[450] in cryptography@c2.net mail archive
Re: Analysis of proposed UK ban on use of non-escrowed crypto.
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Apr 1 21:06:34 1997
To: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 23 Mar 1997 22:24:15 +0000 (GMT)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Cc: cypherpunks@cyberpass.net, cryptography@c2.net, trei@process.com,
ttp.comments@ciid.dti.gov.uk, rja14@cl.cam.ac.uk, aba@dcs.ex.ac.uk
In-Reply-To: <199703220147.BAA01386@server.test.net> from "Adam Back" at Mar 22, 97 01:47:44 am
Reply-To: ben@algroup.co.uk

I've also spent several hours reading the document, and have some comments
on the comments below ;-)

Adam Back wrote:
> : * Use of licensed TTPs is voluntary - those wishing to do otherwise
> : are at liberty to do so - The market will decide if it wants to use
> : TTP services and not Government. The Government believes that the
> : benefits of this scheme will far outweigh any others. Of course
> : those wishing to use any other cryptographic solutions can continue
> : to do so, but they will not be able to benefit from the convenience,
> : and interoperability of licensed TTP services.
>
> Which on first reading seems to say that you don't have to use TTPs.
>
> However re-reading the above in the light of this (whoah!):
>
> : The legislation will provide that bodies wishing to offer or provide
> : encryption services to the public in the UK will be required to
> : obtain a licence. The legislation will give the Secretary of State
> : discretion to determine appropriate licence conditions.
>
> This seems to imply an outright ban on use of non-escrowed crypto,
> regressing UK crypto policy to a similar dark ages view as countries
> like Iraq, and Iran. The fact that the licensing conditions will be
> decided at the Secretary of State's "discretion" is also in line with
> Iraq, Iran, dictator style.

This may be unduly pessimistic. In paragraph 74, "Encryption services" are
defined to be:

    ... any service ... which involves ... key management, key recovery, key
    certification, key storage, message integrity ... key generation, time
    stamping or key revocation services ...

The key[1] word here is "service". Providing software which does encryption is
not one of the services mentioned. Of course, these may be weasel words.

I suspect that the intent is more liberal than we fear, but we should stress
the importance of making these distinctions clear.

I also think that an important omission is the individual right to sign
another's key, regardless of licensing. So long as one doesn't purport to make
this service available to the public, it should be made clear that this is an
OK thing to do.

The danger of abuse of TTPs is also a major point. We should make noise about
that.

Cheers,

Ben.

[1] Pardon the pun.

--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author