From: John Gilmore <gnu@toad.com>
Date: Wed, 26 Mar 1997 20:41:26 -0800 (PST)
To: hallam@ai.mit.edu, gnu
Subject: UK domestic crypto regulation proposal *is* Clipper
Message-ID: <199703270440.UAA22819@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


I've seen several comments on cypherpunks that misconstrue the UK proposal.
E.g. Phillip Hallam-Baker said:

> First off the proposals are not intended as a Trojan horse for
> the Clipper chip "or any other colonial scheme".
> ...
> They are emphatically not trying to introduce a Clipper chip proposal.

Unfortunately, I believe he is wrong.  It's worse than Clipper, since
it outlaws the competition.

The proposed legislation would make it illegal to offer the UK public
any service related to key management, including simply signing
peoples' keys, without being licensed by the state.  This licensing
scheme includes a GAK requirement, an interoperability requirement,
and a whole pile of requirements that may need a little translation.

This means that there would only be *one* public-key infrastructure in
the UK (they claim this as a feature for end-users, since it provides
interoperability -- though they apparently haven't picked *whose* PKI
they are going to enshrine as a monopoly).  Unfortunately it would be
completely subverted by the government.  Users would have no choice
about whether to use a different infrastructure, say from another
country, or by setting it up themselves using PGP, Secure DNS, or
whatever.  The "trust" they offer is 100% sham, since you yourself
don't get to pick who you trust.  They do.

"It will be necessary to ensure that TTP security personnel are
competent, suitably qualified, trusted, & have successfully completed
a recognised security vetting procedure."  Translation: "Public key
certification authorities will need a security clearance."

"Checks will need to be undertaken to ensure that the background and
other business interests of [TTP company] directors would not
compromise the trust placed in a TTP."  And later, "Checks will be
made to ensure that those who own, or effectively control, an
organisation, are suitable candidates for ownership of a TTP."
Translation: "We will only license people who we believe will turn
over anyone's key on demand.  If they show any sign that their
customers could actually trust them to keep private keys private,
their license will not be approved."

It explicitly states:

	It will be a criminal offence for a body to offer or provide
	licensable encryption services to the UK public without a
	valid license.

This isn't a requirement on USERS, it's a requirement on OFFERERS.
However, what this means for users is that if you want to use digital
signatures, you have to use a Traitorous Third Party.  It will be
illegal for anyone else to offer you a digital signature service.
Perhaps you could use encryption without using digital signatures, but
you've just lost most of the benefits of public-key cryptography.

I believe the proposal outlaws Secure DNS services.  Merely signing
the keys of sub-domains, for free or for money, would be illegal.  You
will only be able to secure the Internet if you first subvert the
Internet by turning over the keys.

And while the government mentions in several places that it isn't
interested in access to authentication keys, the proposal still
requires that anyone providing authentication services (like signing
keys) be a licensed TTP and subject to GAK.

	John Gilmore