[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Nightmare Scenario: Public Key Distribution Controlled



Tim wrote:

> "Distribute a key, go to prison."

> How does the New World Order limit the use of strong crypto without "key
> recovery" when so many copies of older, pre-ban crypto are already out
> there?

> Simple, by declaring that public keys themselves are crypto material, as
> the Brits did in their Trusted Third Parties draft proposal, and hence
> declaring that distribution of keys after the effective date of the
> legislation constitutes a violation. Give someone your key, either by
> placing it on keyservers or even by mailing it to them, and one has just
> "distributed" crypto.

> This will make the public key infrastructure essentially useless, as the
> public key servers go down, as corporations yank any directories they may
> have, and (possibly) as individuals stop putting PGP or S/MIME fingerprints
> or pointers in their messages.

> How possible is this? Recall that the British proposal formally classified
> key material, the keys themselves, as cryptographic products. The language
> of the current unSAFE and Procto-CODE draconian bills, still changing of
> course as committees rewrite them to be more Big Brotherish, is vague on
> what constitutes crypto.


I agree with the gist of this nightmare view, but don't think it describes
the British TTP proposal very well.


   140 These proposals - aimed at facilitating the provision of secure
   141 electronic commerce - are being brought forward against a background

               ha ha ha 

  1122   Encryption services_ is meant to encompass any service, whether
  1123     provided free or not, which involves any or all of the following
  1124     cryptographic functionality - key management, key recovery, key
  1125     certification, key storage, message integrity (through the use of
  1126     digital signatures) key generation, time stamping, or key
  1127     revocation services (whether for integrity or confidentiality),
  1128     which are offered in a manner which allows a client to determine a
  1129     choice of cryptographic key or allows the client a choice of
  1130     recipient/s.

My giving you my key does not provide you with 'choice of cryptographic key or
...  recipient/s' as I read it.  But if I signed your key and distributed it,
that would probably be a certification service (to you) in which you had
chosen the key to be signed.  Also if I gave you 2 keys of mine I think
that would be banned, because you'd have a choice.  This certainly does
discourage effective use, but I don't think the current wording is quite
so dire as to outlaw distribution of a single key.  I'd also say that when
an ISP carries my emailed key to someone they are providing a transport
service, and not a cryptographic one.

The 'or allows the client a choice of recipient/s' looks to me like a direct
reference to remailers.

As to signing non-key material; a service would be if someone I know brought
something (a photo for me to certify true likeness, a will for me to witness
their signature ...) and I signed it for him to indicate something to others.
Signing my outgoing letters is not normally considered a service.  My checking
the signatures on my incoming mail is probably not a service, even if it forms
part of the decision on whether to reply.

As to self-signing a key; it may be permitted following the model of the
above paragraph, or not.  I believe the proposal is deliberately vague for
FUD - and is bad law, regardless of the bad content.  I mentioned the
difficulty of deciding exactly what would be banned by this proposed law
in my article: "Ruritania Discovers Motor Transport".  Check the ar...BANG



--
##############################################################
# Antonomasia   [email protected]                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################