From: Adam Back <aba@dcs.ex.ac.uk>
Date: Tue, 25 Mar 1997 16:24:13 -0800 (PST)
To: hallam@ai.mit.edu
Subject: Re: Why I might^H^H^H^H^H *WILL NEVER* want a trusted third party.
In-Reply-To: <01BC3942.FF16CB80@crecy.ai.mit.edu>
Message-ID: <199703260019.AAA01978@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain



Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
> 	Companies probably don't want to have their LAN completely open to 
> snooping either. Their sysop may be snooping for a competitor as much as 
> for them. For this particular customer the trusted third party concept 
> is quite a good one. They can collect large quantities of information in 
> a manner that avoids the risk of having gathered together a large 
> collection of en-clair sensitive material in one place. Such a company 
> would probably prefer to have the decryption key far away from the reach 
> of their employees, ideally the key would be stored in such a way that 
> even the TTP didn't know who it related to.

Best argument I've seen for ombudsman key-escrow yet.  And
yet... surely it would be perfectly feasible to have the commercial
key escrow key system set up with the n of m directors and company
lawyer holding the key?  If they get suspicious they can check on
someone, and the rest of the time, no one can read anyone else's
messages.

In any case, if you were able to find an example of a company who
wanted this unusual setup, could they not draw up a contract with a
legal firm, or computer security company to achieve something similar.

The real problem I have with the DTI document is in `facilitating
ecommerce' or whatever the euphamism is for the government bid to have
real time access to user keys, they are also outlawing use of
unlicensed TTPs.  From the document it seems that activities which
require a TTP license are key server functionality, CAs (even for only
signature keys), time-stamping services, plus numerous other
possibilities, by entities which are not licensed TTPs.

Then they go on to say they want the market to decide on whether
government licensed TTPs are the best solution.  After outlawing most
other possibilities, and putting legal obstacles in the way of a fast
moving technological field.

> 	Basically the DTI proposal clears the way for people to offer
> this type of service in the UK. 

A lot of the proposal discusses outlawing non-licensed alternatives,
and timeliness of GAK (government access to keys), surely the way is
already clear for encryption companies to offer what they hell they
want to offer, to companies who are free to demand what they want.

> They are emphatically not trying to introduce a Clipper chip
> proposal. 

How do you describe all the `key recovery', and restrictions on TTPs
being interoperable and joining the network if they don't provide GAK?

Sounds _exactly_ like a clipper job to me.

> Unfortunately what they do propose is clearly a slippery slope to a
> Clipper situation. If use of TTPs became ubiquitous it might become
> possible to enforce their use somehow at a later date.

I'm sure this is the plan.  CESG is trying to push the CASM
architecture for TTPs (CASM is based of the Royal Holloway proposal).
CESG already has some `customers' who are legally obliged to use their
recommendations: central government.  The Health service had to put up
much resistance to avoid `the offer you can't refuse' of using Red
Pike in Health Service networks.  (Why Red Pike anyway?  It's a secret
algorithm, which is rumoured to be a modification of RC5, which itself
is a very new and relatively untested cipher.  What's wrong with 3DES?)

They plan to work their way out through peripheral government agencies
and authorities through the requirement to communicate with central
government, and the tendency to go with the government standard and
then move on to the public through the services the DTI is discussing
providing to the public.  Offering the public the opportunity to
interact electronically with both local and central government.

Along with legislation to make digital signatures binding in law only
when signed by keys held in a TTP licensed key server, certified by a
TTP licensed CA, they probably figure they can achieve de-facto
status, while quietly outlawing enough functionality to make
competition possible.  (For example running a non-TTP licensed
commercial CA or key servers would be a criminal offense.)

That's their game plan as I understand it.

Adam

-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`