Re: EU Rejects GAK
> ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Sorry, I got the URLs wrong, and for some reason the interesting
parts of the summary got cut off.
http://www.ispo.cec.be/eif/policy/97503exec.html
ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
Towards A European Framework for Digital Signatures And Encryption
EXECUTIVE SUMMARY
Introduction
Open electronic networks such as the Internet are increasingly being
used as a platform for communication in our society. They have the
capacity to create new businesses, new channels of distribution and
new methods of reaching the customer. They also open up opportunities
to re-engineer business conduct itself. It is now largely expected
that electronic commerce will be one of the key drivers for the
development of the global information society. Electronic Commerce
presents the European Union with an excellent opportunity to advance
its economic integration by means of a "virtual" economic area.
However, the realisation of such developments is hampered by the
observed insecurities typical of open networks: messages can be
intercepted and manipulated, the validity of documents can be denied,
personal data can be illicitly collected. As a result, the
attractiveness and advantage of electronic commerce and communication
cannot be fully exploited.
In order to make good use of the commercial opportunities offered by
electronic communication via open networks, a more secure environment
needs to be established. Cryptographic technologies are widely
recognised as essential tools for security and trust on open networks.
Two important applications of cryptography are digital signatures and
encryption.
Several Member States have announced their intention to introduce specific
regulation on cryptography and some already have done so. For
instance, Germany and Italy have already moved ahead with digital signature
laws. In other Member States internal discussions are taking place,
and some tend to refrain, at least for the moment, from any specific
regulation at all.
Divergent and restrictive practices with regard to cryptography can be
detrimental to the free circulation of goods and services within the
Internal Market and hinder the development of electronic commerce. The
European Union simply cannot afford a divided regulatory landscape in
a field so vital for the economy and society.
The main objectives of this Communication are to develop a European
policy in particular with a view to establishing a common framework
for digital signatures, ensuring the functioning of the Internal
Market for cryptographic services and products, stimulating a European
industry for cryptographic services and products and stimulating and
enabling users in all economical sectors to benefit from the
opportunities of the global information society. As far as timing is
concerned, the Commission considers that appropriate measures ought to
be in place throughout the Union by the year 2000 at the latest. As a
consequence, the Commission intends to come forward with detailed
proposals in 1998 after the assessment of comments on this
Communication.
This is in line with the April 1997 adopted Communication on
Electronic Commerce, where the Commission announced the intention to
prepare a policy aiming at guaranteeing the free movement of
encryption technologies and products, as well as to propose a specific
initiative on digital signatures.
Digital Signatures
Some Member States are in the process of introducing voluntary
schemes, others of mandatory licensing schemes to build trust in
Certification Authorities (CAs) and to encourage legal recognition of
digital signatures. Whilst the development of a clear framework is
welcomed, different national regulatory approaches and the lack of
mutual recognition of each other's regulatory requirements may easily
lead, due to the inherent cross-border nature of digital signatures,
to a fragmentation of the Internal Market for electronic commerce and
on-line services throughout the Union.
In order to stimulate electronic commerce and the competitiveness of
the European industry as well as to facilitate the use of digital
signatures across national borders, a common legal framework at
Community level is urgently needed. Any regulation in the field of
digital signatures must meet two main requirements: create a clear
framework to build trust in digital signatures on one side and be
flexible enough to react to new technical developments on the other
side.
Encryption
Stimulated by the rapid expansion of the Internet, encryption will
become an integral part of personal and business computing. Electronic
commerce as well as many other applications of the information society
will only receive acceptance and will only unfold their economic and
social benefits if confidentiality can be assured in a user-friendly
and cost-efficient way. In open networks, encryption of data is very
often the only effective and cost-efficient way of protecting
confidentiality of data and communications.
Law enforcement authorities and national security agencies are
concerned that widespread use of encrypted communication will
diminish their capability to fight against crime or prevent criminal
and terrorist activities. For this reason, there are reflections in
several Member States to establish regulation on cryptography, in
addition to controls on export and intra-Community shipments. This has
led to a discussion about the need, technical possibilities,
effectiveness, proportionality and privacy implications of such
regulations.
