Re: Will Price (NAI employee) on KRA

[John Young <jya@pipeline.com>]

Forwarded:

To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Escrow - news
Date: Sat, 14 Nov 1998 15:42:26 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
:

Will Price writes:

> NAI being listed on the KRA page is *solely* a result of our TIS
> acquisition

On his most recent speaking tour of Europe, at which he promoted 
PGP v 6, Phil Zimmermann assured us categorically that NAI had at
his insistence withdrawn from the KRA.

It now appears that either (1) he lied to us (2) he was himself
lied to by NAI management or (3) NAI has rejoined.

> I really doubt anyone here actually called some KRA person and 
> officially renewed our membership.  Frankly, I doubt anyone
> here actually knows who to talk to there -- if there even is a
> "there".

You marketed version 6 of your product on the back of a claim that
you'd left the KRA. Yet NAI is now listed on the KRA website as a
member, and this is clearly doing your product material harm. Either
it's not true that you're a member, in which case your lawyers will be
able to extract so much money from KRA that it goes out of business,
whereupon the world will cheer and buy your product, or it is true, in
which case the damage will continue.

There is a deeper issue for the community here. For many years we have
tended to trust products because we know the technical people
involved. This has been the foundation for trust of other kinds. For
example, some years ago, a certain country's foreign ministry asked me
for a reference on Entrust prior to buying their products; my response
was that I knew both Paul van Oorschot and Mike Wiener, and in my
opinion they were both very competent. As a result of this, purchasing
decisions may have been taken with a significant effect on national
intelligence, economic competitiveness and even military preparedness.
As the country in question is a NATO member, its diplomatic comsec (or
lack of it) affects the UK directly.

Now, in one weekend, we have two cases where assurances from credible
technical people turned out to be unsatisfactory. Where does that
leave us?

Since I gave that reference for Entrust, the University here has
tightened up on liability. We must take care not to give references
that are untruthful or even misleading. We are urged to err on the
side of caution. So next time a foreign ministry asks me whether
Entrust products are kosher, I probably have to reply:


`You cannot prudently trust any third party to sell you trustworthy
comsec products. Recall Britain's selling old Enigmas to allies in the
Commonwealth; think of the fuss over red-threading; check out the
trapdoor in Sesame; and read up on key escrow. The only way you can
get good kit is if you build it yourself.  If you don't have the
skills, then I suggest you get some bright graduates to check out our
PhD programme - see <http://www.cl.cam.ac.uk/UoCCL/research/>'

A very traditional view of the world. Has nothing really changed since
the 1960's?

Ross

----------

Date: Sat, 14 Nov 1998 14:55:45 GMT
Message-Id: <199811141455.OAA30151@server.eternity.org>
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Subject: Will Price (NAI employee) on KRA

This comment on NAI's KRA(P) membership by Will Price
<wprice@pgp.com>, a crypto type who works for PGP was forwarded to the
ukcrypto list by Ian Goodyer (uk-crypto list admin).  Not sure where
it was posted originally, or perhaps Will asked Ian to forwarded it.

Adam

------- Start of forwarded message -------
Date: Sat, 14 Nov 1998 11:43:07 +0000
To: ukcrypto@maillist.ox.ac.uk
From: "Ian D. Goodyer" <goodyer@well.ox.ac.uk>
Subject: Re: Escrow - news

Here is a response from Will Price who was formally from PGP inc and now of
course is with NAI.   ian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've commented about this on this list before I believe.  This appears
to be a case of really old news suddenly being dredged up for no
apparent wholesome reason -- which strikes me as quite odd because
Wired was apparently so eager to break this ancient story that they
didn't wait to ask anyone from NAI about it.

NAI being listed on the KRA page is *solely* a result of our TIS
acquisition.  I really doubt anyone here actually called some KRA
person and officially renewed our membership.  Frankly, I doubt anyone
here actually knows who to talk to there -- if there even is a
"there".  As I have said before, due to the TIS acquisition, NAI now
has a bunch of products which contain key escrow features. 
Eliminating or modifying these features such that they work in a less
big brother-like fashion will take significant time -- indeed entire
TIS products were based around managing key escrow infrastructures. 
Don't get me wrong, TIS had a lot of other great products, but it will
take time to redesign and rethink some of them in the context of
export and key escrow.  I'm not sure there's much point in withdrawing
from KRA when those products still exist.

These issues have no effect whatsoever on the PGP group.  As always,
we continue to publish full source code which effectively solves all
the export issues for us.


Robert Guerra wrote:
> I just picked this up from another mailing list that I am on.
Perhaps the
> folks at NAI can clarify things?
> 
> - ---------- Forwarded message ----------
> Date: Fri, 13 Nov 1998 10:55:06 +0000
> From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
> To: ukcrypto@maillist.ox.ac.uk
> Subject: Escrow - news
> 
> (1) Network Associates has quietly rejoined the Key Recovery
Alliance
> - - see http://www.kra.org.

- -- Will
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBNkySo6y7FkvPc+xMEQIuygCfYosXGISVrKd4dYWwM8xOrVdd4WAAn3dT
XvDG6FMapZpjmvjucF67fwM5
=xa+R
-----END PGP SIGNATURE-----


Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct  (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>

PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=getsearch=0xCF73EC4C>
------- End of forwarded message -------