Interview with David Herson - SOGIS
The following is an edited transcript of an interview
with David Herson - Head of SOGIS, Senior
Officers' Group on Information Security (EU).
The interview took place in Paris, September 25, 1996,
and was conducted by Kurt Westh Nielsen - Engineering
Weekly, Denmark and Jérôme Thorel,
Planète Internet, France. First question concerns
the experiments at the moment with European key
Will the call for tenders be a long process -
which kind of decision will you have at the beginning of
- The decision is separate from the preparatory
action. My feeling is, that neither the commission nor
the council are in any hurry to take a decision on
cryptography for the reasons you've heard today. This is,
the OECD guidelines in my view are a useful stepping
stone. What we need are a few marker posts out there -
reference points. If the only reference point is the
French Law or whatever - it's not good enough. You need
a bit more balanced than that.
The politics of cryptography has been the big change
in my life. There was no crypto-politics in 1970. Non
existing - now it's a big subject. But unfortunately you
cannot really understand the politics unless you
understand the technical underpinnings and that's the
problem. Quite often you can separate the two - in this
subject you can't.
When is the European infrastructure in place ?
- I think it's going to emerge bottom up. My original
theory was that we would have a meet in the middle attack
as it were. We'd have a high level policy approach and a
lot of individual activities going on, you know practical
needs as it were. Either stimulated by the Commission or
resulting from market requirements and the two events
would sort of converge - and I think it's still the best
model. But the timing may not be perfect. As I just said
I think the amount of interest in this preparatory action
of the ETS has shown that there's a tremendous amount of
latent interest and energy out there waiting to get this
show on the road. So let's hope that the momentum the
project generates will spread the interest in the
technology. It's my belief, quite clearly, that the TTP
approach is the right approach for both sets of
interests. I mean, if you decategorize people into just
two camps I'm sure that it is the right way to meet the
right compromise. To get there. You got to have all the
right safeguards, I'm well aware of these arguments about
regimes becoming totalitarian and abusing the facilities.
But we got to make first step - otherwise we're not going
to get the wide use of cryptography that we're after. I
presume that this is what the majority of people in the
room are interested in - a much more extended use of
cryptography. And good crypto as well - that's important.
Is the EU going to take the first step or going to
wait for the OECD recommendations ?
-My recommendation to my management is, that if we're
successful in getting a consensus in OECD then that's a
good launch point for a more detailed policy. Remember
the OECD policy is only guidelines, and it's going to be
weak, it's not going to be a strong statement. What I
wanted was a fairly high level policy statement - getting
down, I've been beating the drum about the
principles now for more than a year in my various public
addresses. And frankly the present document does not look
very different from what I was putting out over a year
ago. I think if you can get those basic principles down
and sort of sense of balance there - I think the balance
is right at the moment... You've seen the guidelines ?
have you ? No, No it's not public.
If we can get a reasonable statement of the balance
between trusting crypto. Or get the right balance between
all these different principles *including* Law and
enforcement, I mean it's naive if anybody thinks that
they can somehow institutionalize the use of crypto
without taking account of it. The point is getting it
right in a sort - in the order of things - the right
position in the spectrum, and let's hope that the debate
in the OECD will achieve that. Because if it doesn't,
we're left with the old regime of cryptographic use
controls via export control. The French position is
special but in fact the French position is not so
untypical of the rest of the world. Although other
countries only have export regulations - in practice
export control means use control. There is an indirect
mechanism, which means that ... If you take the old
paradigm that exportability means exploitability - the
only cryptography, that is available to the business and
private user is exploitable cryptography .. If you want to
get away from that to a state where business can have
good cryptography, and I don't think business will use
the GII and all these good things without good
cryptography - I mean, we're not talking about buying a
theater ticket over the Internet or something, we're
talking about routine transactions of billions of dollars
all the time. To do that you got to have confidence in
the system - it's not corruptible and all these good
things. So you got to have strong cryptography, to relax
the code controls on strong crypto, you got to
institutionalize an arrangement which protects the
National security and enforcement....
Via TTP's ?
-TTP's are just a practical mechanism for getting
there - I appreciate it can be abused - I listened to the
people here today - heard it many times before - but
anything can be... Guns are abused. I don't approve of,
let's say my government, whatever that might be, going
off and using nuclear weapons or something.. You know..
but they do it, I mean, people use what there is.
Similarly I think Intelligence agencies whether it's law
enforcement or national security will use whatever
mechanism is built. It's all very well, Zimmermann
sitting there saying PGP is secure, it's open for public
inspection and so on, but he is not actually in control
of how people use PGP. He's not intercepting encrypted
messages - with all the stupid things that people might
do. You can be damn sure, that if there's some way of
misusing PGP - they're doing it out there. The fact that
the algorithm might be good - in principle- does not
guarantee a secure cryptography. I don't think that in a
business environment you could ever comfortably use PGP.
You would always have doubts that you're using something
which is not authenticated. You've got a version of PGP
on your PC ? I'm sure you have, so have I, but where did
you get it from - what's the quality of the source. Are
you competent to inspect the code you have.... So who are
you trusting for the code to be good ....
It's not a good basis on which to put trust in
transactions. A lot of business activity is based on the
trust the parties have...
What will happen to the call for tenders ?
