ISTR 0803.qxd
13/11/2003
15:41
Page 23
tScheme – voluntary approval for certificate authority services
Abstract
This paper describes tScheme, the independent, industry-led, co-regulatory scheme for electronic trust services. A broad coalition of organisations representing users, service providers and technology suppliers from industry, trade bodies, consumer interest groups, government and elsewhere actively supports tScheme through their membership contributions and by sending delegates to its expert working groups. tScheme operates as a not-for-profit company limited by guarantee and owned by its members. Its governance ensures its openness, transparency and independence. It is self-funding from annual membership contributions, service approval fees and licence payments for the permitted use of its materials.
tScheme creates definitive documents — known as approval profiles — containing the criteria to which electronic trust services must operate if they are to adhere to known best practice. tScheme publishes these criteria and offers electronic trust service providers the opportunity to have their individual services assessed against the appropriate profiles. Services that meet the criteria and gain approval are able to indicate this by displaying the tScheme Approved Service mark, thereby encouraging user confidence. Service providers using the mark are bound by contractual terms covering continuing performance, redress and sanctions to ensure that good practice is maintained.
tScheme provides the co-regulatory environment that avoids the need for the UK Secretary of State for Trade and Industry to invoke his powers under Part I of the Electronic Communications Act 2000. tScheme also enables the UK government to fulfil certain obligations
under the European Directive for a Community Framework on Electronic Signatures. Through tScheme, the UK is demonstrating its leadership in creating an ideal environment for the growth of electronic commerce.
Part I: market factors
1 tScheme and risk perceptions
Users of electronic transactions are all too familiar with threats from viruses, worms, hackers and the like. However, far outweighing these threats are the benefits for the global business economy, given proper security measures. Currently, perceptions of risk overshadow visions of opportunity, creating an inertia that prevents proper comprehension of either.
tScheme is committed to a realistic, positive vision for the future, where secure identity management and authentication are the basis of a networked economy that will create enormous potential for growth. This is why tScheme is determined to promote best practice in the services that are evolving to address this vision, combining specialist expertise from the fields of cryptography and information security. Given their strong technical element, such services do not appear to be too promising to the average business user that is already struggling with real-world imperatives. Such services are therefore the focus of tScheme’s stringent assessment activities and grants of approval. tScheme approval means that, for the business user, the underlying technical complexity is replaced with a clear
1363-4127/03/© 2003, Elsevier Ltd
Dick Emery, Independent Director, tScheme
Stephen Upton, Chief Executive, tScheme
Richard Trevorah, Technical Manager, tScheme
PKI re-visited – current issues and future trends
assurance of service reliability. Wherever the tScheme Approved Service mark is displayed, it may be authenticated by simply clicking on the mark itself and, provided that the mark is genuine, it will link directly to the secure directory on the tScheme website, where full details of the grant of approval may be found. The tScheme approval criteria recognise that security depends as much — if not more — on human cultural factors as it does on technology. This is why tScheme’s best-practice criteria for electronic trust services include financial probity, good employment practices, clarity of liabilities, and proper management systems that, taken together, easily outnumber the technical factors. tScheme is also committed to bridging the gap between technical expertise and user needs. The ‘tScheme Guide to Securing Electronic Transactions’, which can be found on the tScheme website [1], is a simple guide that aims to enable senior business managers to understand better the opportunities presented by the whole field of digital security. After all, their active participation is essential if we are to reap the true benefits of a secure networked world.
2 Securing electronic transactions
There are several approaches in common use for securing electronic transactions. One popular approach employs a name (or other unique identification) and a PIN (personal identification number) that is secret and typically comprises four numeric digits. Sometimes a password replaces the PIN and typically comprises eight or more letters and numbers. However, a truly secure password — one that is not easy to guess or to discover by repeated trial — must be long and difficult to memorise.
