Steve Mynott writes:
subject says it all
roll on gpg
NAI rejoining KRAP would be something of a gift for any competitors of PGP producing PGP-compatible replacements, if there were any serious contenders. Or perhaps for S/MIME vendors, if they weren't already mostly KRAP members, or pretty neutral / prone to be bribed by defense contracts, and if S/MIME and PKIX weren't so hierarchical in design: I'm not sure S/MIME-based offerings are much of an alternative, because the hierarchical model, the ability of a CA to restrict what the end user can use keys for (not for certification, for example), and the general inability to use clients without a cert obtained from another KRA member -- Verisign -- all add up to bad news.

The whole mess can be controlled by GAKkers via the CA, and the CAs are the target, for example, of the UK GAK attempt being led by the DTI (Department of Trade and Industry -- meant to be representing industry, but instead trying its level best to put GCHQ / ECHELON interests ahead of business interests, as acknowledged by the DTI winning Privacy International's hall of shame award).

To expand briefly on the current UK (DTI) proposal: it seems that they are trying to stack the deck by giving signatures made with a key certified by a UK government "licensed" CA better recognition in law than signatures made with a key certified by an unlicensed CA. The licensed CA doesn't have to escrow signature keys, but if it does, and provides any service relating to confidentiality keys also, it must also keep the private keys. (Deliverable to GCHQ / ECHELON within 1 hour, 24 hours a day, 365 days a year -- GAK on steroids). Someone on ukcrypto coined the phrase 'licensed to leak' to express the government-coerced baggage that goes with a licensed CA.

Indeed, roll on the GPG.

Adam