Will Price (NAI employee) on KRA

This comment on NAI's KRA(P) membership by Will Price <wprice@pgp.com>, a crypto type who works for PGP, was forwarded to the ukcrypto list by Ian Goodyer (uk-crypto list admin). Not sure where it was posted originally, or perhaps Will asked Ian to forward it.

Adam

------- Start of forwarded message -------
Date: Sat, 14 Nov 1998 11:43:07 +0000
To: ukcrypto@maillist.ox.ac.uk
From: "Ian D. Goodyer" <goodyer@well.ox.ac.uk>
Subject: Re: Escrow - news

Here is a response from Will Price who was formerly from PGP Inc and now of course is with NAI.

ian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've commented about this on this list before I believe. This appears to be a case of really old news suddenly being dredged up for no apparent wholesome reason -- which strikes me as quite odd because Wired was apparently so eager to break this ancient story that they didn't wait to ask anyone from NAI about it.

NAI being listed on the KRA page is *solely* a result of our TIS acquisition. I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".

As I have said before, due to the TIS acquisition, NAI now has a bunch of products which contain key escrow features. Eliminating or modifying these features such that they work in a less big brother-like fashion will take significant time -- indeed entire TIS products were based around managing key escrow infrastructures. Don't get me wrong, TIS had a lot of other great products, but it will take time to redesign and rethink some of them in the context of export and key escrow. I'm not sure there's much point in withdrawing from KRA when those products still exist.

These issues have no effect whatsoever on the PGP group. As always, we continue to publish full source code which effectively solves all the export issues for us.

Robert Guerra wrote:
I just picked this up from another mailing list that I am on. Perhaps the folks at NAI can clarify things?
---------- Forwarded message ----------
Date: Fri, 13 Nov 1998 10:55:06 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
Reply-To: ukcrypto@maillist.ox.ac.uk
To: ukcrypto@maillist.ox.ac.uk
Subject: Escrow - news
(1) Network Associates has quietly rejoined the Key Recovery Alliance - see http://www.kra.org.
-- Will

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBNkySo6y7FkvPc+xMEQIuygCfYosXGISVrKd4dYWwM8xOrVdd4WAAn3dT
XvDG6FMapZpjmvjucF67fwM5
=xa+R
-----END PGP SIGNATURE-----

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>
PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0xCF73EC4C>
------- End of forwarded message -------

Date: Sat, 14 Nov 1998 09:57:53 -0800 (PST)
To: jya@pipeline.com
From: prz@pgp.com (Philip Zimmermann (via an auto-responder))
Subject: Got your message

Thanks for your message. Sometimes it takes a day or two to get through all my email. I will get back to you, or have someone from our company get back to you, as quickly as I can. Thanks for your patience. If you need to speak with someone immediately, please call our corporate offices at 408 988-3832 [called, got voicemail: closed until Monday.]. If you need to contact me by phone, see the contact information on my web page at http://www.pgp.com/phil.

In December 1997 my company, Pretty Good Privacy Inc, was acquired by McAfee Associates, which is now known as Network Associates [ref. kra.org].

If you haven't seen it already, you should take a look at the latest version of PGP, version 6, available in both commercial and freeware forms, for Windows and Mac, available for Web downloading from our company's web site at http://www.pgp.com.

The best site with the best all-around information about PGP, including frequently asked questions, is http://www.pgpi.com, which is in Norway. They have information on where to get PGP if you live outside of the US or Canada, for commercial or freeware use. They also provide pointers into our own domestic web site here to help you easily find where to get the latest versions of PGP in the US, for business or freeware. They also tell you how to download the PGP source code for peer review, and where to get the Unix versions. You can also download PGPfone from there.

-Philip Zimmermann

Forwarded:
To: ukcrypto@maillist.ox.ac.uk
Subject: Re: Escrow - news
Date: Sat, 14 Nov 1998 15:42:26 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Will Price writes:
NAI being listed on the KRA page is *solely* a result of our TIS acquisition
On his most recent speaking tour of Europe, at which he promoted PGP v6, Phil Zimmermann assured us categorically that NAI had at his insistence withdrawn from the KRA. It now appears that either (1) he lied to us, (2) he was himself lied to by NAI management, or (3) NAI has rejoined.
I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".
You marketed version 6 of your product on the back of a claim that you'd left the KRA. Yet NAI is now listed on the KRA website as a member, and this is clearly doing your product material harm. Either it's not true that you're a member, in which case your lawyers will be able to extract so much money from KRA that it goes out of business, whereupon the world will cheer and buy your product, or it is true, in which case the damage will continue.

