Tim wrote:
"Distribute a key, go to prison."
How does the New World Order limit the use of strong crypto without "key recovery" when so many copies of older, pre-ban crypto are already out there?
Simple, by declaring that public keys themselves are crypto material, as the Brits did in their Trusted Third Parties draft proposal, and hence declaring that distribution of keys after the effective date of the legislation constitutes a violation. Give someone your key, either by placing it on keyservers or even by mailing it to them, and one has just "distributed" crypto.
This will make the public key infrastructure essentially useless, as the public key servers go down, as corporations yank any directories they may have, and (possibly) as individuals stop putting PGP or S/MIME fingerprints or pointers in their messages.
How possible is this? Recall that the British proposal formally classified key material, the keys themselves, as cryptographic products. The language of the current unSAFE and Procto-CODE draconian bills, still changing of course as committees rewrite them to be more Big Brotherish, is vague on what constitutes crypto.
I agree with the gist of this nightmare view, but don't think it describes the British TTP proposal very well. 140 These proposals - aimed at facilitating the provision of secure 141 electronic commerce - are being brought forward against a background ha ha ha 1122 Encryption services_ is meant to encompass any service, whether 1123 provided free or not, which involves any or all of the following 1124 cryptographic functionality - key management, key recovery, key 1125 certification, key storage, message integrity (through the use of 1126 digital signatures) key generation, time stamping, or key 1127 revocation services (whether for integrity or confidentiality), 1128 which are offered in a manner which allows a client to determine a 1129 choice of cryptographic key or allows the client a choice of 1130 recipient/s. My giving you my key does not provide you with 'choice of cryptographic key or ... recipient/s' as I read it. But if I signed your key and distributed it, that would probably be a certification service (to you) in which you had chosen the key to be signed. Also if I gave you 2 keys of mine I think that would be banned, because you'd have a choice. This certainly does discourage effective use, but I don't think the current wording is quite so dire as to outlaw distribution of a single key. I'd also say that when an ISP carries my emailed key to someone they are providing a transport service, and not a cryptographic one. The 'or allows the client a choice of recipient/s' looks to me like a direct reference to remailers. As to signing non-key material; a service would be if someone I know brought something (a photo for me to certify true likeness, a will for me to witness their signature ...) and I signed it for him to indicate something to others. Signing my outgoing letters is not normally considered a service. My checking the signatures on my incoming mail is probably not a service, even if it forms part of the decision on whether to reply. As to self-signing a key; it may be permitted following the model of the above paragraph, or not. I believe the proposal is deliberately vague for FUD - and is bad law, regardless of the bad content. I mentioned the difficulty of deciding exactly what would be banned by this proposed law in my article: "Ruritania Discovers Motor Transport". Check the ar...BANG -- ############################################################## # Antonomasia ant@notatla.demon.co.uk # # See http://www.notatla.demon.co.uk/ # ##############################################################