[2532] in cryptography@c2.net mail archive
Re: draft of my letter to Canada's Crypto Policy
daemon@ATHENA.MIT.EDU (M Taylor)
Tue Apr 21 12:24:14 1998
Date: Thu, 16 Apr 1998 22:45:54 -0300
To: Stanton McCandlish <mech@eff.org>
From: M Taylor <mctaylor@glyphmetrics.ca>
Cc: efc-talk@efc.ca, cryptography@c2.net
In-Reply-To: <199804152349.QAA08678@eff.org>
At 04:49 PM 4/15/98 -0700, Stanton McCandlish wrote:
>submitting it IC), I'm very skeptical of supporting "key management
>infrastructures". Every proposal for one I have ever seen has been a
>completely unnecessary bureacracy that simultaneously strips citizens of
...
>You don't need a government "infrastructure" (bureaucracy) for "key
>management" to do this, and the dangers of having one are severe, not to
>mention the costs and likely points of failure.
Excuse me for not making this clear originally, my letter's target is
Industry Canada and other members of the Task Force on Electronic Commerce
who would be familiar with the PKI project.
I was referring to a specific project which already underway within the
Government of Canada, the Public Key Infrastructure (PKI) is basically a
government-run Certificate Authority (CA) and "key management" (read:
data/key recovery) for the federal government itself. It is being overseen
by the ITS branch of the CSE, and more information is available from their
web site <http://www.cse.dnd.ca/cse/english/gov.html> et
<http://www.cse.dnd.ca/cse/francais/gov.html>.
Based on my personal queries to the CSE, it is not available for private
citizens or businesses as is. I suggested the cross-certification of
private industry CAs by the federal government's CA, as a means to reduce
the number of "root" CAs (within Canada) to possibly one.
BTW the PKI software being used is from Entrust Technologies, AFAIK.
I've witnessed at least one attempt to thwart the PGP web-of-trust. Since
then I feel that CAs are not useless given the preceived high level of
confidence in a digital signature. Yes this is a risk, but at a CA should
be able to reduce the risks of non-repudiation digital signatures in a
mass-market. How common is a fake driver's licence? It is possible to
create or aquire one, but it is certainly not common. I expect the same
with a CA signed public-key certificate.
-M Taylor
