Information Security Technical Report, Vol. 1, No. 1 (1996) 1-3

Introduction

Gary Hardy, Director of Consultancy, Zergo Ltd.

This issue of the Information Security Technical Report concentrates on the topic of trusted third parties or “TTPs”.

The dramatic growth in networking to support information systems, combined with the globalization of world economies and business practices, has resulted in an ever increasing demand for electronic exchange of information. The availability of open interoperable systems and high performance telecommunications networks has created unparalleled opportunities for radical changes in the way information can be exchanged.

The potential for electronic commerce is real at last, and future developments are likely to affect drastically the way businesses will conduct trade and process financial transactions. In the last two to three years alone the growth in the use of the Internet has shown that there will be a dramatic impact on banking practices, trading behaviour, and the ways in which commercial organizations operate their businesses. The information technology industry itself has responded with a new age of software companies, network service providers, and new tools able to exploit the network infrastructure that is now available. Governments and industry wish to exploit this technology to enable businesses to maintain competitiveness in national, regional and world markets. However, industry will only use the technology if risks are managed, and therefore sophisticated controls are required to support these activities.

Public services and social services will also be affected in a very significant way. The opportunity to process personal data electronically across networks will be irresistible. The benefits of placing electronic medical records, social support information, and masses of data needed to support governmental and community activities on networks are potentially so great that issues of privacy and integrity will have to be overcome.

The information security industry will need to tackle probably the biggest set of challenges it has ever faced in its relatively short lifetime to support all of these initiatives. If true electronic commerce is to be accepted, all of the parties involved will need to feel confident about the security arrangements. In particular, there will be a demand for effective authentication and non-repudiation services. The need to protect the confidentiality of commercial as well as personal information over international networks will also have to be met. Intermediaries will also be required as part of the national and international electronic network infrastructure, to support the information flow between multiple parties, and in many cases to provide trusted controls.

In the past, a whole host of organizations have developed to support the traditional way information and transactions are exchanged and processed. These have included banks, post offices, chambers of commerce, company registers, solicitors and notaries public. In the new age of electronic commerce, a new age of intermediaries will be created. In the world of electronic messaging these kinds of organizations are becoming known as trusted third parties (TTPs).

TTP functions will be wide ranging as more and more services become available. In the global marketplace the organization of TTPs will be complex and sophisticated.

0167-4048/96/$15.00 © 1996, Elsevier Science Ltd

The provision of security services will require the use of cryptographic techniques, and sophisticated key management schemes. In many parts of the world, major initiatives are being undertaken, by governments and commerce, to examine how these security technologies can be implemented in ways that are acceptable to all the parties - particularly the law enforcement agencies, national governments, and industry. Much of the demand and drive is coming from industry, and governments can help enable the kind of trans-national infrastructures that will be required.

A balance will need to be found between the needs of law enforcement agencies and the freedom of individuals and commercial organizations. TTPs and key escrow are not synonymous - TTPs will provide a wide range of services. However, where licensed, regulated TTPs are set up by governments, it is likely that governments will want key escrow to be included.

Open debate and discussion are required to make sure that solutions are found that will be effective in practice and meet the needs of all the interested parties. The articles in this Report examine all these issues in more detail, and describe some of the practical experiences gained in recent years.

A secure TTP infrastructure will enable trust to be provided between parties, sensitive key information to be properly managed, and, it is hoped, facilitate justified access by government agencies under controlled conditions. Protection against fraud, information misuse and abuse, and prevention of illegal drug, money laundering and other criminal activities can also be enhanced by an effective TTP network. Of course, there are many issues beside security that will also need to be addressed, including legal, regulatory and commercial practices. This Report concentrates only on the security aspects, and aims to raise the awareness and understanding of these issues.

The Report covers the following topics. An overview of what TTPs are, who might operate TTPs, and examples of some of the services that might be provided is given by John Leach of Zergo.

The corporate business case is provided by Pieter Van Dijken of Shell.

A US perspective on the requirement is covered by Nanette Di Tosto with Barbara Baracks of CertCo.

The two central issues of ethical rights and the needs of law enforcement agencies are dealt with by David Herson of the European Commission.

Recently announced proposals by the UK’s Department of Trade and Industry are described by Nigel Hickson of the DTI.

Three articles describe practical experiences and two pilot projects. Andrew Edwards of Bolero Services describes electronic bills of lading, and Richard Winsborrow of Sema Group O_.U3, describes an electronic business register. Jan Van Auseloos of S.W.I.F.T., describes the kind of responsibilities required of a TTP based upon the experiences of an existing closed group TTP that supports worldwide electronic funds transfers.

The final part of the report takes a more technical look at how TTP technology might operate. Peter Landrock of Cryptomathic, Aarhus University, Denmark, provides a model for TTP service provision and Chris Mitchell, Royal Holloway, University of London, describes the security proposed in the “Royal Holloway TTP-based key escrow scheme” which could be used to support TTP services.

All of the articles in this report represent the views of the authors and not necessarily the views of the organizations that they represent.