Brian O'Higgins
Executive VP and CTO
Entrust Technologies
750 Heron Road, Suite 800
Ottawa, Ontario K1V 1A7

April 21, 1998

Helen McDonald
Director General, Policy Development
Task Force on Electronic Commerce,
Industry Canada
20th floor, 300 Slater Street
Ottawa, Ontario K1A OC8

Subject: Entrust Technologies Ltd. Response To "A Cryptography Policy Framework for Electronic Commerce - Building Canada's Information Economy and Society"

Dear Ms. McDonald,

I am writing on behalf of Entrust Technologies Ltd. in reference to your call for industry commentary on the discussion paper entitled "A Cryptography Policy Framework for Electronic Commerce" which is currently available on the world-wide web at http://strategis.ic.gc.ca/crypto/

Entrust Technologies Ltd. hosted an industry roundtable March 31, 1998 to gather relevant business opinion of this brief. The consolidated industry view is attached to this letter.

As an industry-leader in public key infrastructure products, and one of the fastest growing enterprise security organizations world-wide, Entrust Technologies is vitally interested in developments of Canadian policy regarding cryptography and electronic commerce. This industry is extremely hot and one of the fastest growing segments of the internet economy, with CAGR estimates between 128% to 211% (Dataquest, SoundView Financial, UB Securities).

Entrust Technologies Ltd growth reflects these market statistics, and has been at a pace of greater than 100% CAGR. Entrust has grown from less than 100 employees in January 1997 when it was spun off from Nortel, to over 325 people in April 1998, with a forecast for well over 400 by year end 1998. This kind of pace should continue for the next few years. This is representative of what other Canadian corporations can do as world leaders in the electronic commerce arena, but this success requires a relaxation of export controls of cryptography. As an absolute minimum, certainly do not further tighten controls such as the General Software Note exemption in Wassenaar.

While we are sympathetic to law enforcement needs in handling encrypted intercepts, the scope of Wassenaar arrangement should not expanded to accommodate law enforcement concerns.

We believe it is important for Canada to support the following postions if it is to become a player in the new Electronic Commerce economy.

1.
Stored Data
Do not mandate key recovery technologies for stored data. Commercial products will prevail that support this function. The Government can also lead by example and only buy products that met its specific key recovery requirements.

2.
Session Data
Do not mandate key recovery technologies for session data. It is not a commercial requirement. It would be infeasible to deploy as current protocols (SSL, IPSec, ISAKMP, etc.) do not support this function. Mandatory key recovery for session data would be a disaster - it would be extremely expensive to deploy and could be circumvented with a trivial effort.
3.
Export Control
Remove export controls to all countries other than embargoed nations or terrorist-supporting countries. Continue to work within the Wassenaar framework, but employ a liberal interpretation to level the playing field for Canadian corporations. (ie., Ireland, Finland, New Zealand have more liberal interpretations that support domestic industry)

Sincerely,

Brian O'Higgins
Entrust Technologies


Attachment:

Submission to Industry Canada:
A Cryptography Policy Framework for Electronic Commerce

April 21, 1998

A group of companies in the field of Information Technology Security (ITS) met on March 31, 1998, to discuss the Cryptography Policy Framework document, produced by the Task Force on Electronic Commerce and published in February 1998. As a result of that meeting, the representatives of the companies and associations involved have prepared this submission for consideration by Industry Canada in developing a Canadian policy. The representatives have a strong interest in a Canadian Cryptography Policy, and we wish to make our views known.

First of all, we strongly believe in the effort to produce a coherent and cohesive Cryptography Policy for Canada. A clear policy is essential, as electronic commerce is increasingly and rapidly being used for business and personal communications; the critical issues it raises must be addressed in the Canadian context. The objectives of a Canadian Cryptography Policy should be to protect the privacy of Canadians, to ensure security of sensitive individual and corporate communications, and to prevent electronic crime such as fraud, unauthorized access and interception, and disruption. Enunciation of a Canadian Cryptography Policy will help to enable secure electronic commerce, and in the process assist the Canadian high-tech industry, both domestically and in the competitive global marketplace, creating jobs and promoting a healthy Canadian economy.

Secondly, we want to express our appreciation of the government's efforts to support and assist Canadian business, particularly, in the ITS field, the work of the Communications Security Establishment (CSE) and the Department of Foreign Affairs and International Trade (DFAIT), the latter with respect to export control. CSE's negotiations with the U.S. in particular have assisted Canadian business in penetrating that critical market. As much as possible, the government has been helpful and responsive to industry needs, although this positive view must be tempered with our concern about inconsistency and unacceptable delays due to process.

