Statements
The IFIP Position on Cryptopolicies
- IFIP recognizes the highly important role of cryptographic mechanisms. In the Global
Information Infrastructure (GII) and in Electronic Commerce these mechanisms will influence
acceptability, usage, and competitiveness.
- IFIP takes notice that, for the convenience of discussion, it is helpful to distinguish
between the differing objectives for the use of cryptographic mechanisms: preservation of
confidentiality, provision of the ability to authenticate people/organizations, provision
of the ability to prove the integrity/completeness of data, etc.
- IFIP is fully convinced that a range of cryptographic mechanisms is required to meet the
security needs of the GII. Users may select the most effective for their specific
purposes.
- IFIP recognizes that cryptography is at the same time prone to potential abuse by
criminals. In this context law enforcement also plays an important role, and we face the
situation that different countries exhibit different attitudes.
- Being aware that responsibility for crime prevention and detection lies with national
governments and that business is less and less related to national borders, IFIP recognizes
that cryptographic services and cryptographic applications cannot be bound to a nation's
territory.
- IFIP recognizes the technical consensus that forbidding or restricting the use of strong
cryptography is, from a technical standpoint, ultimately unfeasible.
Taking the above into account, IFIP takes the following position on the use and
regulation of cryptography:
- Cryptography has equal impact and importance when data are stored or transmitted. A
distinction is unrealistic in a world of networked computers.
- It is the prime goal that, whoever is involved in the process, cryptographic procedures
and keys are handled in a way that full confidence of all partners, including the public
at large, is assured.
- It is desirable that voluntary and free use be in place for all types of cryptography.
- While a business will generally take precautions to protect itself against
lost/forgotten/stolen keys, such considerations should be carefully separated from the law
enforcement considerations, even though the mechanisms for each may be the same or
overlap.
- The establishment of key management and cryptography infrastructures should be
primarily driven by the users' needs and not by regulatory requirements.
- Law enforcement shall not establish methods in the cryptography context that infringe on
a citizen's expectations of personal privacy and integrity within a country.
- IFIP assumes that organized and major crime will successfully avoid or evade any
requirement to comply with a key deposit scheme. Law enforcers must therefore not rely
primarily on key deposit schemes when addressing the issue of criminal intelligence
gathering. Research should be conducted that results in a set of appropriate,
acceptable, and well-focused alternative methods.
- In cases where keys are deposited with third parties, it is necessary that commercial and
privacy interests as well as commercial liabilities be guaranteed in all phases. This
is particularly necessary if such systems allow law enforcement to access data in clear or
keys, under proper legal constraint.
- There is a great need that cryptographic methods and especially digital signatures be
recognized by national and international law. Such recognition carries with it
responsibilities for assuring availability of relevant keys throughout any legally
specified retention period and liabilities for improper disclosure of or change to keys
whilst they are being kept.
- Any legal or regulatory arrangement between two nations, in respect to cryptography and
access to relevant materials, must be symmetric.
IFIP Statement on Information Security Assessment and Certification
- In keeping with the global move to electronic commerce, the information security status
of IT systems and the information security management of such systems should be assessed
against specified standards related to information security management,
- those performing such assessments should themselves be accredited according to specified
certification standards, and
- members of IFIP should be instrumental in ensuring that such standards, for systems and
individuals, be harmonized on an international level.
- TC11 of IFIP is organizing a workshop in 1999 to consolidate the aspects above. For
more information contact Prof. Jan Eloff at eloff@rkw.rau.ac.za.