1998-11-15 - TIS & PGP – who is pulling the strings (Re: Will Price (NAI employee) on KRA)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: aba@dcs.ex.ac.uk
Message Hash: b93ff099cf47dd4bd97bd43f8df33a77dc0f8810cc0047e7dbc8afd222e53258
Message ID: <199811142333.XAA32197@server.eternity.org>
Reply To: <199811141455.OAA30151@server.eternity.org>
UTC Datetime: 1998-11-15 00:06:29 UTC
Raw Date: Sun, 15 Nov 1998 08:06:29 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 15 Nov 1998 08:06:29 +0800
To: aba@dcs.ex.ac.uk
Subject: TIS & PGP -- who is pulling the strings (Re: Will Price (NAI employee) on KRA)
In-Reply-To: <199811141455.OAA30151@server.eternity.org>
Message-ID: <199811142333.XAA32197@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




To comment on Will Price's comments I forwarded earlier today:

Will Price <wprice@pgp.com> wrote:
> I've commented about this on this list before I believe.  This appears
> to be a case of really old news suddenly being dredged up for no
> apparent wholesome reason -- which strikes me as quite odd because
> Wired was apparently so eager to break this ancient story that they
> didn't wait to ask anyone from NAI about it.

I didn't heard anything other than speculation as to whether the TIS
acquisition would result in NAI rejoining KRA.  The news is that it
now is listed again (or at least someone noticed that it is now
listed).  Perhaps I was not paying attention, but I didn't hear anyone
from PGP announce that NAI had rejoined (or automatically rejoined)
KRA as a result of TIS merger.

> NAI being listed on the KRA page is *solely* a result of our TIS
> acquisition.  I really doubt anyone here actually called some KRA
> person and officially renewed our membership.  Frankly, I doubt anyone
> here actually knows who to talk to there -- if there even is a
> "there".  

Surely some of your TIS GAKware colleagues know all about KRAP --
being major league GAKkers, and having specifically signed up in the
first place, being leading contributers to the KRAP/GAK drive effort.

> As I have said before, due to the TIS acquisition, NAI now has a
> bunch of products which contain key escrow features.  

Watch terminology here.  TIS stuff contains GAK -- "key escrow" or
"message recovery" where the government has the master keys.

All commercial PGP versions 5.x and higher contain key recovery in the
form of PGP's "Corporate Message Recovery" (CMR) design.  Even the
personal use versions know how to cooperate in providing corporate
backdoors.

Now CMR is clearly much less objectionable than TIS stuff, tho'
politically debatable I would argue.  TIS stuff is outright GAK.  But
I think part of the point of KRA was to coerce/bribe crypto companies
to demonstrate working and workable NSA master key type GAK.

The problem people have had with PGP building a CMR / CKE mechanism is
you as a side effect demonstrate a method which would be workable as
an NSA master key GAK system.  Clearly all that is missing is software
configuration and the NSA to publish a key, and a law requiring use of
it.

Yeah, OK so there was always encrypt to self, but giving the NSA
ammunition is bad (viz the quotes from US government saying that Key
Recovery works and using PGP 5.x as an example).  I think that helping
the US government claim that GAK is workable is a bad result for a
company with PGP's privacy stance to end up contributing to.

I am glad that CMR was kept out of the OpenPGP spec.

> Eliminating or modifying these features such that they work in a
> less big brother-like fashion will take significant time -- indeed
> entire TIS products were based around managing key escrow
> infrastructures.  Don't get me wrong, TIS had a lot of other great
> products, but it will take time to redesign and rethink some of them
> in the context of export and key escrow.  

Will seems to be saying here that NAI is planning to remove GAK from
the TIS products acquired in the NAI purchase of TIS.

Firstly this is interesting because I wonder who is pulling the
strings inside NAI -- consider: NAI paid a lot more for TIS than they
paid for PGP.  TIS has lots of US government defense contracts
(presumably partly as bribery for assistance to US Government with
KRAP/the GAK drive).

Secondly he comments that it will take significant time to make the
TIS products less big brother like.  I don't buy this.  You've got the
source code -- just release a patch to fill the GAK field with garbage.
Sounds like a days work tops.

> I'm not sure there's much point in withdrawing from KRA when those
> products still exist.

Sure there is.  The bad PR of being in KRAP alone should make it worth
quiting.  This was why PRZ arranged the pull out last time around.

Secondly pulling out of KRA would be a nice way to back up your claims
that NAI intends to remove the GAK from the bought TIS products.  If
NAI intends to do this, what is the point of being a member of KRA
which is all about acheiving the reverse -- about putting GAK into
products.

> These issues have no effect whatsoever on the PGP group.  

Glad to hear it.  The effect it does have is in reputation damage due
to PR fall out.  Some people may prefer not to buy from a company
supporting the US government in it's attempts to force key escrow onto
users.  NAI is pulling in two directions, TIS and KRA membership, and
PGP privacy stance.

Adam





Thread