1998-11-14 - NAI(L) in PGPs coffin (Re: network associates back in kra)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: stevem@tightrope.demon.co.uk
Message Hash: 8c9b9dba51073212ed0862a0df9eb00090705f9afedaf085b658b2194be706ce
Message ID: <199811140004.AAA27507@server.eternity.org>
Reply To: <19981113201903.A25115@tightrope.demon.co.uk>
UTC Datetime: 1998-11-14 00:38:03 UTC
Raw Date: Sat, 14 Nov 1998 08:38:03 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sat, 14 Nov 1998 08:38:03 +0800
To: stevem@tightrope.demon.co.uk
Subject: NAI(L) in PGPs coffin (Re: network associates back in kra)
In-Reply-To: <19981113201903.A25115@tightrope.demon.co.uk>
Message-ID: <199811140004.AAA27507@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




Steve Mynott writes:
> subject says it all
> 
> roll on gpg

NAI rejoining KRAP would be something of a gift for any competitors of
PGP producing PGP compatible replacements, if there were any serious
contenders.

Or perhaps for S/MIME vendors, if they weren't already mostly KRAP
members, or pretty neutral / prone to be bribed by defense contracts,
and if S/MIME and PKIX weren't so hierarchical in design:

I'm not sure S/MIME based offerings are much of an alternative because
the hierarchical model, the ability of a CA to restrict what the end
user can use keys for (not for certification, for example), and the
general inability to use clients without a cert obtained from another
KRA member -- Verisign -- all add up to bad news.  The whole mess can be
controlled by GAKkers via the CA, and the CAs are the target, for
example, of the UK GAK attempt being led by the DTI (Department of
Trade and Industry -- meant to be representing industry, but instead
trying its level best to put GCHQ / ECHELON interests ahead of
business interests, as acknowledged by the DTI winning Privacy
International's hall of shame award).

To expand briefly on the current UK (DTI) proposal: it seems to be
that they are trying to stack the deck by giving signatures made with
a key certified by a UK government "licensed" CA better recognition
in law than signatures made with a key certified by an unlicensed CA.
The licensed CA doesn't have to escrow signature keys, but if it does,
and also provides any service relating to confidentiality keys, it
must keep the private keys as well.  (Deliverable to GCHQ / ECHELON
within 1 hr, 24 hours a day, 365 days a year -- GAK on steroids.)

Someone on ukcrypto coined the phrase `licensed to leak' to express
the government-coerced baggage that goes with a licensed CA.

Indeed roll on the GPG.

Adam




