You are in Gamma's Research Archives. This page is of historic interest only.


Surveying Market Expectations of Trustworthiness in Third Party Electronic Services

Summary of a Report for the UK Department of Trade and Industry Information Security Policy Group, Published 28 April 1997

The study was undertaken for the UK Department of Trade and Industry's Information Security Policy Group to determine the market's perception of the word "trust" in the term "electronic Trusted Third Party Services (TTPSs)".

Undertaken principally in the UK, with additional input from BE, the EC, DE, DK and FR, the study involved some thirty-nine interviews in a market survey that examined two questions: "What are the elements of a TTPS which influence trust?" and "What processes might help in demonstrating that trust in these elements is justified?".

The survey produced extensive insights into the state of the market for TTPSs.

A significant finding was that there appeared to be a broad need for greater familiarity with the concepts and potential benefits of TTPSs. The market is still at a low level of maturity. True, there are already some significant TTPSs operating, and experienced individuals in a number of related fields (as providers and users of these services, consultants, auditors, regulators), but there remains a wide area where improved awareness would be beneficial. It is anticipated that there will be a significant burgeoning of the marketplace over the next five years or so.

Because of the relative immaturity of the marketplace it was not possible to meet both of the project's objectives definitively. Nevertheless, the findings of the survey revealed valuable information, lent support to a taxonomic model of TTPSs which is of great use in understanding the nature of TTPSs and the relationships between services and their providers and users, and supported the identification of key trust elements.

The technology to achieve the implementation of digital signature and confidentiality functions is only one aspect of the problem - the areas needing attention revolve around how such technology and its operational environment can be assured, what liability provisions exist, and the supporting infrastructure (including the legal framework) which exists. A major issue in the infrastructure domain is the urgent need for steps to be taken to achieve international recognition of these infrastructures and frameworks which facilitate interoperability across national boundaries without imposing constraints upon commercial efficiency.

The survey and subsequent analysis identified two principal courses of action which the DTI could follow - one, to put into effect positive licensing régimes for the regulation of TTPSs, the other to let the marketplace decide for itself what measures it needs implemented whilst offering support to the development of awareness and best practices in the domain and specifying the limits and boundaries only. These two choices are not necessarily mutually exclusive. The study's report proposed to the DTI a number of potential actions it could undertake, each supported by provision of a broad action to increase awareness generally. These recommendations were taken into consideration by the DTI as a part of its strategy for supporting UK industry's participation in electronic commerce.

SPONSORSHIP & PROJECT TEAM

The project was sponsored by the UK Department of Industry, and intended to solicit a European-facing UK perspective on the issue of trust in TTPSs. The project was led by the Zygma Partnership (UK) with Gamma Secure Systems Limited (UK), Needham & Grant (UK), Industrieanlagen-Betriebsgesellschaft mbH (DE) and PSTI-Evaluation (FR). All five companies are highly experienced international information security consultancies or lawyers, with wide experience in matters concerning the development of TTPSs, business risk management, trust, third-party security accreditation and the law.


A Taxonomic Model of Trusted Third Party Services

An important finding of the study is a generic taxonomic model of trusted third party services. There are three axes.

Axis 1 - Type of Services

The first dimension of the model distinguishes between the types of services which can be offered as being Primary-Value (PV) and Added-Value (AV) services. Primary-Value TTPSs could be, inter alia, any or all of the following services:

  • Key Generation
  • Registration Authority
  • Certification Authority
  • Directory Agent (Certificates and Revocations)
  • Key Recovery
  • Key Escrow.

This list is not intended to be exhaustive: its primary purpose is to illustrate the infrastructure-related TTP services. PV TTPs provide the basic mechanisms to create and use public-key technology - they are the enabling elements within a Public Key Infrastructure (PKI) or a general Key Management Infrastructure (KMI), but they generally do not provide any direct services which deliver business / commercial services. These are provided by Added-Value TTPSs. Added-Value Services could include:

  • Independent Time-stamping
  • Secure repository / registry for e.g. shared documents
  • IPR Handling and dealing in negotiable instruments (e.g. Bills of Lading)
  • Commercial Insurance
  • Notary Public Information (NOT Key) Escrow
  • Prescription dispensing.

Axis 2 - Scope of Supply

This aspect of the taxonomy distinguishes between the scope of supply of the services offered. There are three classes:

  • Private - The provision of 'trusted electronic' services solely for users within the same overall organisation (distinguished by there being a central CEO), irrespective of the national jurisdictions in which individual components of the business may operate. These services are used only for internal business purposes.
  • Syndicated - Extends the user-group of a Private service to enable the additional provision of services to selected suppliers / associates / clients of the providing organisation, but still only for business exchanges between (i.e. within) that group. These other organisations may operate from a variety of national jurisdictions, as may the principal corporation.
  • Public - Provision of any TTP services to any interested parties who wish to exchange information etc. using some kind of public-key technology / general infrastructure, potentially available to users in any national jurisdiction.

The classification of a service can now be considered as the combination of provision of PV and AV service elements. Since both PV and AV services could, in theory, be provided under any of the scopes of supply, nine classifications are possible. That is not to say that all combinations are meaningful, and we consider, from the results of the survey, that the following four classifications are the most realistic. Other combinations seem at the moment to be esoteric rather than practical. The classifications considered to be realistic are:

  • Class 1 - Private PV and Private AV
  • Class 2 - Syndicated PV and Syndicated AV
  • Class 3 - Public PV supporting Syndicated AV
  • Class 4 - Public PV and Public AV

and these can be represented in two dimensions as:

                   Private AV     Syndicated AV   Public AV
  Private PV       Class 1        possible        unlikely
  Syndicated PV    possible       Class 2         unlikely
  Public PV        possible       Class 3         Class 4

Axis 3 - Jurisdiction

This aspect is necessary because actions possible or undertaken in one national jurisdiction might not be binding or even permissible in another. This fact inhibits the uniform availability of all Classes and Types of TTPSs across national boundaries, and is in practice a brake on the free development of commercial TTPSs across Europe and beyond. In terms of the model, it may limit the classifications which are permitted to exist, i.e. certain types of trading relationships and supporting systems may not be allowed to operate. The third axis is therefore, commercially at least, an undesirable part of the model, and removing it would reduce, if not remove, a barrier to the effective operation of pan-European and international TTPSs. It is unlikely that this axis will ever be completely absent, but diminishing the variances between jurisdictions is a necessary target for trade facilitation.