[cooperation-wg] My summary of discussion on COM(2012) 238/2
Patrik Fältström
paf at frobbit.se
Sun May 19 14:15:55 CEST 2013
My summary of the discussion is positive, although when you read the below it sounds negative. Yes, I am personally worried about the proposed regulation, but that has been the case for months -- and I am more worried after the meeting on Thursday. I am, though, optimistic that the question of whether I should be worried, or no longer, can be resolved, as many people said they will now help look at the proposal. So yes, concerned, very concerned, but also happy that discussion is finally starting.

So, discussions related to the proposed regulation COM(2012) 238/2 have also started in the organisations and areas which develop protocols and operational practices for the Internet. This happened the previous week at the RIPE meeting that took place in Dublin.

After some discussions with the EU Commission it was clear they could not participate on site, but could on video. Quite irritating, I must say, that the Commission issues (the basis for) legislation that is quite specific without participating directly in the multi-stakeholder discussions that exist on these topics.

Last time I had this kind of discussion with COM it was related to the future of E.164 numbers in Europe. You can see a summary of the discussion including exchange of letters here: <http://stupid.domain.name/node/1459>

Last time I find COM did participate actively on technical matters was when Per Blixt did come to a RIPE meeting and not only participated but also listened. Andrea Glorioso, Linda Corugedo Steneberg and others have participated in discussions related to Internet Governance of course, although as much in the RIPE community as elsewhere (ICANN, EuroDIG for example).

So COM did not send a person this time either, but Andrea Servida, who is one of the main persons related to the proposed regulation, participated via a video conference. He presented and also responded to questions. Which of course was better than nothing.

My view of the situation *before* the meeting you can find here <http://stupid.domain.name/node/1674>. You can find slides used for the cooperation working group here <https://ripe66.ripe.net/programme/meeting-plan/coop-wg/>. The interesting ones are the ones from Andrea Servida and the one from Patrik Fältström named "Article 5". At <https://ripe66.ripe.net/archives/#Thursday> you can see video, transcripts and more.

In short, Andrea in my eyes confirmed the proposed regulation is not only about e-ID but much more general and related to all different kinds of validation of who one communicates with. Not only e-ID but also "what web site one communicates with". This in turn, to many in the room, has impact on the models built for the Internet at the moment using technologies like RPKI and DNSSEC, which are directions there is broad consensus about.

Due to the discussions RIPE NCC has decided to investigate whether it is true that the regulation MIGHT have impact on DNSSEC, RPKI or federated identity systems. The review will be done in a number of steps, all so that incremental results can be delivered, as there is a lack of time regarding sending feedback to the European Parliament and Council where the proposal is currently discussed.

Several country representatives (in a broad meaning), including SE, UK, DE and USA, have contacted me and asked what my position is, and as a non-lawyer of course I can not say definitely.

The good thing is that finally people do connect this proposed regulation with the Internet. Something I claim COM has not done. Because the largest problem is once again that COM has developed a text without participating in the processes that exist for technical development. This implies people do not disagree with the overall problem statement, but with the proposed solution of the problem. When then objecting, it is as if one disagrees with the problem existing.

A summary of the situation is that the solution that is proposed is that in a combination of Brussels and Member States it is explicitly decided who are to be trust providers, and further that those trust providers must be trusted for various services that require among other things age, citizenship, residency and more (once again, according to Brussels/Member States).

A different solution, which is more "modern" and also deployed, is that different systems do require different levels and kinds of security. In some areas those are called "federations". Then for each such federation there is a combined certification and accreditation process by which the providers can be approved. Parties can then trust whoever they want as long as they have passed this audit. The decision of trust stays with whoever takes the risk.

And here we have not started looking at the questions on the sovereignty the member states of the EU have in relationship with each other, and the built-in contradiction between this and the interest in free movement of goods and services.

Or the fact the proposed regulation defines for example the following terms (as found by Gordon -- thanks): electronic identification; electronic identification means; electronic identification scheme; signatory; electronic signature; advanced electronic signature; qualified electronic signature; electronic signature creation data; certificate; qualified certificate for electronic signature; trust service; qualified trust service; trust service provider; qualified trust service provider; product; electronic signature creation device; qualified electronic signature creation device; creator of a seal; electronic seal; advanced electronic seal; qualified electronic seal; electronic seal creation data; qualified certificate for electronic seal; electronic time stamp; qualified electronic time stamp; electronic document; electronic delivery service (including proof of sending or receiving the data); qualified electronic delivery service; qualified certificate for website authentication; validation data.

I have no idea whether anyone has checked the definitions of these terms to see how they match or do not match the general view in the world, and for example match the definitions used in, for example, trade discussions between the EU and USA, within OECD and/or WTO.

Anyway, at last the discussion has started, and the first answers on the landscape should come from RIPE NCC, which by that time should have read the document with a lawyer's eyes. And we can know whether we should continue to be worried, or whether this is something that indeed is not impacting what is happening on the Internet.

Patrik