RE: key escrow compromise

[Paul Koning 1695 <pkoning@chipcom.com>]

Quoting: "Vladimir Z. Nuri" <vznuri@netcom.com>
>I tend to agree with Clark in only one regard: the government is going
>to get into the key storage/retrieval business in some form or another
>eventually & inevitably; it's just not stoppable.

Well, I would tend to disagree.  If PGP weren't out, you might conceivably
have a point.  Given that it is out, are you suggesting that the NSA would
be able to make all copies of it go away?  And all copies of PEM?
And everyone else's encrypted Email programs including all those
available from many other countries?  Shutting down the Internet
completely wouldn't be a sufficient measure to make that happen.

>the aspect
>that is up for grabs is whether these systems will be *mandatory* for
>all private communication.

I remember some clear statements that this is the goal, as should be
obvious, since any smaller goal doesn't make any sense.

>here's a quick idea. the post office is getting into
>certification authorization come hell or high water (ETA summer, 96).
>now, frankly I think this is a good thing. someday we will need some kind
>of legal agency to deal with citizen keys, so that we could have
>cryptographic dealings with federal agencies such as the motor
>vehicles department, etc.

Well, I don't know why a government agency that calls itself a 
non-government
agency one minute and hides underneath special government
monopoly privileges should be given yet another special
privilege, but anyway... yes, clearly at some point we will need
certification that will make digital signatures useable.

However, that has NO connection with GAK, and in fact is a strong
argument against it.  If the government has access to my keys, then
why should anyone trust my signature?  Conversely, certification
for digital signatures involves making statements about the validity
of PUBLIC keys, and imposes NO requirement on private keys.

     paul