From: ulf@fitug.de (Ulf =?iso-8859-1?Q?M=F6ller?=)
Date: Fri, 10 Oct 1997 04:24:20 +0800
To: cypherpunks@toad.com
Subject: Re: EU Rejects GAK
In-Reply-To: <9710091554.AA41750@public.uni-hamburg.de>
Message-ID: <m0xJOr2-0003bcC@ulf.mali.sub.org>
MIME-Version: 1.0
Content-Type: text/plain



> ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION

Sorry, I got the URLs wrong, and for some reasons the interesting
parts of the summary got cut off.

http://www.ispo.cec.be/eif/policy/97503exec.html

   ENSURING SECURITY AND TRUST IN ELECTRONIC COMMUNICATION
   
     Towards A European Framework for Digital Signatures And Encryption
                                      
                             EXECUTIVE SUMMARY
                                      
   Introduction
   
   Open electronic networks such as the Internet are increasingly being
   used as a platform for communication in our society. They have the
   capacity to create new businesses, new channels of distribution and
   new methods of reaching the customer. They also open up opportunities
   to re-engineer business conduct itself. It is now largely expected
   that electronic commerce will be one of the key drivers for the
   development of the global information society. Electronic Commerce
   presents the European Union with an excellent opportunity to advance
   its economic integration by means of a "virtual" economic area.
   
   However, the realisation of such developments are hampered by the
   noticed insecurities typical to open networks: messages can be
   intercepted and manipulated, the validity of documents can be denied,
   personal data can be illicitly collected. As a result, the
   attractiveness and advantage of electronic commerce and communication
   cannot be fully exploited.
   
   In order to make good use of the commercial opportunities offered by
   electronic communication via open networks, a more secure environment
   needs to be established. Cryptographic technologies are widely
   recognised as essential tools for security and trust on open networks.
   Two important applications of cryptography are digital signatures and
   encryption.
   
   Several Member States announced their intentions to introduce specific
   regulation on cryptography and some already have done so. For
   instance, Germany and Italy already moved ahead with digital signature
   laws. In other Member States internal discussions are taking place,
   and some tend to refrain, at least for the moment, from any specific
   regulation at all.
   
   Divergent and restrictive practices with regard to cryptography can be
   detrimental to the free circulation of goods and services within the
   Internal Market and hinder the development of electronic commerce. The
   European Union simply cannot afford a divided regulatory landscape in
   a field so vital for the economy and society.
   
   The main objectives of this Communication are to develop a European
   policy in particular with a view to establishing a common framework
   for digital signatures, ensuring the functioning of the Internal
   Market for cryptographic services and products, stimulating a European
   industry for cryptographic services and products and stimulating and
   enabling users in all economical sectors to benefit from the
   opportunities of the global information society. As far as timing is
   concerned, the Commission considers that appropriate measures ought to
   be in place throughout the Union by the year 2000 at the latest. As a
   consequence, the Commission intends to come forward with detailed
   proposals in 1998 after the assessment of comments on this
   Communication.
   
   This is in line with the April 1997 adopted Communication on
   Electronic Commerce, where the Commission announced the intention to
   prepare a policy aiming at guaranteeing the free movement of
   encryption technologies and products, as well as to propose a specific
   initiative on digital signatures.
   
   Digital Signatures
   
   Some Member States are in the process of introducing voluntary
   schemes, others of mandatory licensing schemes to build trust in
   Certification Authorities (CAs) and to encourage legal recognition of
   digital signatures. Whilst the development of a clear framework is
   welcomed, different national regulatory approaches and the lack of
   mutual recognition of each others regulatory requirements may easily
   lead, due to the inherent cross-border nature of digital signatures,
   to a fragmentation of the Internal Market for electronic commerce and
   on-line services throughout the Union.
   
   In order to stimulate electronic commerce and the competitiveness of
   the European industry as well as to facilitate the use of digital
   signatures across national borders, a common legal framework at
   Community level is urgently needed. Any regulation in the field of
   digital signatures must meet two main requirements: create a clear
   framework to build trust in digital signatures on one side and be
   flexible enough to react to new technical developments on the other
   side.
   
   Encryption
   
   Stimulated by the rapid expansion of the Internet encryption will
   become an integral part of personal and business computing. Electronic
   commerce as well as many other applications of the information society
   will only receive acceptance and will only unfold their economic and
   social benefits if confidentiality can be assured in a user-friendly
   and cost-efficient way. In open networks, encryption of data is very
   often the only effective and cost-efficient way of protecting
   confidentiality of data and communications.
   
