1997-08-11 - [Fwd: fwd: Digital Signature Amendment in US House Today]

Header Data

From: Robert Hettinga <rah@shipwright.com>
To: cypherpunks@toad.com
Message Hash: f1436140e472d85390ac1d3528e2461a9e21c967d1104919bdc997cd22185c2d
Message ID: <v03110736b014ddf6741b@[139.167.130.246]>
Reply To: N/A
UTC Datetime: 1997-08-11 16:25:54 UTC
Raw Date: Tue, 12 Aug 1997 00:25:54 +0800

Raw message

From: Robert Hettinga <rah@shipwright.com>
Date: Tue, 12 Aug 1997 00:25:54 +0800
To: cypherpunks@toad.com
Subject: [Fwd: fwd: Digital Signature Amendment in US House Today]
Message-ID: <v03110736b014ddf6741b@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain
--- begin forwarded text


MIME-Version: 1.0
Date:         Thu, 7 Aug 1997 14:03:23 -0400
Reply-To:     Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
Sender:       Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
From:         Dan Greenwood <dan@CIVICS.COM>
Subject:      [Fwd: fwd: Digital Signature Amendment in US House Today]
To:           DIGSIG@VM.TEMPLE.EDU

FYI

Received: from mailhub.state.ma.us (mailhub.state.ma.us [146.243.12.156]) by
 maildeliver0.tiac.net (8.8.0/8.8) with ESMTP id NAA19610 for <dan@civics.com>;
 Thu, 7 Aug 1997 13:51:57 -0400 (EDT)
Received: from vinesgw1.state.ma.us by mailhub.state.ma.us; Thu, 7 Aug 1997
 13:57:05 -0400
Received: by vinesgw1.state.ma.us; Thu, 7 Aug 97 13:51:10 EDT
Date: Thu, 7 Aug 97 12:44:41 EDT
Message-ID: <vines.KW59+shTunA@vinesgw1.state.ma.us>
X-Priority: 3 (Normal)
To: <digsig@lists.state.tx.us>
Cc: "Gutierrez-ANF, Louis" <Louis.Gutierrez@state.ma.us> (louis gutierrez)
From: "Greenwood-ITD, Dan" <Dan.Greenwood@state.ma.us> (dan greenwood)
Subject: fwd: Digital Signature Amendment in US House Today
MIME-Version: 1.0
Content-type: text/plain;
               charset=US-ASCII

Hello,

Below, please find a NIST legislative effort to set national PKI standards
- including CA and digital signature standards ("The Panel shall develop
. . . standards to ensure consistency among jurisdictions that license
certification authorities").  To the credit of the drafters of this
amendment, they do seek some participation by state gov. and other
stockholders to inform the process.  Also to their credit, they are seeking
ways to develop national uniformity in this area generally.

Questions: why is this focused on the license of CAs and not on the more
desirable "accreditation" standards that must be developed?  Perhaps it is
for the good that accreditation of CAs remain primarily a private sector
activity (outside the scope of Federal government direct control and
regulation) - but this NIST language seems to assume multi-jurisdictional
license of CAs (what other requirements will the federal government seek to
impose through license - key escrow?  pricing? particular technological
implementations?  pre-conceived business models?)  What will be the market
impacts of such license requirements?

This raises some interesting questions about where to strike the optimal
balance between top-down federal government's national consistent standards
versus working with private sector leadership/self-governance organizations
to develop national standards (hence allowing more innovation,
responsiveness to change and (I believe) better standards for this very
dynamic and young area).  Can this be done through "license" - perhaps so.
Assuming we create the right license criteria - such as: "you are deemed to
be licensed if you have been accredited by XXX") - then we just need to
make sure that accreditation (or some level of accred) is minimally
adequate for the interests that would have been served by license.

For that matter, the question should be asked "licensed to do what?"  If
the federal government has a particular federal agency that needs to accept
outside certificates to authenticate a citizen or business, then I can see
them requiring that the issuing CA be licensed.  Beyond such a scenario,
why should the federal government require CAs to be licensed just to do
business?  If license is voluntary and not mandatory - what government
benefits or harms would follow from being licensed or not? Will export
control be used to force compliance with license requirements?

The federal government can lend a helpful hand in the process of designing
appropriate license criteria for federal programs, and that criteria could
be useful at the state gov. and private sector levels as well.  However, it
seems to me that it would be unwelcome and unwise at this point in time for
the federal government to arrogate to itself the power and jurisdiction to
regulate this industry in a complete way through license (it has been said
that the power to tax is the power to destroy - that goes double for the
power to license).  In the future, if there develops a demonstrable problem
with consistent CA practices evolved by market based solutions  (as
facilitated by accreditation), then I think a credible case could be made
at that time for the federal government to step in with some standards in
the interests of inter-state commerce.  At that time, any standards should
be narrowly tailored to actual market failures and specific non-uniformity
issues.  Until then, we should use the considerable resources envisioned by
the amendment (see below) to encourage private sector leadership and
innovation in this area.

Of course, through purchase power, the public sector has the right and the
obligation to apply pressure through aggregation of demand as a way to get
interoperable products.  Any such pressure should be exerted in a manner
that is consistent with current private sector electronic commerce
practices and needs.  It is relevant to point to the NASIRE CA
accreditation initiative in this regard, which is an important effort to
work with the private sector to create voluntary standards for the use of
digital signature technology.

Regards,
Dan
-------------
Original Text
From: Adam White Scoville <adville@cdt.org>, on 7/28/97 5:56 PM:
To: ""Greenwood-ITD

Hello -
I'm glad we touched base at the NIST conference - I still would like to ask
you a couple questions on the pre-emption issue. But first, the point of
_this_ message is that I thought you would be interested to know that the
Technology Subcommittee of the House Committee on Science added about an
hour ago this amendment (among others) to HR 1903, the NIST "Computer
Security Enhancement Act of 1997."
(a) National Policy Panel - The Under Secretary of Commerce for Technology
shall establish a National Policy Panel for Digital Signatures, composed of
nongovernment and government technical and legal experts on the
implementation of digital signature technologies, individuals from
companies offering digital signature products and services, State
officials, including officials from States which have enacted statutes
establishing digital signature infrastructures, and representative
individuals from the interested public.
(b) Responsibilities - The Panel shall serve as a forum for exploring all
relevant factors associated with the development of a national digital
signature infrastructure based on uniform standards that will enable the
widespread availability and use of digital signature systems. The Panel
shall develop -
(1) Model practices and procedures for certification authorities to ensure
accuracy, reliability, and security of operations associated with issuing
and managing certificates;
(2) standards to ensure consistency among jurisdictions that license
certification authorities; and
(3) audit standards for certification authorities.


Adam White Scoville
Center for Democracy & Technology


Adam White Scoville
adville@cdt.org
adam.scoville@bc.edu

If you wish to send me a secure message, encrypt it with PGP, using my
public key available at <http://www2.bc.edu/~scovilad/pgp.txt>. For more
information about PGP and encryption, visit <http://www.pgp.com>. A free
version of PGP (for  MacOS and Windows) is available at
<http://web.mit.edu/network/pgp.html>. A free version of the popular Eudora
mail program (also for both MacOS and Windows) which incorporates PGP is
available at <http://www.eudora.com/export>.

--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/