[437] in cryptography@c2.net mail archive

Re: Analysis of proposed UK ban on use of non-escrowed crypto.

daemon@ATHENA.MIT.EDU (Kent Crispin)
Tue Apr 1 18:12:20 1997

Date: Mon, 24 Mar 1997 02:19:00 -0800
From: Kent Crispin <kent@songbird.com>
To: ben@algroup.co.uk
Cc: Kent Crispin <kent@songbird.com>, aba@dcs.ex.ac.uk,
        cypherpunks@cyberpass.net, cryptography@c2.net, trei@process.com,
        ttp.comments@ciid.dti.gov.uk, rja14@cl.cam.ac.uk
In-Reply-To: <9703240902.aa17508@gonzo.ben.algroup.co.uk>; from Ben Laurie on Mon, Mar 24, 1997 at 09:02:23AM +0000

On Mon, Mar 24, 1997 at 09:02:23AM +0000, Ben Laurie wrote:
> Kent Crispin wrote:
> > You need to revise your knowledge: NorTel's "Entrust" product does key
> > escrow, and has been on the market for some time.  It has FIPS (US
> > Federal Information Processing Standard) certification.  Signing and
> > encrypting keys are separated: only encryption keys are escrowed.  The
> > intended market is the large enterprise. 
> 
> Just because someone implements it, it doesn't mean it works - look at X.500,
> for example. There are obvious pressures in the US to implement key escrow
> whether it works or not.
> 
> I haven't seen the specs for Entrust, though - are they available?

www.entrust.com

In fact, Entrust uses X.509 certs, in an X.500 directory service. 
However, that is a hidden detail.  They only really require a database
running on a secure machine to store the keys.  Externally they use an
LDAP interface.  They are very closely monitoring standards in this
area.  The directory service works fine for this purpose -- it is vast
overkill, but it doesn't matter. 

Indeed, I don't know why you think key escrow is hard to implement -- 
it strikes me as one of those things that people like to think of as 
hard to do, because they don't like it, but in fact it's not that 
hard at all.

Entrust is already in wide use -- I always hesitate to make judgements
like this, but it gives every appearance of actually being a good,
competently done product.  The client is like a spiffed up PGP,
connected to a central, enterprise-wide certificate authority.
CAs can be cross certified...key revocation is sensibly dealt with, 
etc, etc.  They just thought about the problems and came up with 
reasonable solutions.

Like it or not, businesses like -- no, *need* -- key escrow -- company
secrets can't go down the drain because someone gets hit by a truck. 

-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com,kc@llnl.gov		the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html
