1996-12-05 - Leaked Letter Reveals French Key-Escrow Scheme

Header Data

From: “J. Thorel / Netpress” <jt@freenix.fr>
To: thorel@netpress.fr
Message Hash: fadc762f0fd2795284d7cad0303061d15676003355859331cd4d287c9e328d02
Message ID: <v0300780caecc59a53d1f@[194.51.213.140]>
Reply To: N/A
UTC Datetime: 1996-12-05 11:00:36 UTC
Raw Date: Thu, 5 Dec 1996 03:00:36 -0800 (PST)

Raw message

From: "J. Thorel / Netpress" <jt@freenix.fr>
Date: Thu, 5 Dec 1996 03:00:36 -0800 (PST)
To: thorel@netpress.fr
Subject: Leaked Letter Reveals French Key-Escrow Scheme
Message-ID: <v0300780caecc59a53d1f@[194.51.213.140]>
MIME-Version: 1.0
Content-Type: text/plain


lambda 2.12
* * * * *

For several months French authorities have quietly begun to build the
world's first "key recovery" encryption scheme, scheduled to take effect
early in 1997. But a leaked letter sent to the official security agency,
the SCSSI, reveals that the so-called "trust" has some limitation in the
draft project.

The proposal, called a "decret d'application," is a prime ministerial
decree scheduled to be issued after the Telecommunications Reform Act of
July 27, 1996
(http://www.telecom.gouv.fr/francais/activ/telecom/lrt96.htm). In France, a
law only takes effect after the government signs it as a decree.

The decree will define the business conditions of future "trusted third
party" (TTP) systems -- in French referred to as "tiers de
confidentialite," or a "privacy third party" -- and stresses the difference
between the two basic encryption applications: digital signature and
privacy. These agents will have the role of
electronic notaries, keeping crypto keys in custody for law enforcement or
national intelligence purposes.

Lambda Bulletin has also learned that French authorities won't impose the
"key recovery" scheme as a "mandatory" one. Yet it seems clear that a
company will not be able to do business-as-usual if its encryption systems
aren't certified by TTPs.

Is this good news for individual users? It's not certain: The law says that
crypto is legal *only* if keys are kept in custody. It won't be mandatory
-- however if you get caught using PGP, it could be considered as a
criminal offense.

The letter obtained by the press is signed by Jean-Claude Jouas, president
of the computer security think tank CLUSIF, and addressed to General
Jean-Louis Desvignes, head of the SCSSI. The CLUSIF represents
security-related executives from large French companies (some of which are
state-owned, such as Bull and Thomson) and also from private consultancies.
The SCSSI decided, after intense lobbying, to meet the industry think tank
-- which highly suggests that the CLUSIF saw the close-doors draft decree.

* Point 1: The letter emphasizes the lack of resolving important questions
such as "international exchanges." The letter says: "It shall be possible
for [future TTPs] to search partners in foreign countries in order to make
these international exchanges a reality, if these partners are ready to
respect French national legislation...." The letter goes on to say:
"section 5 [of the draft decree] presents a 'franco-francais' project,"
which could undermine the basic purposes of TTPs. This national approach
could create a blow for the OECD initiatives to reach a worldwide consensus
for encryption policies (as described in previous bulletins).

Stephane Bortzmeyer, speaking for the French Internet Users Association,
says: "We'll need more than these suggestions for allowing a reasonable use
of crypto. For instance, the international exchanges case is simple: either
PGP or SSH use are legal, or people [in France] won't be able to subscribe
to CERT mailing lists." This is because CERT urges its participants to
encrypt their communications (for integrity reasons).

* Point 2: The so-called "certification" procedures. The CLUSIF says
"concerning the users' point of view, the most critical point [is] the
certification of encryption means and technologies which will be offered by
the [TTP], especially concerning the trust level the users will have to
afford. [Evaluation and certification] is the key point to establish a
trusted relationship, and we consider it as fundamental to include [this
point] in the decree".

In terms of certification, people can understand that this will protect the
user from possible illegal duplication of encryption private keys, thus
helping to prevent illegal interception of communications. If these
certification procedures are not scheduled in the draft, people could
consider it as a reason for an additional lack of trust.

* Point 3: The think tank severely notes that "there is nothing scheduled
in the draft in the case of legal disputes ... between the user and the
third party." The litigation could erupt if the TTP gives up a users'
private keys to unauthorized parties (i.e., a competitor or a curious,
wiretapping official...).

Epilogue: The SCSSI says the final decree could be published by the end of
this month. Lambda personal bet: It might be published on Friday, December
27th. (The previous crypto legislation, in 1990, was passed as law on
December 29 -- and the decrees for it were officially signed in 1992, on
December 28.)

P.S.: The whole CLUSIF letter will be published in the French version of
this bulletin (check the Web site: http://www.freenix.fr/netizen)


* * * * *
Short Notes
* * * * *

* OECD update: The OECD draft guidelines of the crypto expert group have
been revealed in Austria. Check:
ftp://ftp.netsphere.co.at/Public/OECD/oecd.doc This is the document that
was amended during the September 26-27 meeting in Paris, thus there have
been changes since then. * EPIC conference proceedings: It's a long after
the event, but you can read the English version of a report on the crypto
conference EPIC organized in Paris on Sept. 25, on the eve of the OECD
meeting.
Check the Planete Internet Web site (English translation by K. N. Cukier):
http://194.51.213.12:80/interface/SendPage.exe?ID=389
* EF-Sverige: One Lambda subscriber advises people interesting in
cyber-rights in Sweden to check EF Sverige, independent from the US-based
organization (although, as for EF France and others, the EFF has given them
the right to use the name EF-Sverige. Check their web page at:
http://connectum.skurup.se/~annami/
EF-Sveridge was founded by two journalists: Anna-Mi Wendel
<annami@connectum.skurup.se>, the chairman, and Peppe Arninge
<journalist@peppe.pp.se>, a member of the board.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jerome Thorel 			Planete Internet
Journalist, Paris		Editor / Redac chef
thorel@netpress.fr		191 av A. Briand, 94230 Cachan
Tel: 33 1 49085833 - fax-31	www.planete-internet.com







Thread