[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
UK govt. to ban PGP (was Re: UK TTP Paper)
John Young <[email protected]> forwards from Cyberia-L:
:
: Making absolutely no comment on the subject of licensing of certification
: authorities, you may be interested in a UK paper entitled LICENSING OF
: TRUSTED THIRD PARTIES FOR THE PROVISION OF ENCRYPTION SERVICES - Public
: Consultation Paper on Detailed Proposals for=20
: Legislation, March 1997.
:
: You can obtain a full document at http://www.dti.gov.uk/pubs.
Ross Anderson <[email protected]> posted his interpretation of this
to sci.crypt, alt.security.pgp, alt.security today, which I think
cypherpunks might find eye opening, I'm off to read the doc myself
now.
: From: [email protected] (Ross Anderson)
: Newsgroups: alt.security.pgp,alt.security,sci.crypt
: Subject: UK Government to ban PGP - now official!
: Date: 21 Mar 1997 10:07:22 GMT
: Message-ID: <[email protected]>
:
:
: The British government's Department of Trade and Industry has sneaked
: out proposals on licensing encryption services. Their effect will be to
: ban PGP and much more besides.
:
: I have put a copy on http://www.cl.cam.ac.uk/users/rja14/dti.html as
: their own web server appears to be conveniently down.
:
: Licensing will be mandatory:
:
: We intend that it will be a criminal offence for a body to offer
: or provide licensable encryption services to the UK public without
: a valid licence
:
: The scope of licensing is broad:
:
: Public will be defined to cover any natural or legal person in the UK.
:
: Encryption services is meant to encompass any service, whether provided
: free or not, which involves any or all of the following cryptographic
: functionality - key management, key recovery, key certification, key
: storage, message integrity (through the use of digital signatures) key
: generation, time stamping, or key revocation services (whether for
: integrity or confidentiality), which are offered in a manner which
: allows a client to determine a choice of cryptographic key or allows
: the client a choice of recipient/s.
:
: Total official discretion is retained:
:
: The legislation will provide that bodies wishing to offer or provide
: encryption services to the public in the UK will be required to
: obtain a licence. The legislation will give the Secretary of State
: discretion to determine appropriate licence conditions.
:
: The licence conditions imply that only large organisations will be able to
: get licences: small organisations will have to use large ones to manage
: their keys (this was the policy outlined last June by a DTI spokesman).
: The main licence condition is of course that keys must be escrowed, and
: delivered on demand to a central repository within one hour. The mere
: delivery of decrypted plaintext is not acceptable except perhaps from
: TTPs overseas under international agreements.
:
: The effect of all this appears to be:
:
: 1. PGP servers will be outlawed; it will be an offence for me to sign
: your pgp key, for you to sign mine, and for anybody to put my
: existing signed PGP key in a foreign (unlicensed) directory
:
: 2. Countries that won't escrow, such as Holland and Denmark, will be
: cut out of the Superhighway economy. You won't even be able to
: send signed medical records back and forth (let alone encrypted
: ones)
:
: 3. You can forget about building distributed secure systems, as even
: relatively primitive products such as Kerberos would need to have
: their keys managed by a licensed TTP. This is clearly impractical.
: (The paper does say that purely intra-company key management is
: OK
: but licensing is required whenever there is any interaction with
: the outside world, which presumably catches systems with mail, web
: or whatever)
:
: There are let-outs for banks and Rupert Murdoch:
:
: Encryption services as an integral part of another service (such as in
: the scrambling of pay TV programmes or the authentication of credit
: cards) are also excluded from this legislation.
:
: However, there are no let-outs for services providing only authenticity and
: nonrepudiation (as opposed to confidentiality) services. This is a point that
: has been raised repeatedly by doctors, lawyers and others - giving a police
: officer the power to inspect my medical records might just conceivably help
: him build a case against me, but giving him the power to forge prescriptions
: and legal contracts appears a recipe for disaster. The scope for fraud and
: corruption will be immense.
:
: Yet the government continues to insist on control of, and access to, signing
: keys as well as decryption keys. This shows that the real concern is not
: really law enforcement at all, but national intelligence.
:
: Finally, there's an opportunity to write in and protest:
:
: The Government invites comments on this paper until 30 May 1997
:
:
: Though if the recent `consultation' about the recent `government.direct'
: programme is anything to go by, negative comments will simply be ignored.
:
: Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
: protocol (see http://www.cs.berkeley.edu/~daw/GCHQ/casm.htm) that is broken
: (see http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.ps.gz).
:
: In Grey's words, ``All over Europe, the lights are going out''
:
: Ross
Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`