Loyd Blankenship (fnordbox!loydb@cs.utexas.edu) writes:
To: cypherpunks@toad.com Subject: Government Encryption
Recently there was a thread on a public-key program that would involve a central, government-backed-or-authorized agency to issue key pairs and serve as a repository. Could someone please post some details on this --
This "rumor" seems to be the result of two different, but not necessarily better, events. The first is an Usenet posting by Dorothy Denning (anyone have a copy of this posting/report BTW, I seem to have lost mine and only have the 400K or responses in sci.crypt...) and an article in the July 1992 CACM by Ron Rivest that suggested that people be required to register thier _private_ keys with some government authority so that feds with a warrant (and anyone with enough cash to bribe the civil servant sitting at the "private-key desk") can break open messages and files encrypted using PKE. The other is the PEM RFC that talked about certification authorities (and mentioned that government institutions could be one type of, but not the only type of, certification authority. The two seem to have come together into one nifty rumor that gives paranoid people ulcers and causes the rest of us to be a little more vigilant...
I seem to have gotten it into my head that this is how PEM works, and I don't know whether I'm right or just medicated. :-)
No, not really. PEM specifies a standard for exchange of encrypted mail messages, but does not enforce a particular method of key certification. They do talk a lot about certification authorities, but these are not necessarily government institutions. Check out RFC1113-1115 at your friendly neighborhood RFC server. The mrr-password.ps file on soda.berkeley.edu in /pub/cypherpunks goes into a lot of detail about CAs so you might also want to check that one out. jim