 [of the
  draft decree] presents a 'franco-francais' project," which could
  undermine the basic purposes of TTPs. This national approach could
  create a blow for the OECD initiatives to reach a worldwide
  consensus for encryption policies (as described in previous
  bulletins).

  Stephane Bortzmeyer, speaking for the French Internet Users
  Association, says: "We'll need more than these suggestions for
  allowing a reasonable use of crypto. For instance, the international
  exchanges case is simple: either PGP or SSH use are legal, or people
  [in France] won't be able to subscribe to CERT mailing lists." This
  is because CERT urges its participants to encrypt their
  communications (for integrity reasons).

* Point 2: The so-called "certification" procedures. The CLUSIF says
  "concerning the users' point of view, the most critical point [is]
  the certification of encryption means and technologies which will be
  offered by the [TTP], especially concerning the trust level the
  users will have to afford. [Evaluation and certification] is the key
  point to establish a trusted relationship, and we consider it as
  fundamental to include [this point] in the decree".

  In terms of certification, people can understand that this will
  protect the user from possible illegal duplication of encryption
  private keys, thus helping to prevent illegal interception of
  communications. If these certification procedures are not scheduled
  in the draft, people could consider it as a reason for an additional
  lack of trust.

* Point 3: The think tank severely notes that "there is nothing
  scheduled in the draft in the case of legal disputes ... between the
  user and the third party." Litigation could erupt if the TTP
  gives up a user's private keys to unauthorized parties (i.e., a
  competitor or a curious, wiretapping official...).

Epilogue: The SCSSI says the final decree could be published by the
end of this month. Lambda personal bet: It might be published on
Friday, December 27th. (The previous crypto legislation, in 1990, was
passed as law on December 29 -- and the decrees for it were officially
signed in 1992, on December 28.)

P.S.: The whole CLUSIF letter will be published in the French version
of this bulletin (check the Web site: http://www.freenix.fr/netizen)


* * * * *
Short Notes
* * * * *

* OECD update: The OECD draft guidelines of the crypto expert group
have been revealed in Austria. Check:
ftp://ftp.netsphere.co.at/Public/OECD/oecd.doc This is the document
that was amended during the September 26-27 meeting in Paris, thus
there have been changes since then.

* EPIC conference proceedings: It's a long time after the event, but you
can read the English version of a report on the crypto conference EPIC
organized in Paris on Sept. 25, on the eve of the OECD meeting. Check
the Planete Internet Web site (English translation by K. N. Cukier):
http://194.51.213.12:80/interface/SendPage.exe?ID=389

* EF-Sverige: One Lambda subscriber advises people interested in
cyber-rights in Sweden to check EF Sverige, independent from the
US-based organization (although, as for EF France and others, the EFF
has given them the right to use the name EF-Sverige). Check their web
page at: http://connectum.skurup.se/~annami/ EF-Sverige was founded
by two journalists: Anna-Mi Wendel <annami@connectum.skurup.se>, the
chairman, and Peppe Arninge <journalist@peppe.pp.se>, a member of the
board.