[4880] in WWW Security List Archive
Re: Fwd: Britain to ban free use of crypto
daemon@ATHENA.MIT.EDU (Gene Hardesty)
Mon Mar 24 04:32:49 1997
Date: Sun, 23 Mar 1997 14:35:08 -0900
From: Gene Hardesty <geneh@surfline.ne.jp>
Reply-To: geneh@surfline.ne.jp
To: Jeremey Barrett <jeremey@veriweb.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Geez.... sounds like the British gov. is going to follow the US gov. on
crypto restrictions.... which I'm not that fond of....
Luckily, I don't live in the UK or the US.
G.
Jeremey Barrett wrote:
>
> This came across the cypherpunks list. I think this would concern
> anyone on this list.
>
> ----------------- Begin forwarded message
>
> ---------------------------------------------
> From: rja14@cl.cam.ac.uk (Ross Anderson)
> Newsgroups: alt.security.pgp,alt.security,sci.crypt
> Subject: UK Government to ban PGP - now official!
> Date: 21 Mar 1997 10:07:22 GMT
> Message-ID: <5gtmkq$7ns@lyra.csx.cam.ac.uk>
>
> The British government's Department of Trade and Industry has sneaked
> out proposals on licensing encryption services. Their effect will be to
> ban PGP and much more besides.
>
> I have put a copy on http://www.cl.cam.ac.uk/users/rja14/dti.html as
> their own web server appears to be conveniently down.
>
> Licensing will be mandatory:
>
> We intend that it will be a criminal offence for a body to offer
> or provide licensable encryption services to the UK public without
> a valid licence
>
> The scope of licensing is broad:
>
> Public will be defined to cover any natural or legal person in the
> UK.
>
> Encryption services is meant to encompass any service, whether provided
> free or not, which involves any or all of the following cryptographic
> functionality - key management, key recovery, key certification, key
> storage, message integrity (through the use of digital signatures) key
> generation, time stamping, or key revocation services (whether for
> integrity or confidentiality), which are offered in a manner which
> allows a client to determine a choice of cryptographic key or allows
> the client a choice of recipient/s.
>
> Total official discretion is retained:
>
> The legislation will provide that bodies wishing to offer or provide
> encryption services to the public in the UK will be required to
> obtain a licence. The legislation will give the Secretary of State
> discretion to determine appropriate licence conditions.
>
> The licence conditions imply that only large organisations will be able to
> get licences: small organisations will have to use large ones to manage
> their keys (this was the policy outlined last June by a DTI spokesman).
> The main licence condition is of course that keys must be escrowed, and
> delivered on demand to a central repository within one hour. The mere
> delivery of decrypted plaintext is not acceptable except perhaps from
> TTPs overseas under international agreements.
>
> The effect of all this appears to be:
>
> 1. PGP servers will be outlawed; it will be an offence for me to sign
> your pgp key, for you to sign mine, and for anybody to put my
> existing signed PGP key in a foreign (unlicensed) directory
>
> 2. Countries that won't escrow, such as Holland and Denmark, will be
> cut out of the Superhighway economy. You won't even be able to
> send signed medical records back and forth (let alone encrypted
> ones)
>
> 3. You can forget about building distributed secure systems, as even
> relatively primitive products such as Kerberos would need to have
> their keys managed by a licensed TTP. This is clearly impractical.
> (The paper does say that purely intra-company key management is OK
> but licensing is required whenever there is any interaction with
> the outside world, which presumably catches systems with mail, web
> or whatever)
>
> There are let-outs for banks and Rupert Murdoch:
>
> Encryption services as an integral part of another service (such as in
> the scrambling of pay TV programmes or the authentication of credit
> cards) are also excluded from this legislation.
>
> However, there are no let-outs for services providing only authenticity and
> nonrepudiation (as opposed to confidentiality) services. This is a point that
> has been raised repeatedly by doctors, lawyers and others - giving a police
> officer the power to inspect my medical records might just conceivably help
> him build a case against me, but giving him the power to forge prescriptions
> and legal contracts appears a recipe for disaster. The scope for fraud and
> corruption will be immense.
>
> Yet the government continues to insist on control of, and access to, signing
> keys as well as decryption keys. This shows that the real concern is not
> really law enforcement at all, but national intelligence.
>
> Finally, there's an opportunity to write in and protest:
>
> The Government invites comments on this paper until 30 May 1997
>
> Though if the recent `consultation' about the recent `government.direct'
> programme is anything to go by, negative comments will simply be
> ignored.
>
> Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
> protocol (see http://www.cs.berkeley.edu/~daw/GCHQ/casm.htm) that is broken
> (see http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.ps.gz).
>
> In Grey's words, ``All over Europe, the lights are going out''
>
> Ross
>
> ----------------- End forwarded message
>
> --
> Jeremey Barrett VeriWeb Internet Corp.
> Crypto, Ecash, Commerce Systems http://www.veriweb.com/
> PGP key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
--
My PGP public keys can be found at
http://www.geocities.com/Tokyo/5536/KeyX.txt
where X is the number (0-9).
Example: http://www.geocities.com/Tokyo/5536/Key0.txt
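An added illustration of the point Ross makes about signing keys (this is example code, not part of the original thread or the DTI paper): Alice keeps separate signing and encryption key pairs; an escrow agent handed only her decryption key can read her mail but cannot produce a signature that verifies under her signing key, whereas an agent handed the signing key produces signatures identical to hers, so the signature no longer proves who signed. Textbook RSA with small constructed primes keeps the code self-contained; the key sizes, messages and the `escrow_capabilities` helper are assumptions made for the example.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, constructed)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # Python 3.8+ modular inverse
    return (n, e), (n, d)

def digest(msg, n):
    """Hash the message and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

# Alice keeps two independent key pairs: one for signatures (authenticity,
# non-repudiation) and one for confidentiality.  Primes are constructed toy values.
ALICE_SIGN_PUB, ALICE_SIGN_PRIV = make_keypair(104729, 1299709)
ALICE_ENC_PUB, ALICE_ENC_PRIV = make_keypair(15485863, 32452843)

def escrow_capabilities(held):
    """What an escrow agent can do with the private keys in `held` (a dict
    whose values are whatever private keys were surrendered).  The agent
    tries every key it holds.  Returns (can_read, can_forge)."""
    session_key = 123456789                           # constructed plaintext
    c = encrypt(ALICE_ENC_PUB, session_key)
    can_read = any(decrypt(k, c) == session_key for k in held.values())
    prescription = b"Prescription for patient X"      # constructed message
    # A forgery "succeeds" only if it verifies under Alice's signing public key.
    # With Alice's own signing key the forged value equals her real signature.
    can_forge = any(verify(ALICE_SIGN_PUB, prescription, sign(k, prescription))
                    for k in held.values())
    return can_read, can_forge
```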