[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UK govt. to ban PGP (was Re: UK TTP Paper)




John Young <[email protected]> forwards from Cyberia-L:
: 
: Making absolutely no comment on the subject of licensing of certification
: authorities, you may be interested in a UK paper entitled LICENSING OF
: TRUSTED THIRD PARTIES FOR THE PROVISION OF ENCRYPTION SERVICES - Public
: Consultation Paper on Detailed Proposals for=20
: Legislation, March 1997.
: 
: You can obtain a full document at http://www.dti.gov.uk/pubs.

Ross Anderson <[email protected]> posted his interpretation of this
to sci.crypt, alt.security.pgp, alt.security today, which I think
cypherpunks might find eye opening, I'm off to read the doc myself
now.

: From: [email protected] (Ross Anderson)
: Newsgroups: alt.security.pgp,alt.security,sci.crypt
: Subject: UK Government to ban PGP - now official!
: Date: 21 Mar 1997 10:07:22 GMT
: Message-ID: <[email protected]>
: 
: 
: The British government's Department of Trade and Industry has sneaked 
: out proposals on licensing encryption services. Their effect will be to 
: ban PGP and much more besides.
: 
: I have put a copy on http://www.cl.cam.ac.uk/users/rja14/dti.html as
: their own web server appears to be conveniently down.
: 
: Licensing will be mandatory:
: 
:       We intend that it will be a criminal offence for a body to offer 
:       or provide licensable encryption services to the UK public without 
:       a valid licence
: 
: The scope of licensing is broad:
: 
:       Public will be defined to cover any natural or legal person in the UK.
: 
:       Encryption services is meant to encompass any service, whether provided 
:       free or not, which involves any or all of the following cryptographic 
:       functionality - key management, key recovery, key certification, key 
:       storage, message integrity (through the use of digital signatures) key 
:       generation, time stamping, or key revocation services (whether for
:       integrity or confidentiality), which are offered in a manner which 
:       allows a client to determine a choice of cryptographic key or allows 
:       the client a choice of recipient/s.
: 
: Total official discretion is retained:
: 
:       The legislation will provide that bodies wishing to offer or provide 
:       encryption services to the public in the UK will be required to 
:       obtain a licence. The legislation will give the Secretary of State 
:       discretion to determine appropriate licence conditions. 
: 
: The licence conditions imply that only large organisations will be able to 
: get licences: small organisations will have to use large ones to manage 
: their keys (this was the policy outlined last June by a DTI spokesman).
: The main licence condition is of course that keys must be escrowed, and
: delivered on demand to a central repository within one hour. The mere
: delivery of decrypted plaintext is not acceptable except perhaps from 
: TTPs overseas under international agreements.
: 
: The effect of all this appears to be:
: 
: 1.    PGP servers will be outlawed; it will be an offence for me to sign 
:       your pgp key, for you to sign mine, and for anybody to put my 
:       existing signed PGP key in a foreign (unlicensed) directory
: 
: 2.    Countries that won't escrow, such as Holland and Denmark, will be
:       cut out of the Superhighway economy. You won't even be able to
:       send signed medical records back and forth (let alone encrypted
:       ones)
: 
: 3.    You can forget about building distributed secure systems, as even
:       relatively primitive products such as Kerberos would need to have
:       their keys managed by a licensed TTP. This is clearly impractical.
:       (The paper does say that purely intra-company key management is 
: OK
:       but licensing is required whenever there is any interaction with
:       the outside world, which presumably catches systems with mail, web 
:       or whatever)
: 
: There are let-outs for banks and Rupert Murdoch:
: 
:       Encryption services as an integral part of another service (such as in 
:       the scrambling of pay TV programmes or the authentication of credit 
:       cards) are also excluded from this legislation. 
: 
: However, there are no let-outs for services providing only authenticity and
: nonrepudiation (as opposed to confidentiality) services. This is a point that
: has been raised repeatedly by doctors, lawyers and others - giving a police
: officer the power to inspect my medical records might just conceivably help
: him build a case against me, but giving him the power to forge prescriptions
: and legal contracts appears a recipe for disaster. The scope for fraud and
: corruption will be immense.
: 
: Yet the government continues to insist on control of, and access to, signing 
: keys as well as decryption keys. This shows that the real concern is not
: really law enforcement at all, but national intelligence.
: 
: Finally, there's an opportunity to write in and protest:
: 
:       The Government invites comments on this paper until 30 May 1997 
: 
: 
: Though if the recent `consultation' about the recent `government.direct'
: programme is anything to go by, negative comments will simply be ignored.
: 
: Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
: protocol (see http://www.cs.berkeley.edu/~daw/GCHQ/casm.htm) that is broken
: (see http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.ps.gz).
: 
: In Grey's words, ``All over Europe, the lights are going out''
: 
: Ross

Adam

-- 
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`