From: jim bell <jimbell@pacifier.com>
Date: Fri, 11 Oct 1996 13:52:45 -0700 (PDT)
To: Adam Back <everheul@NGI.NL
Subject: Re: AW: Binding cryptography - a fraud-detectible alternative to key-esc
Message-ID: <199610111917.MAA01715@mail.pacifier.com>
MIME-Version: 1.0
Content-Type: text/plain


At 01:08 PM 10/11/96 +0100, Adam Back wrote:

>As your paper describes, your system allows anyone to check the
>correctness of the escrowed session key.  Have you considered
>modifying it so that the only person who can check is the owner of a
>designated private key of a public/private key pair?  This would allow
>say for the TTP to check correctness, and not the TRP, nor the public.
>I'm not sure of the usefulness of this, but it allows you to select
>from the full spectrum according to requirements:
>
>a) no one can check, PGP second recipient (Carl Ellison, Bill Stewart)
>b) recipient only can check (my suggestion)
>c) holder(s) of designated keys can check
>d) anyone can check (your proposal)

I think the biggest problem with allowing "anyone" to check the correctness 
of a key is that what is a technical possibility today, will become a 
legally-mandated requirement tomorrow.  What if Internet backbone companies 
and/or ISP's were told that they had to implement software check these keys, 
and if they discovered an "incorrect" escrowed key, they were legally 
obligated to either refuse to forward that message, and/or forward a copy of 
that message to someone like Spooks@NSA.gov or Thugs@DOJ.gov.    

Even worse, if this checking process revealed the sender, or at least a 
coded identity unique to the sender, the government could issue "digital 
APB's" where it would insist on being sent copies of all messages with a 
given ID number.  Suddenly, the Internet might go from being hard to tap, to 
being practically automatically tapped.


Jim Bell
jimbell@pacifier.com