
NAI(L) in PGPs coffin (Re: network associates back in kra)

Steve Mynott writes:
> subject says it all
> 
> roll on gpg

NAI rejoining KRAP would be something of a gift for any competitors of
PGP producing PGP compatible replacements if there were any serious
contenders.

Or perhaps for S/MIME vendors, if they weren't already mostly KRAP
members, or pretty neutral / prone to be bribed by defense contracts,
and if S/MIME and PKIX weren't so hierarchical in design:

I'm not sure S/MIME based offerings are much of an alternative because
the hierarchical model, and ability of a CA to restrict what the end
user can use keys for (not for certification for example), and the
general inability to use clients without a cert obtained from another
KRA member -- verisign, all add up to bad news.  The whole mess can be
controlled by GAKkers via the CA, and the CAs are the target for
example of the UK GAK attempt being led by the DTI (Department of
Trade and Industry -- meant to be representing industry, but instead
trying its level best to put GCHQ / ECHELON interests ahead of
business interests, as acknowledged by DTI winning Privacy
International's hall of shame award).

To expand briefly on the UK (DTI) current proposal: it seems to be
that they are trying to stack the deck by giving signatures made with
a key certified by a UK government "licensed" CA better recognition in
law than signatures made with a key certified by an unlicensed CA.  The
licensed CA doesn't have to escrow signature keys, but if it does and
provides any service relating to confidentiality keys also, it must
also keep the private keys.  (Deliverable to GCHQ / ECHELON within 1 hr,
24 hours a day, 365 days a year -- GAK on steroids).

Someone on ukcrypto coined the phrase `licensed to leak' to express
the government coerced baggage that goes with a licensed CA.

Indeed roll on the GPG.

Adam