[1016] in cryptography@c2.net mail archive
Re: ALERT: Senate to vote on mandatory key escrow as early as Thu June 19!
daemon@ATHENA.MIT.EDU (Phil Karn)
Wed Jun 18 21:40:52 1997
Date: Wed, 18 Jun 1997 16:41:48 -0700 (PDT)
From: Phil Karn <karn@qualcomm.com>
To: shabbir@vtw.org
CC: cryptography@c2.net, karn@qualcomm.com
In-reply-to: <199706180606.CAA22098@panix3.panix.com> (shabbir@vtw.org)

A few more comments on the McCain/Kerrey bill, now that I've finished reading
the whole thing.

It does seem that the authors are rather unclear on some of the basic
concepts of public key cryptography. For example:

>SEC. 405. PUBLIC KEY CERTIFICATES FOR ENCRYPTION KEYS.
>The Secretary or a Certificate Authority for Public Keys registered
>under this Act may issue to a person a public key certificate that
>certifies a public key that can be used for encryption only if the
>person:
>(1) stores with a Key Recovery Agent registered under this Act
>sufficient information, as specified by the Secretary in regulations,
>to allow timely lawful recovery of the plaintext of that person's
>encrypted data and communications; or

Apparently the CA is being held responsible for the actions (or
inactions) of his users. Presumably they meant that the CA wouldn't
issue the certificate until it (acting as Recovery Agent) has received
some sort of secret key recovery info, or received confirmation of
this from another Recovery Agent.

But even a public key certificate that is supposedly usable only for
authentication can serve as a building block in a confidentiality
system. Many key exchange systems already do this. For example, the
Diffie-Wiener-van Oorschot Station to Station Protocol and its many
variations all use a digital signature function to sign an ephemeral
Diffie-Hellman key exchange to guard against a man-in-the-middle
attack. The result is an unescrowed session key usable for
encryption. There is no way the CA can prevent this use of the public
key certificates it issues, even if the algorithm implied by the
certificate theoretically supports only digital signatures (e.g.,
DSA).

And here's another oddity:

>SEC. 407. CRIMINAL ACTS.
>(2) any person to intentionally issue what purports to be a public key
>certificate issued by a certificate authority registered under this
>Act when such person is not a certificate authority registered under
>this Act;

Perhaps they had in mind somebody who claims to be a registered CA
when he's not. But wouldn't it be easier for the government to simply
publish the public keys of registered CAs? Then it would be impossible
for somebody to issue what appears to be a certificate issued by a
registered CA, because it would be straightforward to verify it
against the government list.

And then there's Section 302, deregulating exports of 56-bit DES. The
DESCHALL announcement couldn't have been better timed...

Phil
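
The signed ephemeral key exchange described in the message above, as an added example that is not part of the original e-mail: each party holds only a signature key, signs the pair of ephemeral Diffie-Hellman values, and both sides end up with a session key that no third party ever held. Assumptions: Ed25519 and X25519 from the Go standard library stand in for DSA and classic Diffie-Hellman, the `Party` type and its methods are illustrative names, and the full Station-to-Station protocol's encryption of the signatures under the session key is omitted.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party (illustrative): long-term signature-only key plus a per-session, unescrowed DH key.
type Party struct {
	ID   ed25519.PublicKey // what a CA would certify: usable only to verify signatures
	sign ed25519.PrivateKey
	eph  *ecdh.PrivateKey // generated fresh for each session
}
func NewParty() *Party {
	pub, priv, err1 := ed25519.GenerateKey(rand.Reader)
	eph, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Party{pub, priv, eph}
}
func (p *Party) Eph() *ecdh.PublicKey { return p.eph.PublicKey() }
// Auth signs (own ephemeral || peer ephemeral) with the signature-only key.
func (p *Party) Auth(peer *ecdh.PublicKey) []byte {
	return ed25519.Sign(p.sign, append(p.Eph().Bytes(), peer.Bytes()...))
}
// Finish verifies the peer's signature, then derives the session key.
func (p *Party) Finish(id ed25519.PublicKey, peer *ecdh.PublicKey, sig []byte) ([]byte, error) {
	if !ed25519.Verify(id, append(peer.Bytes(), p.Eph().Bytes()...), sig) {
		return nil, errors.New("bad signature on ephemeral value")
	}
	secret, err := p.eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}

func main() {
	a, b := NewParty(), NewParty()
	ka, errA := a.Finish(b.ID, b.Eph(), b.Auth(a.Eph()))
	kb, errB := b.Finish(a.ID, a.Eph(), a.Auth(b.Eph()))
	fmt.Printf("A: %x %v\nB: %x %v\n", ka, errA, kb, errB)
}
```

The signature check in `Finish` is what guards against a man-in-the-middle: an ephemeral value signed by anyone other than the certified peer is rejected before a key is derived.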