Our third general point concerns the role of government in the international arena. It is the consensus of the group that Canada must maintain good standing with its partners and allies. As active participants in the global marketplace, it is our view that Canada must continue to support and adhere to international agreements, as a means of ensuring favourable international trade status and international recognition as a global trading nation in good standing. We therefore urge the government to continue to work within the framework of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-use Goods and Technologies.

Having said that, Canada should take positions within international frameworks, such as and including the Wassenaar Arrangement, that optimize opportunities for our ITS industry and give them maximum flexibility to compete, that allow privacy for Canadian citizens, and that firmly establish Canada as a leader in secure electronic commerce and secure electronic service delivery.

Canada has a robust, innovative and growing ITS industry. Companies supporting this submission represent world leaders in ITS, including Certicom Corp., developers of elliptic curve cryptography; Entrust Technologies, a leader in Public Key Infrastructure (PKI); Chrysalis-ITS, developing smart card public-key security; KyberPASS, a vital company that has developed and is implementing a unique Virtual Private Network (VPN) authentication technology; TimeStep, a developer of VPN solutions; Milkyway Networks, a leading maker of firewall and authentication technologies; and Hewlett-Packard (Canada). These are only a few companies of the burgeoning ITS industry in "Silicon Valley North", in the National Capital Region, the Toronto region and Western Canada. These companies look beyond the somewhat limited domestic market in order to succeed. Furthermore, the nature of the industry demands a global approach, as electronic commerce and associated security solutions know no national boundaries. Thus, these companies need the support and assistance of the federal government in pursuing international markets. The government should not in any way impede their ability to compete effectively on a global scale. For example, the government should not impose restrictive export controls on algorithm strength, a key issue that is discussed below. The government should, further, work towards common and compatible international standards that benefit the Canadian ITS industry, and thius contribute to the economic growth of Canada.

Canada also has a dynamic and growing IT industry, and this industry and its clients are demanding security solutions. For example, amongst the representatives listed below are Northern Telecom, world leader in telecommunications, Netscape Communications Canada, and JetForm, a vital electronic forms company, whose clients want integrated security.

Canadian citizens are increasingly using electronic means of communication and doing business. They should have the right to privacy in their electronic communications and security in their electronic business. Privacy of communications is explicitly protected by the Universal Declaration of Human Rights (Article 12), by the International Covenant on Civil and Political Rights (Article 17), and by Canadian law. Canadians recognize and support the requirements of law enforcement and Canadian intelligence agencies; however, these requirements must not, and need not, supersede the individual's right to privacy.

Canada is a leader in electronic commerce and electronic service delivery. Indeed, Industry Canada, as the lead of the interdepartmental Task Force on Electronic Commerce, devotes considerable effort towards achieving the objective of electronic service delivery wherever possible by the year 2000. It is an admirable objective which we in the ITS industry fully support. It is in fact the indigenous development of security solutions, notably public key technologies, that will enable meeting the objective. When the Minister of Industry hosts his OECD colleagues in the fall 1998, he should be able to point to the close cooperation of Canadian industry and government in working to achieve the objective. A new Cryptography Policy is necessary to meet the objective, along with amendments to legislation to support electronic commerce, and national and international recognition of digital signatures as electronic equivalents of hand-written signatures. The new Cryptography Policy should support the electronic service delivery objective of the Industry Canada Task Force, and not impede it.

In view of the above, our responses to the specific options presented in Part 4 of the Framework follow:

Encryption of Stored Data

As technologies develop, governments around the world are grappling with the issue of key recovery. The global trend appears, at this point, to be moving towards industry self-regulation on key recovery; that is, the reliance on companies involved in the supply of public-private keys to users, to ensure that a copy of the private key is kept in order to recover stored data should the primary key pair be lost or corrupted. The ITS industry recognizes this approach as sound management practice. Whether the keys are kept by the user (individual or corporate), by the service provider, or by a Trusted Third Party (TTP), is secondary to the issue, although the preferred approach is to keep the keys at the lowest level practicable; i.e., as close, in a business sense, as possible to the entities involved, to balance operational convenience with the essential security and integrity. The government need not and should not mandate key recovery outside government; it will be done as sound management practice within the context of an overall security policy.

