[Fwd: fwd: Digital Signature Amendment in US House Today]
--- begin forwarded text

MIME-Version: 1.0
Date: Thu, 7 Aug 1997 14:03:23 -0400
Reply-To: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
From: Dan Greenwood <dan@CIVICS.COM>
Subject: [Fwd: fwd: Digital Signature Amendment in US House Today]
To: DIGSIG@VM.TEMPLE.EDU

FYI

Received: from mailhub.state.ma.us (mailhub.state.ma.us [146.243.12.156]) by maildeliver0.tiac.net (8.8.0/8.8) with ESMTP id NAA19610 for <dan@civics.com>; Thu, 7 Aug 1997 13:51:57 -0400 (EDT)
Received: from vinesgw1.state.ma.us by mailhub.state.ma.us; Thu, 7 Aug 1997 13:57:05 -0400
Received: by vinesgw1.state.ma.us; Thu, 7 Aug 97 13:51:10 EDT
Date: Thu, 7 Aug 97 12:44:41 EDT
Message-ID: <vines.KW59+shTunA@vinesgw1.state.ma.us>
X-Priority: 3 (Normal)
To: <digsig@lists.state.tx.us>
Cc: "Gutierrez-ANF, Louis" <Louis.Gutierrez@state.ma.us> (louis gutierrez)
From: "Greenwood-ITD, Dan" <Dan.Greenwood@state.ma.us> (dan greenwood)
Subject: fwd: Digital Signature Amendment in US House Today
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII

Hello,

Below, please find a NIST legislative effort to set national PKI standards - including CA and digital signature standards ("The Panel shall develop . . standards to ensure consistency among jurisdictions that license certification authorities"). To the credit of the drafters of this amendment, they do seek some participation by state gov. and other stockholders to inform the process. Also to their credit, they are seeking ways to develop national uniformity in this area generally.

Questions: why is this focused on the license of CAs and not on the more desirable "accreditation" standards that must be developed?
Perhaps it is for the good that accreditation of CAs remain primarily a private sector activity (outside the scope of Federal government direct control and regulation) - but this NIST language seems to assume multi-jurisdictional license of CAs (what other requirements will the federal government seek to impose through license - key escrow? pricing? particular technological implementations? pre-conceived business models?) What will be the market impacts of such license requirements?

This raises some interesting questions about where to strike the optimal balance between top-down federal government's national consistent standards versus working with private sector leadership/self-governance organizations to develop national standards (hence allowing more innovation, responsiveness to change and (I believe) better standards for this very dynamic and young area). Can this be done through "license" - perhaps so. Assuming we create the right license criteria - such as: "you are deemed to be licensed if you have been accredited by XXX") - then we just need to make sure that accreditation (or some level of accred) is minimally adequate for the interests that would have been served by license.

For that matter, the question should be asked "licensed to do what?" If the federal government has a particular federal agency that needs to accept outside certificates to authenticate a citizen or business, then I can see them requiring that the issuing CA be licensed. Beyond such a scenario, why should the federal government require CAs to be licensed just to do business? If license is voluntary and not mandatory - what government benefits or harms would follow from being licensed or not? Will export control be used to force compliance with license requirements? The federal government can lend a helpful hand in the process of designing appropriate license criteria for federal programs, and that criteria could be useful at the state gov. and private sector levels as well.
However, it seems to me that it would be unwelcome and unwise at this point in time for the federal government to arrogate to itself the power and jurisdiction to regulate this industry in a complete way through license (it has been said that the power to tax is the power to destroy - that goes double for the power to license). In the future, if there develops a demonstrable problem with consistent CA practices evolved by market based solutions (as facilitated by accreditation), then I think a credible case could be made at that time for the federal government to step in with some standards in the interests of inter-state commerce. At that time, any standards should be narrowly tailored to actual market failures and specific non-uniformity issues. Until then, we should use the considerable resources envisioned by the amendment (see below) to encourage private sector leadership and innovation in this area.

Of course, through purchase power, the public sector has the right and the obligation to apply pressure through aggregation of demand as a way to get interoperable products. Any such pressure should be exerted in a manner that is consistent with current private sector electronic commerce practices and needs. It is relevant to point to the NASIRE CA accreditation initiative in this regard, which is an important effort to work with the private sector to create voluntary standards for the use of digital signature technology.

Regards,
Dan

------------- Original Text
From: Adam White Scoville <adville@cdt.org>, on 7/28/97 5:56 PM:
To: ""Greenwood-ITD

Hello - I'm glad we touched base at the NIST conference - I still would like to ask you a couple questions on the pre-emption issue. But first, the point of _this_ message is that I thought you would be interested to know that the Technology Subcommittee of the House Committee on Science added about an hour ago this amendment (among others) to HR 1903, the NIST "Computer Security Enhancement Act of 1997."
(a) National Policy Panel - The Under Secretary of Commerce for Technology shall establish a National Policy Panel for Digital Signatures, composed of nongovernment and government technical and legal experts on the implementation of digital signature technologies, individuals from companies offering digital signature products and services, State officials, including officials from States which have enacted statutes establishing digital signature infrastructures, and representative individuals from the interested public.

(b) Responsibilities - The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards that will enable the widespread availability and use of digital signature systems. The Panel shall develop -
  (1) Model practices and procedures for certification authorities to ensure accuracy, reliability, and security of operations associated with issuing and managing certificates;
  (2) standards to ensure consistency among jurisdictions that license certification authorities; and
  (3) audit standards for certification authorities.

Adam White Scoville
Center for Democracy & Technology

Adam White Scoville
adville@cdt.org
adam.scoville@bc.edu

If you wish to send me a secure message, encrypt it with PGP, using my public key available at <http://www2.bc.edu/~scovilad/pgp.txt>. For more information about PGP and encryption, visit <http://www.pgp.com>. A free version of PGP (for MacOS and Windows) is available at <http://web.mit.edu/network/pgp.html>. A free version of the popular Eudora mail program (also for both MacOS and Windows) which incorporates PGP is available at <http://www.eudora.com/export>.

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... 
however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/