PINs and passwords are therefore rarely found to be truly secure and, since each separate type of transaction is likely to depend on its own particular choice of name and PIN or password, this multiplies the problem of keeping track of all the secret values. The temptation is to record all the combinations on paper, further risking compromise. Hence, what appears to be a simple solution quickly turns into a potential nightmare and a security risk. The solution is to use one single unique identity — your real one — and one complex PIN, derived through cryptography, to create the basis of your own electronic signature. You can then use this for every transaction, without the need to commit it to writing for others to discover. Some websites, for example the UK government gateway, already encourage this approach and it is set to spread. The whole point of electronic signatures is to make the handling of identity both secure and convenient.
3 Electronic signatures
We sign things to show that we agree with them. This must apply to things that we agree electronically just as much as for things on paper. For an electronic transaction, we can use an electronic signature — sometimes known as a digital signature. But, for any form of signature to provide a reliable confirmation of an individual’s intentions, it must satisfy some very important tests:
• It must be uniquely and exclusively connected to the signer. We don’t want impersonation.
• It must attach correctly to what is being signed. We don’t want fraudulent re-use of old signatures on new documents.
• It must guard against later alteration of what has been signed. We don’t want deception.
Information Security Technical Report. Vol. 8, No. 3
Dick Emery, Stephen Upton, Richard Trevorah tScheme - Voluntary Approval for Certificate Authority Services
When correctly used, an electronic signature meets all of these tests. In fact, an electronic signature can actually provide greater confidence than an ink signature. Not only does it prove integrity, it also applies to every detail of the whole document signed, rather than simply to the last page. All of the above is simply achieved by expert services available at reasonable cost. These are known as ‘electronic trust services’ and can be used by any organisation to support the use of electronic signatures on all its sensitive documents. The benefits apply equally to documents and records exchanged within a ‘closed’ network community as they do to transactions conducted across ‘open’ public networks.
4 tScheme approval scope
Of course, technology is never the whole solution. Electronic signatures supported by electronic trust services ultimately depend on the way humans behave. Those who rely on a service expect and deserve high standards — and an electronic trust service provider should always be required to adopt current known best practice, as this is the only way that they can be certain that the service is reliable. However, this requirement in itself is not simple, as most people are not experts yet they need to find a way of judging whether a service does indeed follow best-practice criteria.
tScheme answers this need. It describes in public documents what expert practitioners consider to be current best practice for electronic trust services. It recognises independent experts who assess individual services against these published best-practice criteria. It then grants approval to those services that meet the criteria, provided that their suppliers agree to continue to operate to the same high standards. Only those
services may display the tScheme Approved Service mark. This means that any procurement or tender exercise for electronic signature services should always mandate or indicate a preference for tScheme service approval, since tScheme approval reduces the cost of evaluation and selection by ensuring transparency at all stages. There is also another significant benefit to organisations using approved services for their internal transactions. By extending service approval into the closed network as a recognised operational standard, for which the right to use a tScheme mark can be granted, the highest standards of assurance and best practice are demonstrated, while the reputation of the organisation is enhanced by a visible conformance to standards in fulfilling its key business governance responsibilities.
5 tScheme benefits: reputation and best practice
Organisations in the public eye — whether in the public or private sector — have a responsibility to pursue best practice. Their business reputations ultimately depend on demonstrating due commitment to corporate governance requirements through selecting, implementing and maintaining appropriate operating standards. This responsibility grows more challenging with the emergence of advanced business applications, where increasing levels of expertise are demanded even to define best practice.
One such advanced business application provides for secure electronic transactions, which are just as important in closed communities as they are when conducted with external organisations over insecure communications networks such as the public Internet.
In fact, electronic signature-based transaction methods, developed for the world of public networks to meet high standards of confidentiality, integrity and non-repudiation, are now available within closed community networks, where the same business needs arise. The introduction of secure transaction standards in closed networks is no longer an optional extra when facing a business audit — it is becoming essential to demonstrate that all reasonable steps have been taken, for example in securing the handling of employee, customer and all other confidential records, and in protecting business continuity. tScheme already offers a best-practice standard that can be used to test the security and integrity of an organisation’s internal transactions on the basis of electronic signatures. Compliance with tScheme approval criteria sends a strong signal to the outside world that, where confidential transactions are concerned, best practice is alive and well within the organisation.