Market-driven key recovery is somewhat of a risk for law enforcement and intelligence gathering because with this approach, there is no guarantee that all encrypted data would be recoverable. As noted in the Framework document, however, even if key recovery were mandated by government, that too is no guarantee. Users could circumvent mandated key recovery by using non-Canadian service providers, or other types of encryption, even if prohibited by Canadian law. It is well understood that the very users likely to be of interest to law enforcement or intelligence agencies are those most likely to circumvent barriers (and break the law). The situation is such that, from our perspective, the risk to individual and corporate rights to privacy of personal and proprietary information must take precedence over the limited effect of mandated key recovery.

While allowing the market to practice key recovery, the government would not be prevented from encouraging the use of key recovery techniques. The Framework document sets out a minimum-standards approach as separate and distinct from market-driven key recovery; these two options may, however, be quite compatible. The government should take a leadership role by setting minimum standards for government use for back-up and recovery of encryption keys; promote the standard and encourage the use of service providers that meet the standard, without in any way impeding the use of service providers that do not meet the standard. One must give some credit to users, who, we expect, would see the inherent advantage of key recovery of encrypted stored data. Canadian users, whether corporate or individual, will want, first, assurance that their encrypted stored data is indeed recoverable, and, second, that the means of recovery is assured and trusted, in order to guarantee recovery, to respect privacy, and to ensure security.

This approach is analogous to the federal government's approach to security in general. The government has set minimum standards through its Government Security Policy (GSP). It is mandatory for the federal government only; private sector individuals and companies need not comply. The government takes a leadership role in providing sound business practice for security.

The marketplace of the Canadian ITS industry is international. The Canadian market is limited, and in order to survive, Canadian companies must sell their products abroad. If the government mandated key recovery or key escrow, with the keys held by government, it would be very difficult to sell our products abroad. Nor can we afford to produce two different versions of each product, one for the domestic market with mandated key recovery or key escrow, and one for export, without key recovery or escrow. Furthermore, because of the historical association of key recovery with U.S. initiatives such as the Clipper Chip, the commercial distrust (whether justified or not) in systems involving government-mandated key recovery precludes the commercial viability of such products, particularly in foreign markets.

Encryption of Real-time Communications

The Policy Framework paper notes that, "while there is a business case for the recovery of stored data, there is not an equivalent commercial need for key recovery of encrypted real-time communications (e.g., telephone calls, real-time sessions between two computers on a network, and remote applications or database access)."[p. 18] We concur with this view, with one important qualification: If information is considered valuable, then it will be stored, as sound management practice. Therefore there is no need to recover encryption keys for "data on the move".

Some of the options presented in the Framework document with respect to encryption of real-time communications are unrealistic and impractical in the face of current and emerging communications technology. To a large extent, encryption and decryption of data on the move will be carried out by, and under the control of, end-users, rather than carriers. In this environment, the carrier has no control over the user and the user's selection of encryption. Evolving communications technology for secure transactions extensively uses one-time session encryption keys. Mandating decryption on presentation of a warrant would be impractical, and at odds with the technology in use. We appreciate the implied difficulty for law enforcement; however, it must be recognized that imposing a policy that is unenforceable serves no purpose. It is inconceivable that law enforcement or intelligence agencies would undertake the exhaustive time and prohibitive expense that would be needed to monitor for unlawfully encrypted signals. It is eminently more reasonable to target communication at source or destination with a judicial warrant.

From this perspective, the choice amongst the options presented is clear-cut. The status quo should be maintained, and there should be no government controls, through legislation or regulation, to impose key recovery for encrypted real-time communications. The paper continues that, "Regulatory measures risk slowing down the rapid evolution within the information technology products and services market, and creating obstacles to international commerce."[p. 18] Again, we concur. To facilitate international electronic commerce, and to give Canadian companies the ability to compete, real-time communications should not be subject to government controls.

Export Controls

It is our view that controls on the export of cryptography should be liberalized as much as possible within the framework of the Wassenaar Arrangement, and, further, that the government should work in international bodies to liberalize the framework even more. The international marketplace is demanding global electronic commerce solutions, and that includes strong security. It is critical for the Canadian ITS industry to have the latitude to meet the demand.

The existing export control regime was appropriate for the times in which it was constructed, that is, during the Cold War. Cryptographic technology, in particular cryptographic software as well as hardware, was not available in many countries. The past several years, however, have witnessed rapidly evolving technology and changing world political and economic circumstances. Cryptography expertise is now widely dispersed, no longer the exclusive domain of a handful of mostly government players. Furthermore, software is in a sense an intangible good that is not easily controlled because the Internet has no discernible national boundaries. The radically changed global situation dictates the need for a concomitant change to the premises on which the export control regime is built. A different approach is needed.

