From: Robert Hettinga <rah@shipwright.com>
Date: Sat, 5 Dec 1998 08:08:57 +0800
To: cypherpunks@cyberpass.net
Subject: RE: Wassenaar Statement
Message-ID: <v04020a4cb28e2148551f@[139.167.130.246]>
MIME-Version: 1.0
Content-Type: text/plain




--- begin forwarded text


From: "Phillip Hallam-Baker" <hallam@ai.mit.edu>
To: "Robert Hettinga" <rah@shipwright.com>, <dcsb@ai.mit.edu>
Subject: RE: Wassenaar Statement
Date: Fri, 4 Dec 1998 18:02:40 -0500
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Importance: Normal

We have seen this type of press release before. Uncle Sam goes
off to a conference and returns to state that the rest of the
world has committed to its position - only to find out later that
the rest of the world did not. Anyone remembe the time the
crypto Tzar went off to the European Association (a non binding
talking shop) and got a similar 'undertaking'.

It is more likely that the Wassenaar statement reflects what went
on at the meeting. But even then most countries in Europe have a
democratic process in which decisions are made by elected
representatives and not by beaureacrats at closed treaty
negotiations.

Just as the munitions acts under which the ITAR crypto regulations
are purported to be made clearly do not provide the executive with
the powers claimed, neither do most of the European enabling
acts for COCOM.

Nor in a parliamentary system is it quite so easy for the executive
to perform Zimmerman type persecutions. If the same tactics had
been used in the UK the Home secretary would have faced political
consequences for the failure of the prosecution. The Matrix Churchill
affair played a significant part in the collapse of the Major
government in the UK. I doubt Straw would be keen on a repeat.


The UK DTI proposals requiring GAK as a condition of CA licensing
may appear to meet the Freeh objectives but since there is no
proposal to make licensing a requirement of doing business the result
is most likely to be nobody becomes a 'licensed CA'. There is a
legitimate business need for key recovery but nobody offering those
services is going to want access to the customer's private keys.
Doing so would be akin to keeping triffids as pets. It is not
necessary to keep actual private keys to achieve the objective of
controlling access to the private keys.


		Phill

--- end forwarded text


-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'