6 tScheme and the EC Directive
Untold riches aside, the dotcom boom promised global competition, the death of distance and the compression of time. With the dotcom collapse the perceived riches have gone, but those other promises remain as tangible as ever. Whether in the public or private sector, there are still better deals to be made, costs to be reduced and delays to be eliminated through the exploitation of electronic transactions.
European leaders have acted to grasp this opportunity. The so-called Electronic Signatures Directive from Brussels [2] sets conditions for the widespread adoption of electronic transactions across Europe and beyond. Its
two primary aims are to stop member states creating barriers in the electronic single market and to ensure that member states create a well-ordered environment for the mutual recognition and legal acceptability of electronic signatures. The objective is to grow a seamless electronic single market that delivers economic and social benefits for European citizens and businesses. The Directive focuses on issues of security that affect the trust that we can place in electronic signatures. Is the party at the other end who they claim to be? Has someone read or interfered with my message? How can I prove to a court what we agreed if things go wrong? These are legitimate concerns, but electronic signatures, used the right way, solve them all. As allowed by the Directive, the DTI — on behalf of the UK government — has given notification to the EC of tScheme as a voluntary scheme. Those who make the EU model of electronic signatures work — often known as trust service providers or TSPs — can seek tScheme approval to demonstrate the trustworthiness of their services. tScheme also deals with other electronic signature models and services such as time stamping. In defining its sets of criteria to describe current best practice in electronic trust services, tScheme often extends what the Directive strictly requires. For example, the Directive requires the TSP to provide relevant information, on request, to those who rely on certification services offered by the TSP to vouch for electronic signatures. tScheme is much more specific about what this information should be and how it should be maintained, and requires that it is easily available. The result is that the Directive lays down broad requirements that TSPs must meet in
order to underpin the Directive’s specified form of electronic signatures. tScheme turns this into verifiable, best-practice criteria and defines a process for assessing services against these criteria. Those services that gain a tScheme grant of approval therefore clearly meet the standards required to satisfy the Directive.
7 Membership and approved service focus
Membership of tScheme is open to all, from individuals and sole traders to large corporations and government departments. The present membership represents those wishing to support the growth of reliable, secure electronic transactions. Over time, tScheme will extend its membership constituency as it engages the attention of those who represent the millions who will want a say in setting the trust standards on which they come to rely.
Future growth in approval submissions from electronic trust service providers depends on a number of factors. The two most important are the general growth rate of the electronic trust services market and the pace at which tScheme develops new approval profiles in response to service evolution. Market growth is particularly difficult to judge at a time when the electronic commerce market remains short of maturity and continues to evolve. This continuing market development, while defeating any attempt at precision, strongly indicates a broadening scope for tScheme in the coming years. Whilst the current number of identified potential approved services is numbered in no more than a few tens, the future possibility of many hundreds appears wholly plausible.
An up-to-date list of members, together with a secure Directory of Approved Services
and of current Registered Applicants, appears on the tScheme website [1].
8 Support for tScheme
Any organisation with an interest in the growth of electronic transactions, whether public or private sector, whether supplier or user, can become a supporting member of tScheme and contribute to its development. tScheme’s authority depends on its wide membership constituency, representing a broad range of interests. Ultimately, everyone stands to benefit from the growth of electronic transactions that are based on a secure and trustworthy foundation. Therefore every organisation, whether public or private sector, whether across closed or open networks, should use electronic signatures to secure its electronic transactions — and should seek approval against tScheme’s unique best-practice criteria.