We estimate that as much as 95% of our market is outside of Canada, and at present a large part of that market is in the U.S. Thus, the position of the U.S. is important: we cannot liberalize unilaterally; if the Canadian ITS industry were shut out of the U.S. market, it might not survive. It would certainly suffer. However, this is an unlikely scenario, since it would apparently require import controls in the United States, preventing import of goods from all countries in the rest of the world.

Liberalizing the export control regime should also include simplifying the process. The current process is too cumbersome, too onerous, too uncertain and too lengthy. Straightforward cases of export approval tend to be processed quickly, but it should not be necessary to apply for a permit for each new contract or sale: one approval for each product should be acceptable. In many cases, the only change may be country of destination; companies should be permitted to export approved products without re-submitting for approval provided the country of destination was not included in a published list of unacceptable countries of destination. In cases where there may be some doubt about approval, the process takes far too long; timing is uncertain, making it very difficult to meet customer requirements. Delays result in suspicion by foreign customers, quickly resulting in loss of sales. In today's rapidly paced business environment, companies must receive a decision within three weeks at most. Delays

Liberalizing should also include blanket approval of certain algorithm strength. Our preference is no limit on export of algorithm strength; however, if a limit must be imposed, then it is our view that blanket approval of 128-bit symmetric key and 1024-bit asymmetric key (e.g., RSA encryption and Diffie-Hellman key agreement) is the minimum acceptable limit. Anything less should not need approval; anything above should be considered quickly on a case-by-case basis.

We urge the government to negotiate liberalization within the Wassenaar Arrangement on two fronts: first, to accept Mass Market Software (MMS) and Public Domain Software (PDS). Second, the government should work with international colleagues on a continuing basis to review what is available on foreign markets, and to allow Canadian industry, and those industries in the other countries subsumed within the Arrangement, to export products of similar strength, without requiring export licenses. Even as a world leader in communications and data security, Canada is still unable to compete internationally when stronger security products, not subject to limitation, are available world-wide from unregulated or more liberal countries. For example, Ireland, New Zealand, and Finland have more liberal interpretations than Canada. Attempts by the government to control the international distribution of security solutions are futile, harmful to the domestic economy, and do not advance Canada's profile on the international stage.

Without liberalization, Canadian industry is at a competitive disadvantage. Any degree of regulation that impedes the free flow of products and services across borders impacts on the opportunities for Canadian companies and limits our ability to compete and succeed in global markets. Export controls create a poor climate for electronic commerce; the global growth in electronic commerce will be concentrated in areas that have the most liberal regulations with respect to cryptographic controls. We do not have a level playing field.

"What can governments do to accelerate the roll-out of the infrastructure which would offer public access to cryptography services and secure electronic commerce?"

The Canadian government should continue to be a leader in the roll-out of electronic service delivery. The government should continue to support and actively assist the Canadian ITS industry in providing the security for electronic commerce, security that is necessary if electronic commerce is to succeed. The government should acquire and promote Canadian ITS products and services. It should take action to recognize digital signatures as electronic equivalents to hand-written signatures on paper documents in Canada, and to harmonize national and provincial legislation and regulation. Particularly importantly to the group here represented, the government must continue to work in international fora to promote secure global electronic commerce and reduce barriers to global trade in cryptography products and services. The government can encourage the adoption of government practices (e.g. with respect to key recovery for stored data) by encouraging interoperation of other infrastructures, such as provincial instrastructures, with that of the Government of Canada PKI.

Above all, the government should allow the marketplace to work, and it should intervene only to ensure a level playing field for the Canadian ITS industry.


Summary of Recommendations

Encryption of Stored Data

We recommend that the government:

Encryption of Real-time Communications

We recommend that the government:

Export Control

We recommend that the government:

Additional Recommendations

We recommend that the government:

Representatives:

Brian O'Higgins, Executive VP and Chief Technology Officer, Entrust Technologies

Phil Deck, President and CEO, Certicom Corporation

Ron Walker, President and CEO, KyberPASS Corporation

Tim Hember, President, TimeStep Corporation

Lynn Anderson, Marketing Manager, Hewlett Packard (Canada) Ltd.

Benita Baker, Manager of Marketing Communications, Chrysalis-ITS

Robert Koblovsky, VP Marketing, MilkyWay Networks Corporation

Todd Finch, President, Netscape Communications Canada

Dermot Kavanagh, Manager, Regulatory Standards, Nortel Technology

Ralph Doran, VP Product Development, JetForm

Dr. David Jones, President, Electronic Frontier Canada

David Betts, Information Technology Association of Canada