1998-09-07 - KRAP is at it in the IETF

Header Data

From: Information Security <guy@panix.com>
To: tytso@mit.edu
Message Hash: aaa8fe6226af66b4c39d949e5b0f0981617e74a428ee1971071c7bb50f24486d
Message ID: <199809071253.IAA01912@panix7.panix.com>
Reply To: N/A
UTC Datetime: 1998-09-07 12:55:55 UTC
Raw Date: Mon, 7 Sep 1998 20:55:55 +0800

Raw message

From: Information Security <guy@panix.com>
Date: Mon, 7 Sep 1998 20:55:55 +0800
To: tytso@mit.edu
Subject: KRAP is at it in the IETF
Message-ID: <199809071253.IAA01912@panix7.panix.com>
MIME-Version: 1.0
Content-Type: text/plain

   >   From: "William H. Geiger III" <whgiii@invweb.net>
   >
   >   -----BEGIN PGP SIGNED MESSAGE-----
   >
   >   Hello,
   >
   >   It has come to my attention that the KRAP (key recovery alliance program)
   >   has submitted an I-D (internet draft) to the IETF for adding GAK
   >   (government access to keys) to the IPSEC protocols:
   >
   >   ftp://ftp.ietf.org/internet-drafts/draft-rfced-exp-markham-00.txt
   >
   >   I consider this a perversion of the standards process of the IETF to
   >   advance a political agenda which must be stopped at all costs.
   >
   >   Below are the e-mail addresses of some people that you should write
   >   (politely) expressing your objections to any such additions to the
   >   protocols:

Dear Sirs,

#    o Government Requirements: Governments must be able to intercept the
#   CKRB at the time of key establishment or periodically while the
#   security association remains active. This requires that the key
#   recovery enabled entity transmit the CKRB during the key establishment
#   protocol and every N hours during the security association.

   Speaking as someone who monitors company Internet traffic (email)
for compliance and security purposes, I would like to ask why the IETF
is working on a key recovery standard.

   If a company chooses to deploy, say, PGP with key recovery internally,
then any messages sent with it encrypted in the receiving party's public
key are available to the sending company's Information Security personnel.

   If a company wishes to make the key recovery information available
to the government, they can individually choose to do that.

   The IETF should not be helping to put such an infrastructure in place.

   Governments are our adversaries with respect to encryption and privacy.

   The US government, represented by the FBI/NSA, used to state that they
weren't pushing for mandatory domestic encryption (requiring people to use
curtains on their homes that the government can see through).

   Eventually we found out they lied, and were pushing for exactly that
behind the scenes:

*   http://epic.org/crypto/ban/fbi_dox/impact_text.gif
*
*   SECRET FBI report
*
*                   NEED FOR A NATIONAL POLICY
*
*   A national policy embodied in legislation is needed which insures
*   that cryptography use in the United States should be forced to be
*   crackable by law enforcement, so such communications can be monitored
*   with real-time decryption.
*
*   All cryptography that cannot meet this standard should be prohibited.

   Feel free to cite this manipulation when discarding key recovery proposals.

   If you put a key recovery proposal in place, it makes it that much
easier for them to require its use.

   Plus my basic complaint: this proposal is of no use to business
or Internet users.

   None.

   Its only purpose is to allow interception and decoding over the Internet.

   And if you think this would happen only with a court order, check out
this "anytime, anywhere" wording by the US government...
---guy

   Don't be another cog in the ECHELON monitoring machine.



The U.S. asked the OECD to agree to internationally required Key Recovery.

*   What Is The OECD
*
*   The Organization for Economic Co-operation and Development, based in
*   Paris, France, is a unique forum permitting governments of the
*   industrialized democracies to study and formulate the best policies
*   possible in all economic and social spheres.

: From owner-firewalls-outgoing@GreatCircle.COM Wed May 14 18:54:15 1997
: Received: from osiris (osiris.nso.org [207.30.58.40]) by ra.nso.org
:           (post.office MTA v1.9.3 ID# 0-13592) with SMTP id AAA322
:           for <firewalls@GreatCircle.COM>; Wed, 14 May 1997 12:56:13 -0400
: Date: Wed, 14 May 1997 12:58:46 -0400
: To: firewalls@GreatCircle.COM
: From: research@isr.net (Research Unit I)
: Subject: Re: Encryption Outside US
: 
: 
: I was part of that OECD Expert Group, and believe I may shine at least
: some light on what exactly was said and happened at the meetings.
: 
: The main conflict during all sessions was the demand of the US to be
: able to decrypt anything, anywhere at any time versus the European
: focus: we want to have the choice - with an open end - to maintain
: our own surveillance.  The US demand would have caused an immediate
: ability to tap into what the European intelligence community believes to
: be its sole and exclusive territory. In fact the Europeans were not at all
: pleased with the US viewpoints of controlling ALL crypto. Germany and
: France vigorously refused to work with the US on this issue.
:
: The Clipper initiative (at the time not readily developed) was completely
: banned, except for the Australian and UK views that felt some obligation
: from the 1947 UKUSA treaty (dealing with interchange of intelligence).
: 
: With a vast majority the US was cornered completely, and had to accept
: the international views. And actually adopted those as well.  EFF, EPIC and
: other US organizations were delighted to see the formal US views barred,
: but expressed their concern on the development of alternate political
: pressure that would cause the same effects.
:
: As time went by that was indeed what the US did, and up to now with minor
: success.
: 
: Bertil Fortrie
: Internet Security Review
: ==
