The proposal, called a "decret d'application," is a prime ministerial decree scheduled to be issued after the Telecommunications Reform Act of July 27, 1996. In France, a law only takes effect after the government signs it as a decree.
The decree will define the business conditions of future "trusted third party" (TTP) systems -- in French referred to as "tiers de confidentialite," or a "privacy third party" -- and stresses the difference between the two basic encryption applications: digital signature and privacy. These agents will have the role of electronic notaries, keeping crypto keys in custody for law enforcement or national intelligence purposes.
This bulletin has also learned that French authorities won't impose the "key recovery" scheme as a "mandatory" one. Yet it seems clear that a company will not be able to do business-as-usual if its encryption systems aren't certified by TTPs.
Is this good news for individual users? It's not certain: The law says that crypto is legal *only* if keys are kept in custody. Key custody won't be mandatory -- however, if you are caught using PGP, it could be considered a criminal offense.
The letter (see it in French also) obtained by the press is signed by Jean-Claude Jouas, president of the computer security think tank CLUSIF, and addressed to General Jean-Louis Desvignes, head of the SCSSI. The CLUSIF represents security-related executives from large French companies (some of which are state-owned, such as Bull and Thomson) and also from private consultancies. The SCSSI decided, after intense lobbying, to meet the industry think tank -- which strongly suggests that the CLUSIF saw the closed-door draft decree.
Stephane Bortzmeyer, speaking for the French Internet Users Association, says: "We'll need more than these suggestions for allowing a reasonable use of crypto. For instance, the international exchanges case is simple: either PGP or SSH use are legal, or people [in France] won't be able to subscribe to CERT mailing lists." This is because CERT urges its participants to encrypt their communications (for integrity reasons).
In terms of certification, the public can understand that certifying TTPs is meant to protect the user from illegal duplication of private encryption keys, and thus to help prevent illegal interception of communications. If such certification procedures are not scheduled in the draft, people could take that as one more reason to distrust the scheme.
Epilogue: The SCSSI says the final decree could be published by the end of this month. Lambda personal bet: It might be published on Friday, December 27th. (The previous crypto legislation, in 1990, was passed as law on December 29 -- and the decrees for it were officially signed in 1992, on December 28.)
Translation help - K. N. Cukier