Overview of the Administration Proposal

• Acknowledges the importance of encryption and the need for a public key infrastructure (PKI) -- The proposal reaffirms the importance of encryption and the emerging need for a system to certify public encryption keys. Such a "public key infrastructure" would allow users to certify to other users that their public keys in fact belonged to them, allowing the keys to be used and trusted for encrypted commerce and communication. Without such a system, "users cannot know with whom they are dealing on the network, or sending money to, or who signed a document, or if the document was intercepted and changed by a third party."¹
  
  
• Establishes a complex new Key Management Infrastructure (KMI) -- The proposal would form a new public key infrastructure to tie encryption users to their public keys. The KMI would establish new certification authorities that would guarantee -- and be held liable for -- the identity of a public key. The new entities proposed under the Administration plan include:
  
  
  • Certification Authorities (CAs) - to identify and issue certificates to users;
  • Escrow Authorities (EAs) - to hold private key information as required; and
  • Policy Approving Authorities (PAAs) -- overarching bodies, possibly under governmental control, responsible for certifying trusted escrow authorities.
  
  
• Requires key escrow as a condition of participation in the new public key infrastructure -- In order to participate in the new Key Management Infrastructure, users would be required to ensure law enforcement access to encrypted information. "One condition of obtaining a certificate is that sufficient information (e.g., private keys or other information as appropriate) has been escrowed with a certified escrow authority to allow access to a user's data or communications."² The escrow agent could be the certification authority or another third-party, so long as they meet "minimum standards" including "performance criteria to meet law enforcement's needs." Self-escrow would also be allowed for entities that meet certain unspecified "necessary performance requirements."
  
  
• Relaxes export controls for key escrow products as in Clipper II -- The proposal would "continue and expand" the NIST "Clipper II" export control provisions proposed this fall, allowing 64 bit software/80 bit hardware exports to any destination if keys are escrowed in the U.S. or if the U.S. has a bilateral escrow agreement. Other exports to certain markets would be considered, upon case-by-case review and under certain conditions. Key length limits would presumably expand as law enforcement confidence in the key escrow authorities grew.

Critique and Areas of Concern

• It makes key escrow a precondition for participation in the public key infrastructure - Other than law enforcement access, there is no reason the public key infrastructure must store private keys. On the contrary, the essential breakthrough of public key cryptography is the ability it gives users to share public key information and partake fully in authenticated, secure communications without revealing any private key information to third parties. Data recovery -- the ability to recover encrypted data if a private key is lost -- is the main rationale presented for key escrow. However, data recovery can be done independently of the public key infrastructure if desired, and in a more secure manner.
  
  
• It is not voluntary -- Though participation is theoretically "voluntary," under Clipper III users will have no choice but to escrow their keys or forego participation in the Information Age economy. The proposal itself calls the key infrastructure a "basic and entirely essential foundation." To participate, users will need to escrow their keys; if they choose not to participate in the KMI, users will be unable to obtain the essential certifications that the Administration foresees as being the standard for secure electronic communications and commerce.
  
  
• It targets domestic users -- While export controls have ostensibly been aimed at controlling the use of encryption by foreign users, the Clipper III proposal is clearly aimed at domestic users of encryption.
  
  
• It leaves international key exchange problems unresolved -- Without a system of international agreements, interoperability is at risk. The same encryption and/or authentication scheme exportable to Germany or France might not be exportable to India or China in the absence of appropriate bilateral agreements. Bilateral agreements raise their own issues: under what standards will keys be released to foreign governments, especially those with no tradition of Fourth Amendment search and seizure protection?
  
  
• It contains no key escrow privacy provisions -- The Administration proposal only tangentially addresses the privacy problems posed by key escrow systems. As others have already noted in the encryption policy debate, any key escrow system (even if voluntary) raises issues regarding the need for: liability rules for unauthorized key disclosures by escrow agents; standards for law enforcement access; auditing requirements for escrow agents; and guidelines for decryption information access.⁴ Clipper III contains no such standards or guidelines.
  
  
• It compromises network security by encouraging storage of private key information -- Clipper III requires the accumulation of private keys or other decryption information in dangerous and vulnerable points-of-failure -- the escrow agents. At the same time as it seeks to design a secure infrastructure, the proposal builds enormous new vulnerabilities into the system.
  
  
• It is not responsive to years of feedback from industry and policy advocates --The proposal answers few of the concerns repeatedly raised by privacy advocates or industry. It reflects a policy-making process still driven by national security and law enforcement concerns rather than the privacy needs of individuals and the security needs of the online economy.

Conclusion

Footnotes