[4881] in WWW Security List Archive
Re: Fwd: Britain to ban free use of crypto
daemon@ATHENA.MIT.EDU (Doug Breault)
Mon Mar 24 11:54:36 1997
Date: Mon, 24 Mar 1997 09:07:13 -0500 (EST)
From: Doug Breault <dbreault@ns.sprintout.com>
To: Jeremey Barrett <jeremey@veriweb.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <333312F5.7FC19D9D@veriweb.com>
Errors-To: owner-www-security@ns2.rutgers.edu
<USELESS_COMMENTARY>
Doesn't it make you feel even BETTER knowing that the British
gave up their guns? Losing PGP is going to be the least of
their problems... it's sad, people never learn.
"Thank God for gun control. Where would the government be without
it? Run by the people maybe?"
</USELESS_COMMENTARY>
Sorry for the rubbish chaps,
-Doug
> The British government's Department of Trade and Industry has sneaked
> out proposals on licensing encryption services. Their effect will be to
> ban PGP and much more besides.
>
> I have put a copy on http://www.cl.cam.ac.uk/users/rja14/dti.html as
> their own web server appears to be conveniently down.
>
> Licensing will be mandatory:
>
> We intend that it will be a criminal offence for a body to offer
> or provide licensable encryption services to the UK public without
> a valid licence
>
> The scope of licensing is broad:
>
> Public will be defined to cover any natural or legal person in the
> UK.
>
> Encryption services is meant to encompass any service, whether provided
> free or not, which involves any or all of the following cryptographic
> functionality - key management, key recovery, key certification, key
> storage, message integrity (through the use of digital signatures), key
> generation, time stamping, or key revocation services (whether for
> integrity or confidentiality), which are offered in a manner which
> allows a client to determine a choice of cryptographic key or allows
> the client a choice of recipient/s.
>
> Total official discretion is retained:
>
> The legislation will provide that bodies wishing to offer or provide
> encryption services to the public in the UK will be required to
> obtain a licence. The legislation will give the Secretary of State
> discretion to determine appropriate licence conditions.
>
> The licence conditions imply that only large organisations will be able
> to get licences: small organisations will have to use large ones to manage
> their keys (this was the policy outlined last June by a DTI spokesman).
> The main licence condition is of course that keys must be escrowed, and
> delivered on demand to a central repository within one hour. The mere
> delivery of decrypted plaintext is not acceptable except perhaps from
> TTPs overseas under international agreements.
>
> The effect of all this appears to be:
>
> 1. PGP servers will be outlawed; it will be an offence for me to sign
> your pgp key, for you to sign mine, and for anybody to put my
> existing signed PGP key in a foreign (unlicensed) directory
>
> 2. Countries that won't escrow, such as Holland and Denmark, will be
> cut out of the Superhighway economy. You won't even be able to
> send signed medical records back and forth (let alone encrypted
> ones)
>
> 3. You can forget about building distributed secure systems, as even
> relatively primitive products such as Kerberos would need to have
> their keys managed by a licensed TTP. This is clearly impractical.
> (The paper does say that purely intra-company key management is OK,
> but licensing is required whenever there is any interaction with
> the outside world, which presumably catches systems with mail, web
> or whatever.)
>
> There are let-outs for banks and Rupert Murdoch:
>
> Encryption services as an integral part of another service (such as in
> the scrambling of pay TV programmes or the authentication of credit
> cards) are also excluded from this legislation.
>
> However, there are no let-outs for services providing only authenticity
> and nonrepudiation (as opposed to confidentiality) services. This is a
> point that has been raised repeatedly by doctors, lawyers and others -
> giving a police officer the power to inspect my medical records might
> just conceivably help him build a case against me, but giving him the
> power to forge prescriptions and legal contracts appears a recipe for
> disaster. The scope for fraud and corruption will be immense.
>
> Yet the government continues to insist on control of, and access to,
> signing keys as well as decryption keys. This shows that the real concern
> is not really law enforcement at all, but national intelligence.
>
> Finally, there's an opportunity to write in and protest:
>
> The Government invites comments on this paper until 30 May 1997
>
>
> Though if the recent `consultation' about the recent `government.direct'
> programme is anything to go by, negative comments will simply be ignored.
>
> Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
> protocol (see http://www.cs.berkeley.edu/~daw/GCHQ/casm.htm) that is
> broken (see http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.ps.gz).
>
> In Grey's words, ``All over Europe, the lights are going out''
>
> Ross
>
> ----------------- End forwarded message
>
> --
> Jeremey Barrett VeriWeb Internet Corp.
> Crypto, Ecash, Commerce Systems http://www.veriweb.com/
> PGP key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
>