Part II: tScheme focus
9 Background and formation of tScheme
In 1997, the UK government began consultation in the field that is now the subject of the Electronic Communications Act 2000. Throughout the consultation period, the private sector consistently pressed for industry-led self-regulation and, through the Alliance for Electronic Business¹, developed proposals for such a scheme, known as tScheme. Part I of the act outlines the process by which the Secretary of State would regulate the industry. However, if industry satisfies
the Secretary’s requirements, then the Secretary’s power to impose statutory regulation expires in 2005 through the ‘sunset’ clause in the Act. As the bill leading to the Act began its parliamentary stages, the Alliance distributed a prospectus for tScheme to all MPs [3], making it publicly available on 6 December 1999. Further work to demonstrate the viability in detail enabled ministers to cite tScheme in successive statements to Parliament. During the Lords’ second reading of the bill on 22 February 2000, Lord Sainsbury of Turville stated that, ‘The government’s preference is for self-regulation, which is well known, as is our involvement in the Alliance for Electronic Business’s tScheme. We are confident that the scheme can deliver.’
10 Aims and objectives of tScheme
tScheme provides a voluntary, industry-led, co-regulatory scheme that encompasses credible and effective criteria and procedures for the approval of trust services that relate to electronic commerce and other activities exploiting cryptography in information and communications technologies. tScheme does not seek to duplicate the work of other schemes working in neighbouring areas, for example relating to terms and conditions of consumer trade. tScheme exploits what already exists and focuses on the specialist needs of electronic trust service users and providers. Above all, tScheme seeks to attract the positive support of all those whom it serves, whether as users or providers of electronic trust services. In particular, tScheme seeks to:
• meet the needs of users (business, consumers and government) and providers of electronic trust services;
• work closely with government to help ensure that the UK is not only the best but also the most reliable place in the world to conduct electronic commerce;
• provide an effective voluntary approvals regime for cryptographic services, making it unnecessary for the government to bring into force Part I of the Electronic Communications Act 2000;
• provide accreditation and service enhancement functions for the purposes of fulfilling the requirements of articles 3.2 and 7.1(a) of the European Directive [2];
• work to ensure a supportive legislative and policy environment, within which voluntary regulation can work effectively;
• apply oversight with a redress capability, to enforce conditions of its approval; and
• demonstrate leadership in the adoption of business-led, market-driven, open standards.
11 Organisation
tScheme Ltd has been established in the UK as an independent, self-sustaining, not-for-profit company, limited by guarantee and employing its own professional staff. Each subscribing member has voting rights. Membership is open to anyone, individual or corporate, subject only to minimum safeguards. To the maximum practical extent, tScheme publicly discloses its proceedings, decisions and documents as a guarantee of its openness and independence. The set of bodies that constitute the structure of tScheme can be divided into three groups:
• Governing Group — This is responsible for the overall operation of tScheme, including the development of its constitution, its financial health and its continuing independence and openness. Two governance bodies operate:
(i) The Members in General Meeting, which allows the entire subscribing membership to elect the officers and to exert their collective views on the actions and plans of the organisation.
(ii) The Board and its Committees which, through delegated authority from the members, are responsible for tactical and strategic direction within the overall policies approved by the members. The board comprises elected directors, independent directors appointed annually by the elected members, and a chief executive ex officio. In addition, UK government is represented through a DTI observer and a Cabinet Office representative, who sit on the board as non-voting members. There are annual elections with rotating resignations based on a maximum of three-year terms. The board appoints committee members.
• Expertise Group — This is primarily responsible for the development and maintenance of the technical aspects of tScheme. The key body within this group is the Profiles and Processes Committee. This is responsible for developing and managing the set of Approval Profiles that define the best-practice criteria against which tScheme approves trust services. This body is made up of technical representatives from the members. It can establish working groups with appropriate expertise to undertake specific activities — say, developing a new profile — as is necessary to maintain an appropriate set of Approval Profiles as services continue to evolve.
• Secretariat — This is the permanent resource that supports the day-to-day operation of tScheme. The secretariat also facilitates the functioning of the bodies within the other two groups.
