
Re: Copy of: UK TTP Paper - For Your Information



-----BEGIN PGP SIGNED MESSAGE-----

On Mon, 12 May 1997 [email protected] wrote:

> As further discussed in the answer to question 4, we can 
> confirm that we do not propose that the user be required to escrow his 
> private signature key (however generated) with a TTP. 
[snip]
> If, however, the TTP either generates the 
> confidentiality key pair for a user,  or, for example, certifies a 
> self-generated public key for confidentiality, then escrow of the 
> associated private key would be required under our proposals. 

This doesn't make much sense to me. If I were to use such a UTP[*]
then I'd simply get my signature key authenticated and then use that to
sign all my encryption keys rather than getting the UTP to sign them. So 
I'd get the benefits of a recognized authentication on my keys without 
having to worry about key surrender to governments. We don't _need_ to
have anyone authenticate our encryption keys, just the signature keys.

Or am I missing something? (Other than the obvious fact that this is just
the thin end of the wedge)

- -- HP

[*] UTP == Untrusted Third Party


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Charset: noconv

-----END PGP SIGNATURE-----
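
The trust chain described in the reply above, as an added example that is not part of the original message: the third party certifies only the user's signature key, the user then signs their own encryption key, and a verifier checks both links. Lamport one-time hash signatures stand in for PGP signature keys so the sketch runs on the Python standard library alone; the "HP" identity label, the message prefixes and the random placeholder encryption key are assumptions made for illustration.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. Each key must sign only one message.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def encode(pk):
    return b"".join(h for pair in pk for h in pair)

def build_chain():
    ttp_sk, ttp_pk = keygen()      # third party's certification key
    user_sk, user_pk = keygen()    # user's self-generated signature key
    # Link 1: the third party certifies the signature key only.
    cert = sign(ttp_sk, b"sig-key:HP:" + encode(user_pk))
    # Constructed placeholder for a self-generated encryption public key;
    # its private half never leaves the user in this flow.
    enc_pub = secrets.token_bytes(32)
    # Link 2: the user binds the encryption key with their own signature key.
    binding = sign(user_sk, b"enc-key:HP:" + enc_pub)
    return ttp_pk, user_pk, cert, enc_pub, binding

def check_chain(ttp_pk, user_pk, cert, enc_pub, binding):
    # A correspondent needs only the third party's public key to check both links.
    return (verify(ttp_pk, b"sig-key:HP:" + encode(user_pk), cert)
            and verify(user_pk, b"enc-key:HP:" + enc_pub, binding))
```
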