   Law enforcement authorities and national security agencies are
   concerned that wide-spread use of encrypted communication will
   diminish their capability to fight against crime or prevent criminal
   and terrorist activities. For this reason, there are reflections in
   several Member States to establish regulation on cryptography, in
   addition to controls on export and intra-Community shipments. This has
   led to a discussion about the need, technical possibilities,
   effectiveness, proportionality and privacy implications of such
   regulations.
   
   However, nobody can be effectively prevented from encrypting data
   (criminals or terrorists also can use encryption for their
   activities), e.g. by simply downloading strong encryption software
   from the Internet. As a result restricting the use of encryption could
   well prevent law-abiding companies and citizens from protecting
   themselves against criminal attacks. It would not however prevent
   totally criminals from using these technologies.
   
   Proposals for regulation of encryption have generated considerable
   controversy. Industry expresses major concerns about encryption
   regulation, including key escrow and key recovery schemes. Although
   there is a lack of experience, as electronic communication and
   commerce have just begun to penetrate economy and society, this
   Communication makes some assessments to build a common European
   understanding of the subject.
   
   Policy actions in the area of digital signatures
   
   The at European level urgently needed framework should include common
   legal requirements for CAs (in particular common requirements for the
   establishment and operation of CAs) allowing certificates to be
   recognised in all Member States.
   
   In addition, the Commission will monitor the legal developments in
   Member States introducing new legislation with the aim to respect
   Internal Market principles and will encourage Member States to rapidly
   implement appropriate measures to build trust in digital signatures.
   
   In order to achieve as wide as possible acceptance of digital
   signatures Member States should co-ordinate activities to ensure legal
   recognition of digital signatures at the latest by the year 2000. The
   Commission will evaluate the necessity to provide for the legal
   recognition of digital signatures at Community level by harmonising
   different national regulation (e.g. form requirements, evidence
   rules).
   
   The Community and Member States should take part in or initiate a
   dialogue with international organisations, such as the OECD, the
   United Nations and the WTO, notably to establish common technical
   standards and mutual recognition of regulations.
   
   Policy actions in the area of encryption
   
   The EC Treaty and the Treaty on the European Union fully respect the
   competence of Member States with regard to national security and law
   enforcement.
   
   To ensure that the development of electronic commerce in the Internal
   Market is not hindered and to facilitate the free circulation and use
   of encryption products and services the Commission calls upon Member
   States to avoid disproportionate restrictions. Moreover the Commission
   will examine whether restrictions are totally or partially justified,
   notably with respect to:
   
     * the free circulation provisions of the Treaty, in particular
       Articles 30, 36, 52, 56 and 59,
     * the principle of proportionality,
     * the Council Directive 83/189/EEC of 28.3.1993 laying down a
       procedure for the provision of information in the field of
       technical standards and regulations and
     * the EU Directive 95/46/EC of 24.10.95 on the protection of
       personal data.
       
   The Commission also believes that it will be important for Member
   States to distinguish "digital signature services" from "encryption
   services", because different rules and different goals separate these
   two aspects.
   
   Additional measures:
   
     * Adapting the Dual Use Regulation (CE) 3381/94 in view of the
       requirements for the cryptographic products market;
     * Improving the co-operation of police forces on a European and
       international level;
     * Working towards international agreements between the Community and
       other countries because of the global dimension of electronic
       communications and commerce.
       
   Accompanying measures
   
     * Encouraging industry and international standards organisations to
       develop interoperable technical and infrastructure standards for
       digital signatures and encryption to ensure secure and trustworthy
       use of networks.
     * Proposal of a Council and Parliament Decision for an INFOSEC II
       programme building on the INFOSEC programme carried out from 1992
       until 1994. Such a programme would aim at developing overall
       strategies for the security of electronic communications, in
       particular with a view to provide the user with appropriate
       protection systems.
     * Continuing of the current projects in the field of digital
       signatures and encryption within the 4th framework programme for
       Community activities in the field of research and technological
       development (1994 - 1998) and launching of new projects within the
       5th framework programme (1998 - 2002).
     * Support of the use of digital signatures and encryption in EU
       services and government administrations.
     * Setting up of an European Internet-Forum in 1997 as a means to
       inform and exchange information on the regulatory and use aspects
       of digital signatures and encryption.
     * Organisation of an international hearing on "digital signature and
       encryption" beginning of 1998.
       
   Timeframe
   
   4.Q./1997: European Internet-Forum
   
   4.Q./1997: Commission proposal to amend the Dual-Use Regulation
   
   1.Q./1998: International hearing
   
   1.Q./1998: Assessment of the comments on the Communication, the
   results of the Internet-Forum and the international hearing
   
   2.Q./1998: Proposal for further action (e.g. Directive on digital
   signatures)
   
   2.Q./1998: Proposal for an Infosec II programme
   
   1998-2002: Projects within the 5th framework programme
   
   by 2000: Common framework on cryptography put in place throughout the
   Union