CORDIS Archive : INFOSEC: ETS: Studies and Pilot Projects: EAGLE

[Decisions | ETS | Evaluation | Downloads]

Investigation of the Commercial, Licensing and Regulatory Issues Associated with ETS Including the Supporting Mechanisms

The contact point for the project is:

Mr. Per Christoffersson

TELIA PROMOTOR
Po Box 168
13623 HANINGE
Sweden

Tel no: + 46-8-7073500
Fax no: + 46-8-7073599
E-Mail: per.e.christoffersson@telia.se

1. Your problem

Your company needs to exchange confidential information with other companies in Europe.
You have agreed on a common encryption system.
You have heard of export restrictions and problems surrounding the use and export of encryption systems.
You are aware of the need to generate and exchange encryption keys in a secure way.
You are not sure how to approach this area, especially considering that

the traffic and the number of people you want to communicate with will grow quickly
they are all over Europe and outside Europe as well.

The answer is to use Trusted Third Parties, which will help you with all these problems!

The EAGLE project will show how a TTP service can be designed to support this.

2. What is EAGLE?

EAGLE is a joint European project tasked with studying the use and co-operation of TTPs. It is funded by Directorate General Thirteen (DG XIII) of the European Commission, under their INFOSEC (information security) program and is scheduled to run during 1997.

The partners working on this project are:

Telia Promotor, Sweden (Project leader)
Deutsche Telekom, Germany
France Telecom - CNET, France
KPN Research, NL
Racal Research, UK
Vodafone, UK

3. What is a TTP?

A Trusted Third Party, is a "security authority, or its agent, trusted by other entities with respect to security related activities" according to an ISO definition. It means that TTPs may provide a variety of security services to its users, e.g.:

assist users in establishing secure communications using encipherment
assist in authenticating one user to another
generate and certify keys
perform notary functions like time stamping and secure storage of documents

4. What will EAGLE do?

EAGLE will study commercial, technical and regulatory aspects of TTPs and implement a pilot demonstration.

Study on commercial aspects

In order to facilitate the development of a pan-European network of TTPs, organisations must be able to offer services on a commercial basis. The scope of this study is to investigate the commercial issues associated with offering TTP services, and to define a set of assessment criteria which may be used to evaluate the commercial feasibility of a TTP.The study will :

select one or more user communities on which to focus the study;
identify a selection of TTP services;
investigate commercial models which may be used to sell TTP services to customers;
define assessment criteria to measure whether the TTP services are commercially feasible
evaluate the commercial feasibility of the selected TTP services;
consider possible methods for charging.

User requirements will be gathered through a combination of background studies and direct contact with users through interviews and questionnaires. The requirements capture will address the following areas:

trust assurance;
security level;
·ervice level;
costing and charging;
ease of use;
performance

In order to be able to sell TTP services to customers, organisations will need a commercial model. The study will investigate the use of such models, which may be based on existing telecommunications models. The commercial model will address the following issues:

roles and responsibilities;
trust relationships;
charging, billing and accounting;
licensing and accreditation

The results of the study will be a report on the commercial issues associated with offering TTP services, including the identification of market requirements, the investigation of commercial models and an evaluation of the commercial feasibility of TTP services.

The commercial study will be led by Vodafone.

Study on technical aspects

A wide variety of mechanisms and schemes are available to provide TTP services. A technical evaluation of different schemes is required in order to be able to select mechanisms, or propose enhanced mechanisms, which fulfil our criteria.

The technical study will :

investigate and compare mechanisms and schemes which provide TTP services over a pan-European network of TTPs;
define assessment criteria which may be used to evaluate TTP schemes from a technical point of view;
evaluate TTP schemes from a technical point of view.

