
Austrian Comments on the “November Draft” of the OECD Cryptography Guidelines

[71] Both brackets should be adopted. The Item should read:

[71] WHETHER ESTABLISHED BY CONTRACT OR LEGISLATION, THE LIABILITY OF INDIVIDUALS AND ENTITIES THAT OFFER CRYPTOGRAPHIC SERVICES, HOLD OR ACCESS CRYPTOGRAPHIC KEYS SHOULD BE CLEARLY DEFINED.

[72] Adopt the first bracket [including consumer protection,], delete the second bracket, but adopt the word “users” instead of “private parties”. Delete the third bracket [, including a government entity,], adopt the fourth [of any party] and fifth bracket [either]. Delete the sixth bracket [explicit]. Adopt the seventh [or any third party that has legitimate contact with keys] and eighth [can] bracket. Adopt the ninth bracket [access], and delete the tenth [request].

[72] Subject to government legislation designed to protect public interests, including consumer protection, users are free to establish, by prior agreement, the liability of individuals and entities who hold or have access to cryptographic keys. The liability of any party that holds cryptographic keys on behalf of another, or which gains access to cryptographic keys of another should be made clear, by contract and, where appropriate, by either national legislation or international agreement. The liability of users for misuse of their own keys should also be made clear. A keyholder or any third party that has legitimate contact with keys can not be held liable for providing cryptographic keys or plaintext of encrypted data in accordance with lawful access. The party that obtains lawful access should be liable for misuse of cryptographic keys that it has obtained.

This principle should remain as proposed.

[74] Adopt the text in brackets. The Item should read:

[74] Aspects of cryptography policy which should be harmonised at the international level include regulation and certification of keyholders or key management systems, mutual recognition of digital signatures, conditions of lawful access, requirements for privacy protection, and government controls or regulations placed on cryptographic methods, including their import, export and use.

[75] This item should be adopted. The first bracket [Member countries should avoid unnecessary hindrances to international availability of high quality cryptographic products.] should be deleted, the second [merely on the basis of cryptography policy] adopted. Austria proceeds on the assumption that this Item also addresses export restrictions. If not, Austria proposes an extra clause which prohibits export restrictions merely on the basis of cryptography policy. The Item should read:

[75] In order to avoid creating artificial obstacles to international trade, member countries should avoid developing laws, policies and practices which create unjustified obstacles to global electronic commerce. No government should impede the free flow of encrypted data through its national boundaries merely on the basis of cryptography policy.