12 Processes and procedures
12.1. Profiles — concept, development and maintenance
The Expertise Group develops Approval Profiles (normally known as profiles) as the basis for assessing an electronic trust
service when its provider applies for its approval under tScheme. Each profile defines the minimum set of qualifying criteria that an electronic trust service, as offered by a specific provider, must meet in order to gain approval. The set of criteria covers five general categories: organisational, personnel, physical, legal, and technical. Wherever possible, tScheme does not itself develop standards to support the approval process. It identifies suitable existing standards against which compliance provides sufficient evidence of good practice in the chosen aspect, such that business and individual users can commit their trust. Both members and non-members of tScheme can submit proposals for the development of new profiles. A key objective of tScheme is not to extend existing market standards unnecessarily. To that end, tScheme’s approach is to recognise evidence of prior qualification as far as possible, for example where this arises from approval or accreditation under another regulatory regime or peer scheme. Moreover, tScheme may accept any of a range of qualifications as evidence to satisfy appropriate criteria, so long as such evidence is derived through equivalent rigour, including independent assessment. This allows sector-specific qualifications as satisfactory evidence in meeting certain approval criteria, for example regulation by the Financial Services Authority.
12.2. Approval process
The process for approving a service involves a number of discrete steps:
1. tScheme develops, authorises and publishes a collection of approval profiles, containing best-practice criteria defined by its expert contributors;
2. an independent organisation — UKAS² in the UK — working with tScheme accredits suitably qualified assessors for the given profile collection;
3. tScheme then enters into an agreement with the assessor governing its use of tScheme material and, as a result, it becomes tScheme-recognised;
4. a service provider, intending to submit one of its services for approval, provides initial details of the service and a proposed timescale for its assessment to tScheme, thereby attaining registered applicant status;
5. the service provider engages a tScheme-recognised assessor to audit one of its services against the appropriate profiles, and receives an assessment report that certifies compliance with the appropriate criteria plus other information relating to the assessed service;
6. the service provider applies to tScheme for a formal grant of approval, citing the assessor’s report and certification of compliance;
7. tScheme’s Approvals Committee³ considers the assessment report and, if satisfied, invites the service provider to sign an agreement that covers the service provider’s use of the relevant tScheme mark, the attendant conditions and the related fees;
8. the service provider signs the agreement and then displays the tScheme Approved Service mark against the approved service for the period of its contract with tScheme, thereby indicating to its service users that the service conforms to standards that are deserving of trust; and
9. the service provider periodically completes independent reassessment of its service against the then current profile criteria, and hence applies to tScheme for renewal of the service approval.
12.3. Redress and sanctions
On-going conformity is assured through periodic re-assessment plus a provision for random audits, as deemed necessary. The grant of approval agreement binds the service provider to remedy failures and to commensurate sanction procedures for failing to act. The possible penalties include orders for immediate correction, redress for those injured, and termination of approval rights. Those found to have breached their obligations have rights of appeal, as specified in their grant of approval agreement.
tScheme encourages those who discover or suffer breaches of trustworthy behaviour to report their findings for investigation and action. The reputation of tScheme depends on its timely and vigorous response to any issues arising from user reliance on the services to which it grants approval.
13 Finance
tScheme recovers its operational costs through the following sources of revenue:
• Fees on grant of approval and for the renewal of existing approvals against a published schedule. There are also licence fees that are gathered from assessors for their use of the profiles during audits.
• Annual contributions from members, at a level appropriate to their type of organisation. In particular, commercial service providers and technology suppliers contribute substantially more than trade or consumer associations.
• Occasional charges and commissions from related activities, as agreed by the board: for example, royalties from licensing the use of tScheme’s profile and process documentation or methodology by peer regulatory bodies outside the UK.
The tScheme board is responsible for setting the levels of fees, contributions and charges so that its income covers its operating costs. tScheme must be, be seen to be, and continue to be financially and operationally independent from any individual or interest group, in order to protect its own neutrality. tScheme does not pay dividends, but rather uses any operating surplus to improve its effectiveness or to abate fees, charges or contributions.