However, nobody can be effectively prevented from encrypting data
(criminals or terrorists can also use encryption for their
activities), e.g. by simply downloading strong encryption software
from the Internet. As a result, restricting the use of encryption could
well prevent law-abiding companies and citizens from protecting
themselves against criminal attacks. It would not, however, totally
prevent criminals from using these technologies.
Proposals for regulation of encryption have generated considerable
controversy. Industry expresses major concerns about encryption
regulation, including key escrow and key recovery schemes. Although
there is a lack of experience, as electronic communication and
commerce have just begun to penetrate economy and society, this
Communication makes some assessments to build a common European
understanding of the subject.
Policy actions in the area of digital signatures
The framework urgently needed at European level should include common
legal requirements for CAs (in particular common requirements for the
establishment and operation of CAs) allowing certificates to be
recognised in all Member States.
In addition, the Commission will monitor the legal developments in
Member States introducing new legislation with the aim of respecting
Internal Market principles and will encourage Member States to rapidly
implement appropriate measures to build trust in digital signatures.
In order to achieve the widest possible acceptance of digital
signatures, Member States should co-ordinate activities to ensure legal
recognition of digital signatures at the latest by the year 2000. The
Commission will evaluate the necessity to provide for the legal
recognition of digital signatures at Community level by harmonising
different national regulation (e.g. form requirements, evidence
rules).
The Community and Member States should take part in or initiate a
dialogue with international organisations, such as the OECD, the
United Nations and the WTO, notably to establish common technical
standards and mutual recognition of regulations.
Policy actions in the area of encryption
The EC Treaty and the Treaty on the European Union fully respect the
competence of Member States with regard to national security and law
enforcement.
To ensure that the development of electronic commerce in the Internal
Market is not hindered and to facilitate the free circulation and use
of encryption products and services the Commission calls upon Member
States to avoid disproportionate restrictions. Moreover, the Commission
will examine whether restrictions are totally or partially justified,
notably with respect to:
* the free circulation provisions of the Treaty, in particular
Articles 30, 36, 52, 56 and 59,
* the principle of proportionality,
* the Council Directive 83/189/EEC of 28.3.1993 laying down a
procedure for the provision of information in the field of
technical standards and regulations and
* the EU Directive 95/46/EC of 24.10.95 on the protection of
personal data.
The Commission also believes that it will be important for Member
States to distinguish "digital signature services" from "encryption
services", because different rules and different goals separate these
two aspects.
Additional measures:
* Adapting the Dual Use Regulation (CE) 3381/94 in view of the
requirements for the cryptographic products market;
* Improving the co-operation of police forces on a European and
international level;
* Working towards international agreements between the Community and
other countries because of the global dimension of electronic
communications and commerce.
Accompanying measures
* Encouraging industry and international standards organisations to
develop interoperable technical and infrastructure standards for
digital signatures and encryption to ensure secure and trustworthy
use of networks.
* Proposal of a Council and Parliament Decision for an INFOSEC II
programme building on the INFOSEC programme carried out from 1992
until 1994. Such a programme would aim at developing overall
strategies for the security of electronic communications, in
particular with a view to provide the user with appropriate
protection systems.
* Continuation of the current projects in the field of digital
signatures and encryption within the 4th framework programme for
Community activities in the field of research and technological
development (1994 - 1998) and launching of new projects within the
5th framework programme (1998 - 2002).
* Support of the use of digital signatures and encryption in EU
services and government administrations.
* Setting up of a European Internet-Forum in 1997 as a means to
inform and exchange information on the regulatory and use aspects
of digital signatures and encryption.
* Organisation of an international hearing on "digital signature and
encryption" at the beginning of 1998.
Timeframe
4.Q./1997: European Internet-Forum
4.Q./1997: Commission proposal to amend the Dual-Use Regulation
1.Q./1998: International hearing
1.Q./1998: Assessment of the comments on the Communication, the
results of the Internet-Forum and the international hearing
2.Q./1998: Proposal for further action (e.g. Directive on digital
signatures)
2.Q./1998: Proposal for an Infosec II programme
1998-2002: Projects within the 5th framework programme
by 2000: Common framework on cryptography put in place throughout the
Union