I've seen several comments on cypherpunks that misconstrue the UK proposal. E.g. Phillip Hallam-Baker said:
First off the proposals are not intended as a Trojan horse for the Clipper chip "or any other colonial scheme". ... They are emphatically not trying to introduce a Clipper chip proposal.
Unfortunately, I believe he is wrong. It's worse than Clipper, since it outlaws the competition. The proposed legislation would make it illegal to offer the UK public any service related to key management, including simply signing peoples' keys, without being licensed by the state. This licensing scheme includes a GAK requirement, an interoperability requirement, and a whole pile of requirements that may need a little translation. This means that there would only be *one* public-key infrastructure in the UK (they claim this as a feature for end-users, since it provides interoperability -- though they apparently haven't picked *whose* PKI they are going to enshrine as a monopoly). Unfortunately it would be completely subverted by the government. Users would have no choice about whether to use a different infrastructure, say from another country, or by setting it up themselves using PGP, Secure DNS, or whatever. The "trust" they offer is 100% sham, since you yourself don't get to pick who you trust. They do. "It will be necessary to ensure that TTP security personnel are competent, suitably qualified, trusted, & have successfully completed a recognised security vetting procedure." Translation: "Public key certification authorities will need a security clearance." "Checks will need to be undertaken to ensure that the background and other business interests of [TTP company] directors would not compromise the trust placed in a TTP." And later, "Checks will be made to ensure that those who own, or effectively control, an organisation, are suitable candidates for ownership of a TTP." Translation: "We will only license people who we believe will turn over anyone's key on demand. If they show any sign that their customers could actually trust them to keep private keys private, their license will not be approved." It explicitly states: It will be a criminal offence for a body to offer or provide licensable encryption services to the UK public without a valid license. This isn't a requirement on USERS, it's a requirement on OFFERERS. However, what this means for users is that if you want to use digital signatures, you have to use a Traitorous Third Party. It will be illegal for anyone else to offer you a digital signature service. Perhaps you could use encryption without using digital signatures, but you've just lost most of the benefits of public-key cryptography. I believe the proposal outlaws Secure DNS services. Merely signing the keys of sub-domains, for free or for money, would be illegal. You will only be able to secure the Internet if you first subvert the Internet by turning over the keys. And while the government mentions in several places that it isn't interested in access to authentication keys, the proposal still requires that anyone providing authentication services (like signing keys) be a licensed TTP and subject to GAK. John Gilmore