14 National and international relationships
tScheme’s design and structure attempts to minimise overlap with, and to make maximum use of, the work of other regulatory and standards bodies, both in the UK and internationally. Within the European context, tScheme has gained recognition as a voluntary accreditation scheme for certification service providers for the purposes of Article 7.1(a) of the Directive [2]. Its industry-led rather than national statutory basis makes it attractive as an approval body for providers that are based in other countries, including other member states of the European Union.
One aim of tScheme is to grow relationships beyond the UK’s borders, on the basis that many trust service providers wish to operate internationally. This also serves to engender consumer trust in cross-border transactions. tScheme converses with equivalent organisations across Europe, with a view to extending co-operation and mutual recognition. tScheme’s readiness to accept into its profile criteria existing standards mandated by other bodies aids in creating the desired inter-locking systems of mutual recognition across Europe and elsewhere. To this end, tScheme is currently playing a leading role in the creation of
an international common interest group known as ViTAS (Voluntary Trust Approvals Schemes) [4]. The objective is to work toward a shared Code of Practice that will enable appropriate evidence of service approval granted under one scheme to be recognised by the other participating schemes. This is important in encouraging the growth of consistent approval criteria and service best practice, and in avoiding the potential fragmentation of approval schemes. Such fragmentation would prove entirely counter to the intention of the Directive itself, by creating new barriers that inhibit the use of electronic transactions as a key driver for the growth of cross-border trade.
15 tScheme summary
tScheme is the industry-led, not-for-profit, co-regulatory organisation that is working to establish best-practice criteria in the electronic trust services market and to grant approvals to services that meet those criteria. An independent voluntary approvals body, tScheme has the full backing of the UK government in its mission to protect the interests of those who use and rely on electronic trust services to support their electronic transactions.
The company, limited by guarantee, was formally established in May 2000 following a lengthy period of discussion with ministers. Its objectives were formally acknowledged in a parliamentary announcement that confirmed tScheme as the government’s preferred option in meeting Part I of the Electronic Communications Act 2000. DTI officials have notified tScheme to the European Commission as a voluntary scheme within the terms of the EC Directive on Electronic Signatures [1999/93/EC].
During 2003 the accumulated investment made by members since 1999, including financial contributions and the provision of expert resources, reached a total estimated at £2m, of which government has contributed around 5%. tScheme now has five services under approval. This number should increase before the end of 2003. A number of the current approved services are now in the second year of approval. There is now no doubt about the effective functioning of the scheme and its potential contribution to the international growth of secure electronic transactions. This article describes the situation that pertains at the time of writing (September 2003). Meanwhile, the development and growth of tScheme continues.
16 tScheme members in 2003
ACCA (the Association of Chartered Certified Accountants)
APACS (the Association of Payment Clearing Services)
Baltimore Technologies
Barclays Bank
British Chambers of Commerce
BT
CBI
e-CentreUK
Experian
Hitachi (Tokyo)
IBM
Institute for Information Industries (Taiwan)
Intellect
Lloyds-TSB
Microsoft
Royal Mail
The Royal Bank of Scotland Group
Vodafone

Part III: origins and legal context
17 Trust Services Association
In the first half of 1997, a working party of the Federation of the Electronics Industry (FEI) conceived the idea of a ‘trust services association’. The working party promoted the idea to other trade associations such as the Computer Services and Software Association (CSSA) and other interested parties. In the second half of 1997, the FEI joined with the CSSA, the Confederation of British Industry (CBI), the Direct Marketing Association (DMA) and e-CentreUK to form the Alliance for Electronic Business (AEB). The AEB adopted the FEI concept and presented its developing ideas to the Department of Trade & Industry (DTI) and other government departments in February 1998. The associated paper hand-out for the presentation stated:

“The Alliance proposes that the following be enacted with immediate effect:
Dick Emery, Stephen Upton, Richard Trevorah tScheme - Voluntary Approval for Certificate Authority Services
Establishment of a UK Trust Services Association. The core proposal of this document is that industry-led bodies could act as voluntary regulators of trust services. Specifically, the Alliance proposes to register in England a private limited company ‘Trust Services Association Limited’ (TSA) as one such regulator.

