
Forwarded:

To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Escrow - news
Date: Sat, 14 Nov 1998 15:42:26 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Will Price writes:
NAI being listed on the KRA page is *solely* a result of our TIS acquisition
On his most recent speaking tour of Europe, at which he promoted PGP v 6, Phil Zimmermann assured us categorically that NAI had at his insistence withdrawn from the KRA. It now appears that either (1) he lied to us (2) he was himself lied to by NAI management or (3) NAI has rejoined.
I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".
You marketed version 6 of your product on the back of a claim that you'd left the KRA. Yet NAI is now listed on the KRA website as a member, and this is clearly doing your product material harm. Either it's not true that you're a member, in which case your lawyers will be able to extract so much money from KRA that it goes out of business, whereupon the world will cheer and buy your product, or it is true, in which case the damage will continue.

There is a deeper issue for the community here. For many years we have tended to trust products because we know the technical people involved. This has been the foundation for trust of other kinds. For example, some years ago, a certain country's foreign ministry asked me for a reference on Entrust prior to buying their products; my response was that I knew both Paul van Oorschot and Mike Wiener, and in my opinion they were both very competent. As a result of this, purchasing decisions may have been taken with a significant effect on national intelligence, economic competitiveness and even military preparedness. As the country in question is a NATO member, its diplomatic comsec (or lack of it) affects the UK directly.

Now, in one weekend, we have two cases where assurances from credible technical people turned out to be unsatisfactory. Where does that leave us?

Since I gave that reference for Entrust, the University here has tightened up on liability. We must take care not to give references that are untruthful or even misleading. We are urged to err on the side of caution. So next time a foreign ministry asks me whether Entrust products are kosher, I probably have to reply:

`You cannot prudently trust any third party to sell you trustworthy comsec products. Recall Britain's selling old Enigmas to allies in the Commonwealth; think of the fuss over red-threading; check out the trapdoor in Sesame; and read up on key escrow. The only way you can get good kit is if you build it yourself. If you don't have the skills, then I suggest you get some bright graduates to check out our PhD programme - see <http://www.cl.cam.ac.uk/UoCCL/research/>'

A very traditional view of the world. Has nothing really changed since the 1960's?

Ross

----------

Date: Sat, 14 Nov 1998 14:55:45 GMT
Message-Id: <199811141455.OAA30151@server.eternity.org>
From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Subject: Will Price (NAI employee) on KRA

This comment on NAI's KRA(P) membership by Will Price <wprice@pgp.com>, a crypto type who works for PGP was forwarded to the ukcrypto list by Ian Goodyer (uk-crypto list admin). Not sure where it was posted originally, or perhaps Will asked Ian to forward it.

Adam

------- Start of forwarded message -------

Date: Sat, 14 Nov 1998 11:43:07 +0000
To: ukcrypto@maillist.ox.ac.uk
From: "Ian D. Goodyer" <goodyer@well.ox.ac.uk>
Subject: Re: Escrow - news

Here is a response from Will Price who was formerly from PGP inc and now of course is with NAI.

ian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've commented about this on this list before I believe. This appears to be a case of really old news suddenly being dredged up for no apparent wholesome reason -- which strikes me as quite odd because Wired was apparently so eager to break this ancient story that they didn't wait to ask anyone from NAI about it.

NAI being listed on the KRA page is *solely* a result of our TIS acquisition. I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".

As I have said before, due to the TIS acquisition, NAI now has a bunch of products which contain key escrow features. Eliminating or modifying these features such that they work in a less big brother-like fashion will take significant time -- indeed entire TIS products were based around managing key escrow infrastructures. Don't get me wrong, TIS had a lot of other great products, but it will take time to redesign and rethink some of them in the context of export and key escrow. I'm not sure there's much point in withdrawing from KRA when those products still exist.

These issues have no effect whatsoever on the PGP group. As always, we continue to publish full source code which effectively solves all the export issues for us.

Robert Guerra wrote:
I just picked this up from another mailing list that I am on. Perhaps the folks at NAI can clarify things?
- ---------- Forwarded message ----------
Date: Fri, 13 Nov 1998 10:55:06 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: ukcrypto@maillist.ox.ac.uk
Subject: Escrow - news
(1) Network Associates has quietly rejoined the Key Recovery Alliance - - see http://www.kra.org.
- -- Will

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBNkySo6y7FkvPc+xMEQIuygCfYosXGISVrKd4dYWwM8xOrVdd4WAAn3dT
XvDG6FMapZpjmvjucF67fwM5
=xa+R
-----END PGP SIGNATURE-----

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>
PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=getsearch=0xCF73EC4C>

------- End of forwarded message -------