1997-03-25 - Why I might want a trusted third party.

Header Data

From: “Phillip M. Hallam-Baker” <hallam@ai.mit.edu>
To: “Cypherpunks (E-mail)” <cypherpunks@toad.com>
Message Hash: 581d6bc040a0e2f4dace84d326bdb3126a62a419683514c69bb542d01dcc6478
Message ID: <01BC3942.FF16CB80@crecy.ai.mit.edu>
Reply To: N/A
UTC Datetime: 1997-03-25 22:31:07 UTC
Raw Date: Tue, 25 Mar 1997 14:31:07 -0800 (PST)

Raw message

From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Date: Tue, 25 Mar 1997 14:31:07 -0800 (PST)
To: "Cypherpunks (E-mail)" <cypherpunks@toad.com>
Subject: Why I might want a trusted third party.
Message-ID: <01BC3942.FF16CB80@crecy.ai.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


Hi,

	There have been a number of comments on the UK proposals by the DTI to introduce a legal framework for use of trusted thrid parties. I contacted some old friends to find out what the issue really was. I was surprised by the result.

	First off the proposals are not intended as a Trojan horse for the Clipper chip "or any other colonial scheme". The UK authorities have been fighting terrorists rather longer than the US and the ones they are concerned about have used encryption for a decade. My friend was somewhat concerned that the US administration may have poisoned the water preventing any sensible scheme being deployed.

	The issue of concern is not private use of encryption but corporate users. Imagine you are a security administrator for IBM or DEC. You probably don't want your employees using absolutely secure email systems that would allow them to post company secrets through your firewall. I used to administer security at a large nuclear installation with an improbable amount of Uranium to hand (several hundred tonnes). Last thing I was going to allow was encrypted communications from the secure area to the Internet.

	Companies probably don't want to have their LAN completely open to snooping either. Their sysop may be snooping for a competitor as much as for them. For this particular customer the trusted third party concept is quite a good one. They can collect large quantities of information in a manner that avoids the risk of having gathered together a large collection of en-clair sensitive material in one place. Such a company would probably prefer to have the decryption key far away from the reach of their employees, ideally the key would be stored in such a way that even the TTP didn't know who it related to.

	Basically the DTI proposal clears the way for people to offer this type of service in the UK. They are emphatically not trying to introduce a Clipper chip proposal. Unfortunately what they do propose is clearly a slippery slope to a Clipper situation. If use of TTPs became ubiquitous it might become possible to enforce their use somehow at a later date.

	I think that this is a remote possibility but one that should raise concerns. If it was merely the UK government that was involved I would have fewer concerns than the current situation. The problem with US policy is that the executive keeps making ignorant and dangerous bids for unlimited power over the Internet and the people seem to have little influence over Congress. There was a tellling episode during the PICs/CDA fiasco when one of the professional lobbyists said "now we need to collect money for the hearings". Basically the governing assumption in DC amongst lobbyists is that you buy your way into hearings with campaign donnations. Crypto has many rich supporters but they tend not to understand just how corrupt US politics are.
	

Phillip M. Hallam-Baker
Visitng Scientist
MIT Laboratory for Artificial Intelligence.
hallam@ai.mit.edu
http://www.ai.mit.edu/people/hallam/hallam.html







Thread