The Articles of Association of the TSA will limit membership to companies, registered anywhere, that:
— offer trust services from anywhere to the UK public (where ‘public’ includes governments, businesses and citizens), or intend to do so; or
— offer trust services from the UK to the public anywhere, or intend to do so.

The objectives of the TSA will be:
— to establish a policy for the offering of trust services to the public in the UK;
— to establish a policy for the offering of trust services to the public from the UK;
— through exercise of powers given to it under its rules, to enforce the implementation of trust services policies by TSA members;
— to establish with equivalent organisations in other countries a Global Trust Services Federation (GTSF), to coordinate policies, rules, powers and legislation on a global basis; and
— to promote and publicise the policies it has established.”
18 Electronic Communications Act
During 1998 and 1999 the DTI, on behalf of the government, repeatedly consulted on proposed legislation relating to the regulation of e-commerce, cryptography and related issues. Over the period, the DTI’s attempts to conflate the encouragement of a trustworthy regulatory framework with the control of the use of strong cryptography and the suspected threat of mandatory key escrow weakened under pressure from all sides of industry. By mid-1999, the DTI had brought forward the Electronic Communications Bill, which left aside contentious law enforcement issues for the later Regulation of Investigatory Powers Bill. In May 2000, the Electronic Communications Bill received royal assent and passed into law as the Electronic Communications Act 2000.

Part I of the act deals with ‘Cryptography Service Providers’, which it defines as:

“any service which is provided to the senders or recipients of electronic communications, or to those storing electronic data, and is designed to facilitate the use of cryptographic techniques for the purpose of:
(a) securing that such communications or data can be accessed, or can be put into an intelligible form, only by certain persons; or
(b) securing that the authenticity or integrity of such communications or data is capable of being ascertained.”

This definition is slightly narrower than the one used by tScheme, but it is nevertheless a good approximation to tScheme’s stated focus. Part I makes it the duty of the Secretary of State (for Trade and Industry for the present) ‘to establish and maintain a register of approved providers of cryptography support services’. In turn ‘the Secretary of State has to secure that there are arrangements in force for granting approvals to persons who are providing cryptography support services in the United Kingdom’. And then it requires that the condition that must be fulfilled before an approval is granted to any person is that:

“The Secretary of State is satisfied that that person:
(a) will comply, in providing the services in respect of which he is approved, with such technical and other requirements as may be prescribed;
(b) is a person in relation to whom such other requirements as may be prescribed are, and will continue to be, satisfied;
(c) is, and will continue to be, able and willing to comply with any requirements that the Secretary of State is proposing to impose by means of conditions of the approval; and
(d) is otherwise a fit and proper person to be approved in respect of those services.”

However, the government said that it would prefer to see an industry-led approvals process instead of the statutory scheme envisaged in Part I of the act. This then is part of tScheme’s purpose. The government also said that it would not commence Part I of the act if it continues to be satisfied that tScheme meets the government’s objectives. This is enacted by the appearance at the end of the act of the ‘sunset’ clause, which provides that ‘If no order for bringing Part I of this Act into force has been made under subsection (2) by the end of the period of five years beginning with the day on which this Act is passed, that Part shall, by virtue of this subsection, be repealed at the end of that period’.

The ‘sunset’ clause appeared in the bill as a result of consistent industry lobbying. Most parts of industry with a stake in regulation were uniformly concerned that a government-created and operated regime would be bureaucratic, ponderous and burdensome. The DTI accepted that industry should have its chance to create its own regime, allowing the government to judge the result. During the passage of the bill, ministers repeatedly identified tScheme as the industry-led, self-regulatory scheme that would leave Part I to languish.
