[2957] in cryptography@c2.net mail archive
Re: IETF building GAK into the PKI
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jul 14 14:02:39 1998
To: Ben Cox <cox@djehuti.com>
cc: cryptography@c2.net, pgut001@cs.auckland.ac.nz
In-reply-to: Your message of "Tue, 14 Jul 1998 09:48:47 EDT."
<v04011700b1d10ca9f597@[158.98.7.94]>
Reply-To: perry@piermont.com
Date: Tue, 14 Jul 1998 13:56:57 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Ben Cox writes:
> I had thought this list was not for discussion of political issues, but
> since this is already being discussed, I'd like to add my two cents.
Political issues are fine on Cryptography. Non-cryptographic stuff is
what we don't accept.
> Despite the blind assertions to the contrary which I have seen on this list
> and others, there ARE legitimate business needs for key recovery.
I will point out, however, that such needs are to recover DATA -- that
is, to make sure that if an employee is hit by a bus, you continue to
be able to get at their files. Being able to tap interactive
conversations (telnet sessions, phone calls, etc.) or electronic mail
in transit is not something business needs, or even wants. However, it
is what the feds desperately want.
We must be careful to keep in mind that almost all the proposed forms
of GAK out there have *no* business application. No business wants to
be able to tap its employees' NFS traffic and such. GAK in network
protocols is utterly useless to business.
> Organizations like banks, oil companies, telecommunications companies, etc.
> want key recovery.
They want key recovery for DATA. Not for interactive communication.
> The people who design systems like PKIX work for the companies who are
> getting those contracts (and hence, those of you "in hiring positions"
> aren't likely to see their resumes any time soon).
I think you are mistaken about what many of us do for a living. Many
of us (such as myself) are professionals who do this stuff for a
living, and most certainly *do* see the resumes of the sort of people
in question. Many of us *are* the sort of people in question.
However, just to point out, yet again:
PKIX is a public key infrastructure. Public keys are used for
interactive communication -- very rarely, if ever, are they used for
things like data storage. The result of this is that GAK is worthless
to any business in its public key infrastructure. Only the government
wants it. There is no legitimate business function here.
Perry