[3640] in cryptography@c2.net mail archive


Re: DCSB: Risk Management is Where the Money Is; Trust in Digital Comm

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Nov 13 12:09:23 1998

Date: Fri, 13 Nov 1998 09:45:57 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Enzo Michelangeli <em@who.net>
CC: cryptography@c2.net

Enzo Michelangeli wrote:
> 
> -----Original Message-----
> From: Anonymous <nobody@replay.com>
> Date: Thursday, November 12, 1998 4:42 AM
> 
> [...]
> >> There is one potential fly in this ointment, and I do not intend to
> >> dwell on it, but I cannot get this far and not mention the threat to
> >> strong security apparati of having them undermined by key escrow.
> >
> >This is a red herring.  The main issues in electronic commerce are
> >authentication and authorization, not secrecy and encryption.  The latter
> >points can be important, but they are not crucial for commerce to proceed
> >in the way that binding contractual commitments are.  Key escrow does not
> >apply to signature keys.  No proposal for key escrow asks for signature
> >keys to be escrowed.  Only encryption keys are escrowed.
> 
> Alas, the latest proposals by the Department of Trade and Industry in UK are
> to extend legal protection only to digital signatures whose keys are
> escrowed with OFTEL (the UK Govt. telecom regulator). See:
> http://omnisite.liberty.org.uk/cacib/artview.php3?currentgroup=3&pid=12&type=resources

Actually, not. Even the DTI aren't quite that mad. If you want to be a
licenced CA you have to escrow any encryption keys you get your hands
on, not signing keys. Legal protection will be given only to signatures
made with keys lodged with licenced CAs.

> Note: OFTEL is a branch of the executive, NOT of the judiciary... To make it
> worse, the keys can be obtained by a "senior police officer" (whatever that
> may mean), and tipping off someone that his/her key has been obtained by the
> police will constitute a criminal offense. Be ready to pay for purchases made
> by some crooked cop...

Note that none of this has actually happened yet. Also OFTEL is being
touted as the issuer of licenses, not the escrower of keys.

> I wonder if they have read Rivest's paper on chaffing and winnowing, and
> concluded that after all also digital signatures are highly subversive...

Close, but no cigar.

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