Therefore Part I of the Electronic Communications Act is currently NOT in force, although those wishing to gain a flavour of what the government continues to expect from tScheme should consult that text.
19 tScheme constitution
During 1999, the Trust Services Association concept turned progressively into tScheme. In early 2000, the first substantial shape began to emerge from 1999’s extended deliberations. The first document to receive full publication was the tScheme briefing in April 2000. This described tScheme as ‘a nonstatutory, self-regulating scheme encompassing credible and effective systems and procedures for the approval of trust services relating to electronic commerce and other activities exploiting cryptography in information and communications technologies’. The briefing continues:

“In particular, tScheme will:
— meet the needs of users (business, consumer and government) and providers of electronic trust services;
— provide an effective voluntary approvals regime for cryptographic services, making it unnecessary for the government to bring into force Part 1 of the impending Electronic Communications Act;
— provide accreditation and supervisory functions for the purposes of the European Directive;
— work to ensure a supportive legislative and policy environment, within which nonstatutory regulation can work effectively;
— apply oversight with a redress capability, to enforce conditions of approval; and
— be a leader in the adoption of business-led, market-driven, open standards.”

During the remainder of 2000, a team developed tScheme’s formal constitution — the Memorandum and Articles of
Association. Although substantially completed before the end of 2000, adoption followed in early 2001. The Memorandum lays down tScheme’s objectives. The key points in the otherwise long list of objectives are:

“To promote and enhance trust and confidence in the execution of commerce, commercial and other transactions by electronic means (‘Electronic Commerce’), in the United Kingdom and elsewhere, which use services for:
(a) establishing the identity and other attributes of participants in electronic commerce;
(b) ensuring the privacy and integrity of data in the course of electronic commerce;
(c) implementing, operating and managing cryptography-based support functions and facilities relating to electronic commerce, including but not limited to key generation, time stamping, key recovery, certificate management and secure data storage; or
(d) executing such other functions and facilities as enable and enhance the reliability and trustworthiness of electronic commerce;
together known as ‘Electronic Trust Services’.
• To nurture and promote trustworthy codes of conduct and reliable standards of performance for the provision of Electronic Trust Services.
• To promote and facilitate … the growth and adoption of Electronic Trust Services and the sustainability of those who provide Electronic Trust Services or who contribute materially to enabling others to provide Electronic Trust Services (the ‘Electronic Trust Services Industry’).
• To establish and support credible and effective systems of self-regulation for the provision of Electronic Trust Services that will meet the reasonable expectations of businesses, consumers, government and all other users and beneficiaries of Electronic Trust Services.
• To establish, maintain and publish standards … and other criteria for the achievement of reliable, trustworthy operation of Electronic Trust Services and to promote adherence to these by their providers through a voluntary approvals system.”
20 tScheme’s current focus
Notwithstanding a wide selection of articles, conference presentations and other material published in tScheme’s name, nothing further of an authoritative nature has been circulated or published that supersedes any aspects of tScheme’s original mission and objectives.
21 References
[1] www.tscheme.org
[2] Directive 1999/93/EC of the European Parliament and of the Council, of 13 December 1999, on a Community framework for electronic signatures, (O.J. L13/12 19.1.2000 p.12)
[3] The tScheme Prospectus, Version 2.0a, dated 6 December 1999
[4] Details of current working documents and forthcoming events can be found in the ViTAS pages of the tScheme website: www.ViTAS-cig.org
1 A grouping of trade associations promoting the take-up of electronic business in the UK, the members being the Confederation of British Industry, the Direct Marketing Association, e-CentreUK and Intellect (formerly the Computer Services and Software Association and the Federation of the Electronics Industry).
2 The United Kingdom Accreditation Service.
3 The tScheme board appoints the committee members to ensure commercial independence. In particular, no one who is or who represents an electronic trust service provider may sit on the Approvals Committee.