
Have spent some time reading over the paper re TTP/CA regulation in the UK. I don't think the paper is exactly a model of clarity, but my impression (from a few passes over it) is that it isn't intended to affect the distribution of software but is intended to affect people acting as CA's (including signing a friend's key) or as key escrow agents.
But both this document and two of the three bills in the US Congress (Goodlatte and Leahy) look to me like "first shoes" which precede "the other shoe dropping", e.g., making use of a TTP/key escrow agent mandatory once there's a reasonable infrastructure in place.
Regulating essentially informal and private transactions like key signing between associates strikes me as absurd - but not much more absurd than things done on this side of the Atlantic, of course. I do think there are interesting issues around certifying CA's and CA liability, but it seems like they can be addressed using existing legal theories/strategies - some mix of tort law and contract law should be sufficient.
Criminalizing a PGP key-signing party is almost as stupid as threatening to criminalize PGP. My hunch is that legislatures in Europe as well as Congress are going to get around to trying that within a few years. All it's going to take is repeating the phrase "legitimate needs of law enforcement" and "a fair balance between law enforcement needs and industry needs" a few thousand more times and it'll all seem perfectly rational.
Last week's hearing for the ProCODE bill totally ignored the right of individuals to be free from interception/eavesdropping, and seemed to focus on some sort of compromise between business (who's perceived as wanting to make money from exporting strong crypto, but the argument is structurally the same whether we're talking about export/import controls on wheat or cars or on crypto) and law enforcement (who's perceived as being, at worst, slightly overzealous in their pursuit of safety & tranquility for each and every American, perhaps to the detriment of business interests, apologies to those fine businesses & their investors, etc.) (* I missed the first 20 minutes or so, perhaps that's when this was discussed, but I'll bet not.) I don't think I heard the Fourth Amendment (or any similar concerns) mentioned even once, nor the consistent pattern (across tens of years, subject matter, internal jurisdictions, national boundaries, and ideology of the government in power) by which law enforcement grows contemptuous of the law itself and begins using its power to perpetuate itself and in various flavors of political or personal repression. I suppose it would have been impolite to mention the various Red Squads, the COINTELPRO operation against domestic dissident groups, harassment of antinuclear and anti-Contra activists, local police spying in Pittsburgh and Los Angeles and San Francisco (and surely many other places I haven't heard about, too), Ruby Ridge, Waco, Operation MOVE, and recent revelations that the FBI crime lab has been altering lab reports and offering perjured testimony against criminal defendants. Law enforcement abuses are not "aberrations" nor "unfortunate incidents" which could not be predicted nor are they unlikely to recur. 
The only real question is whether or not we want to give law enforcement tools which can only be misused in obvious ways (like guns, which make noise, or tanks or helicopters, which are easy to see/hear) or if we're going to give them tools (like secret wiretaps and access to crypto keys) which are very difficult to track or detect when used illegitimately.
Between cops who fuck up for political reasons (see above) and spooks/cops who sell out just for money (Ames, Lonetree, and the rest of the sad parade I've already forgotten who've been willing to sell "top secret" material which they knew put their colleagues' lives in danger, as well as street-level corrupt cops who "look the other way", steal from suspects/defendants, "borrow" from evidence lockers, carry "throw-down" guns and the rest), it's hard to feel like this is an institution that deserves any real trust. It may be that society ends up with less net brutality and corruption if we let the SFPD or the LAPD or the FBI drive around with guns & radios than if we allowed the Mafia or the Crips or the Bloods to do that .. but it's really just "more brutality" or "less brutality". The lesser of two evils is still evil.
Which is a lot of rant to say that I don't think the sky is falling in the UK just yet.
--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         |
http://www.io.com/~gbroiles | Export jobs, not crypto.