
List:       ms-cryptoapi
Subject:    OECD Cryptography Guidelines Announced
From:       Gaudia Ray Sarna <lpuadm () LEONARDO ! NET>
Date:       1997-03-30 6:23:43


In alt.security.pgp, rode@info.su.eunet.de (Thomas Rode) wrote:

>FYI
>There's an OECD press release about the crypto guidelines they
>adopted. You might wish to point your webbrowser to
>http://www.oecd.org/news_and_events/release/nw97-24a.htm
>and pay attention to No's 2, 6, and 7 of the guidelines.
>regards      - Th. Rode -

Here's what the Press Release states:

29 MEMBER COUNTRIES
Australia, Austria, Belgium, Canada, Czech Republic,
Denmark, Finland, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Japan,
Korea, Luxembourg, Mexico, Netherlands, New Zealand,
Norway, Poland, Portugal, Spain, Sweden,
Switzerland, Turkey, United Kingdom, United States

Paris, 27 March 1997

OECD ADOPTS GUIDELINES FOR CRYPTOGRAPHY POLICY

               The OECD has adopted Guidelines for Cryptography Policy,
setting out principles to guide countries in formulating their own policies
and legislation relating to the use of cryptography.

               The Recommendation which came before the governing body of
the OECD, the Council, on Thursday 27 March, is a non-binding agreement
that identifies the basic issues that countries should consider in drawing
up cryptography policies at the national and international level. The
Recommendation culminates one year of intensive talks to draft the
Guidelines.

               The need for Guidelines emerged from the explosive worldwide
growth of information and communications networks and technologies and the
requirement for effective protection of the data which is transmitted and
stored on those systems. Cryptography is a fundamental tool in a
comprehensive data security system. Cryptography can also ensure
confidentiality and integrity of data and provide mechanisms for
authentication and non-repudiation for use in electronic commerce.

               Governments want to encourage the use of cryptography for
its data protection benefits and commercial applications, but they are
challenged to draft cryptography policies which balance the various
interests at stake, including privacy, law enforcement, national security,
technology development and commerce. International consultation and
co-operation must drive cryptography policy because of the inherently
international nature of information and communications networks and the
difficulties of defining and enforcing jurisdictional boundaries in the new
global environment.

               The Guidelines are intended to promote the use of
cryptography, to develop electronic commerce through a variety of
commercial applications, to bolster user confidence in networks, and to
provide for data security and privacy protection.

               Some OECD Member countries have already implemented policies
and laws on cryptography, and many countries are still developing them.
Failure to co-ordinate these national policies at the international level
could introduce obstacles to the evolution of national and global
information and communications networks and could impede international
trade. OECD governments have recognised the importance of international
co-operation, and the OECD has contributed by developing consensus on
specific policy and regulatory issues related to cryptography and, more
broadly, to information and communications networks and technologies.

               The Guidelines set out eight basic Principles for
cryptography policy:

                 1. Cryptographic methods should be trustworthy in order to
generate confidence in the use of information and communications systems.

                 2. Users should have a right to choose any cryptographic
method, subject to applicable law.

                 3. Cryptographic methods should be developed in response to
the needs, demands and responsibilities of individuals, businesses and
governments.

                 4. Technical standards, criteria and protocols for
cryptographic methods should be developed and promulgated at the national
and international level.

                 5. The fundamental rights of individuals to privacy,
including secrecy of communications and protection of personal data, should
be respected in national cryptography policies and in the implementation
and use of cryptographic methods.

                 6. National cryptography policies may allow lawful access
to plaintext, or cryptographic keys, of encrypted data. These policies must
respect the other principles contained in the guidelines to the greatest
extent possible.

                 7. Whether established by contract or legislation, the
liability of individuals and entities that offer cryptographic services or
hold or access cryptographic keys should be clearly stated.

                 8. Governments should co-operate to co-ordinate
cryptography policies. As part of this effort, governments should remove,
or avoid creating in the name of cryptography policy, unjustified obstacles
to trade.

               The Guidelines advise that the eight elements should be
taken as a whole in an effort to balance the various interests at stake.
These Principles are designed to assist decision-makers in the public and
private sectors in developing and implementing coherent national and
international policies for the effective use of cryptography. Member
countries should establish new, or amend existing, policies to reflect
them. Any national controls on use of cryptography should be stated clearly
and be publicly available.

               Drafting of the Guidelines for Cryptography Policy began in
early 1996, when the policy recommendations in the Guidelines are primarily
aimed at governments, but it is anticipated that they will be widely read
and followed by both the public and private sectors. Governments will now
engage in further consultation to co-ordinate and co-operate on the
implementation of the Guidelines. In the future, the Guidelines could form
a basis for agreements on specific issues related to international
cryptography policy. The Guidelines will soon be published as an OECD
document for broad distribution to promote awareness and public discussion
of the issues and policies related to cryptography.

               Journalists interested in a briefing should contact the
Communications Division. For further information and inquiries, please
contact the Information, Computer and Communications Policy Division (fax
(33) 01 45 24 93 32).