-At the beginning of October we shall be evaluating
the tenders. Selecting those, that we want to go forward
with. Next week we have a panel meeting with independent
experts from various countries. They will evaluate the
proposals, select the best ones, five- six, we'll have to
see how much money we have - how good the proposals are.
And then we will go to SOGIS and get their blessing. Then
we will have to get the formal approvals through the
commission machinery to engage in the contracts. So about
the 1st of January these people will start
work.. So this is quite independent of the Council
decision - quite independent.
So the aim is to better understand... ?
-We need to understand better and to
explore/experiment to discover the problems with
international use of TTP's. We think we know what the
problems are but until you actually do the communications
and you see whether this meets national requirements...
Will the work lead to recommendations for the
council to choose specific companies as providers ?
- No, the model is, to maintain the sovereignty issue,
licensing should occur nationally. What I would like to
be able to do at the end of this action is to recommend
the minimum rules - rules for accreditation.. We have to
avoid - it's simple really - you can not trust a guy who
works in a garage on weekends - anybody offering TTP
services has got to offer very high standard of trust -
physical protection of the key-database. Procedural
And physically in the same country ?
-That's the French law at the moment, but I don't
believe any other country will impose that requirement.
Certainly the Commission will have to think hard about
whether it would be acceptable to constrain a single
market in that way. I don't think most countries will
accept that. And I don't think France will eventually.
The problem in France is that since they are the first
and only country in the world that has introduced any new
law concerning TTP's there is no basis for comparison,
they must insist that the keys are being escrowed in
France. If the international infrastructure works
properly then they will relax that condition.
What do you think about the fact that the crypto
debate focuses on privacy versus Law Enforcement ?
- Law Enforcement is a protective shield for all the
other governmental activities. You should use the right
word - we're talking about foreign intelligence, that's
what we're talking about - that's what all this is about.
There is no question - that's what it is about. The Law
enforcement is a smoke screen, because we all understand
law enforcement, policemen, courts, this is something we
see everyday in our life. And it's an important element,
I'm not suggesting it's not relevant but it is a
protective shield for what goes on behind that. Countries
like France and the United States, as you well know, are
active. So at the OECD meeting at least half the people
round the table understand that - not everybody but half
of them do. And no solution will be acceptable unless it
keeps that in balance as well.
In principle we want the government to protect us from
terrorism and drug dealers, paedophilia or whatever
bothers you today. And I think you can put a package
around those interests - some of which you understand -
some of which you don't. But you can identify them as
something which is the public good as against the private
good, and all we're trying to do is keep the public and
private interest in balance. That's the new concept - the
new paradigm. The old methods of control did not
recognize that. The old methods put the government, the
public interests first. So there isn't a private interest.
The Private citizen doesn't need crypto - that's been
proved. Telephone calls or transactions across the
Internet, these are private interests where security is
Something which doesn't show through in the OECD
guidelines yet which is very important from the
Commission's point of view is the fact that cryptography
has these two dimensions - the integrity of messages and
the overwhelming business requirement for integrity. We
should not let this political debate damage the real
benefits that come to public and private communication
through use of digital signature - that's the magic bullet
- the signature. It will benefit society a great deal. It
will transform us to the information society.
Do you think it will help government to act on
confidentiality, the fact that digital signatures are
useful for everybody ?
-A good French approach to these affairs is to go in
easy steps - we don't have to do everything at once. Many
people have argued that we should have got rid of the
digital signature problem. Have all that sorted out,
before we moved on to the confidentiality problem.
Regrettably it's too late in the day. The confidentiality
problem is the one that has been raised as the big
Because of PGP ?
-..Partly, but it's only one of many elements.
What is the role of the commission in the OECD
meetings - are the guidelines a small step or..?
-Well, the commission is equivocal about the OECD.
It's not comfortable. But in this particular case, because
of the way the Commission has acted in this field in the
last two or three years, I think our position is
relatively significant. We're not a member state of the
OECD, but I can speak collectively on behalf of the EU.
What is your impression of the points of view in
the Scandinavian countries ?
- Many of the Scandinavian countries are coming to
this problem for the first time. They are not very
sophisticated in the underlying concepts. And it varies,
I mean Norway and Denmark are members of NATO already, so
they have significant experience of the secure
communications, Sweden and Finland are advanced
technically in the development of equipment, but perhaps
less advanced in the development of policy concerning the
balance between intelligence and privacy.
So that occurs because those countries don't have
the experience and background ?
-It varies, you were not at the meeting, but the flavor
that will come through from several Scandinavian
countries is that they are grappling with the issues for
the first time. Trying to understand the balance and so
on. Denmark made a clear statement at the last meeting -
which was basically a clear statement that they would not
seek to introduce new measures to gain access to Internet
traffic. They are the only country who have been quite
clear I think in their public statements so far. They have
made it clear that they intend to introduce no new
measures to gain access to secure communications
traveling over the Internet in Denmark. Now, that comes
from a spokesman for the Danish government. The
Netherlands, if you see them as sort of a
pseudo-Scandinavian country have come out with a similar
position to Denmark. It's only two years since they tried
to introduce through the back door a law on access which
died. A journalist got the story and blew it up and the
law got a real hammering. I think the minister resigned
in the end. So you can make a mess of these things.
10/04/1996 - last revision 02/25/1997