The study will concentrate on key management for encryption and for digital signatures. The support of key recovery for lawful access to encrypted communications will be studied as an important option as several countries require this kind of facility by law and more countries may require it in the future. Other TTP services may also be considered.The ISO SC27 and ETSI TC Security work, which describes and identifies requirements for TTP services, will be the starting point for the technical studies. The availability of trustworthy, practical and interoperable mechanisms to provide TTP services will be investigated. Comparisons between alternative mechanisms providing similar services will be made. Deficiencies of existing mechanisms will be reported, with recommendations for improvements. The following key management issues will be investigated:

the availability of supporting standards / protocols / products;
the practical impact of installation and operation at the user end;
international interoperability, taking into account any technical solutions which allow for differences in national crypto policies;
trust in the TTP and its services, including the split of trust between TTPs;
the protection of user-TTP exchanges;]
requirements for specific environments (e.g. e-mail, World-Wide Web, EDI);]
the need for complementary services (e.g. directory access) to aid the creation of TTP services.

The result of the study will be a report providing the conclusions of the investigation and comparison of mechanisms to provide TTP services over a pan-European network of TTPs.

The technical study will be led by France Télécom.

Study on regulatory aspects

An organisation offering TTP services may be subject to national regulations. This part of the study will investigate these regulatory conditions for TTP organisations in the five participating countries, and possibly others as well, e.g. the USA. This study will concentrate on:

the licensing and accreditation criteria for basic TTP functionalities, like issuing of certificates and key generation and for sets of TTP services;
potential regulatory barriers to the commercial viability of TTP services;
international regulations that will influence national policies;
the legal implications of cross-border traffic of encrypted messages;
the evaluation of the regulatory issues associated with offering TTP services;

While legislation and regulation tend to lag behind developments, trends and preliminary regulations will be investigated where there is no official point of view.

Information will be retrieved by background studies and interviews with regulators or representatives of the appropriate governmental bodies.The result of the study will be a report containing the regulatory conditions for offering TTP services in France, Germany, United Kingdom, The Netherlands and Sweden and specifically the regulatory criteria for the assessment of key management mechanisms.

The regulatory study will be led by KPN Research.

The pilot demonstrator

The objective of this work package is to manage and operate a TTP service between the project participants, to identify any practical problems which may be encountered. To this end a research tool will be developed by EAGLE. A further objective of this work package is to apply assessment criteria to the research tool and report the results.

The TTP research tool consists of a TTP server and a client application. A TTP server will be set up in each of the participating countries, thus establishing a network of TTP servers for the support of key management according to a scheme developed by Jefferies, Mitchell and Walker . Furthermore each partner will provide users in its company with the client application. Communication will be set up between users belonging to the same TTP server and users belonging to different TTP servers. Participants in the countries covered by the TTP network will be able to use their TTP to protect files sent via electronic mail to any other participant.

The"JMW" scheme specifically supports key recovery as an option, and lawful access can thus also be demonstrated. The research tool will be developed by Racal Research.

The functionality of the software and its usability will then be tested according to the commercial scenarios and to the technical and regulatory assessment criteria established by the studies.

The organisation of the pilot will be led by Deutsche Telekom.

SUMMARY

The consolidated results of the EAGLE project will be an evaluation of the feasibility of selected TTP services based on study results and the research tool trial results. The evaluation will especially present our views on the commercial feasibility of the chosen TTP services being offered in a few different market segments. However, the results will be generalised, where possible, to present an overview of the commercial feasibility of a wide range of TTP services offered in a variety of market segments.

Click below to download the EAGLE Final Report

Notice of Conditions

Before downloading, please note the following conditions:

This report has been prepared for the European Commission under contract and is placed on this web site to ensure the widest possible dissemination of the results of our work on ETS. However, please note that the European Commission does not necessarily endorse the content or conclusions of the report. Extracts from the report may be freely taken, so long as the source is clearly acknowledged.

Download the Final Report in MS Word

Feedback and comments regarding INFOSEC,
should be addressed to:

DG XIII/C.4
European Commission
INFSO-C4@ec.europa.eu