There is a deeper issue for the community here. For many years we have tended to trust products because we know the technical people involved. This has been the foundation for trust of other kinds. For example, some years ago, a certain country's foreign ministry asked me for a reference on Entrust prior to buying their products; my response was that I knew both Paul van Oorschot and Mike Wiener, and in my opinion they were both very competent. As a result of this, purchasing decisions may have been taken with a significant effect on national intelligence, economic competitiveness and even military preparedness. As the country in question is a NATO member, its diplomatic comsec (or lack of it) affects the UK directly.

Now, in one weekend, we have two cases where assurances from credible technical people turned out to be unsatisfactory. Where does that leave us?

Since I gave that reference for Entrust, the University here has tightened up on liability. We must take care not to give references that are untruthful or even misleading. We are urged to err on the side of caution. So next time a foreign ministry asks me whether Entrust products are kosher, I probably have to reply: `You cannot prudently trust any third party to sell you trustworthy comsec products. Recall Britain's selling old Enigmas to allies in the Commonwealth; think of the fuss over red-threading; check out the trapdoor in Sesame; and read up on key escrow. The only way you can get good kit is if you build it yourself.
If you don't have the skills, then I suggest you get some bright graduates to check out our PhD programme - see <http://www.cl.cam.ac.uk/UoCCL/research/>'

A very traditional view of the world. Has nothing really changed since the 1960s?

Ross

To comment on Will Price's comments I forwarded earlier today:

Will Price <wprice@pgp.com> wrote:
I've commented about this on this list before I believe. This appears to be a case of really old news suddenly being dredged up for no apparent wholesome reason -- which strikes me as quite odd because Wired was apparently so eager to break this ancient story that they didn't wait to ask anyone from NAI about it.
I didn't hear anything other than speculation as to whether the TIS acquisition would result in NAI rejoining KRA. The news is that it now is listed again (or at least someone noticed that it is now listed). Perhaps I was not paying attention, but I didn't hear anyone from PGP announce that NAI had rejoined (or automatically rejoined) KRA as a result of the TIS merger.
NAI being listed on the KRA page is *solely* a result of our TIS acquisition. I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".
Surely some of your TIS GAKware colleagues know all about KRAP -- being major league GAKkers, and having specifically signed up in the first place, being leading contributors to the KRAP/GAK drive effort.
As I have said before, due to the TIS acquisition, NAI now has a bunch of products which contain key escrow features.
Watch terminology here. TIS stuff contains GAK -- "key escrow" or "message recovery" where the government has the master keys. All commercial PGP versions 5.x and higher contain key recovery in the form of PGP's "Corporate Message Recovery" (CMR) design. Even the personal use versions know how to cooperate in providing corporate backdoors. Now CMR is clearly much less objectionable than TIS stuff, tho' politically debatable I would argue. TIS stuff is outright GAK. But I think part of the point of KRA was to coerce/bribe crypto companies to demonstrate working and workable NSA master key type GAK. The problem people have had with PGP building a CMR / CKE mechanism is you as a side effect demonstrate a method which would be workable as an NSA master key GAK system. Clearly all that is missing is software configuration and the NSA to publish a key, and a law requiring use of it. Yeah, OK so there was always encrypt to self, but giving the NSA ammunition is bad (viz the quotes from US government saying that Key Recovery works and using PGP 5.x as an example). I think that helping the US government claim that GAK is workable is a bad result for a company with PGP's privacy stance to end up contributing to. I am glad that CMR was kept out of the OpenPGP spec.
Eliminating or modifying these features such that they work in a less big brother-like fashion will take significant time -- indeed entire TIS products were based around managing key escrow infrastructures. Don't get me wrong, TIS had a lot of other great products, but it will take time to redesign and rethink some of them in the context of export and key escrow.
Will seems to be saying here that NAI is planning to remove GAK from the TIS products acquired in the NAI purchase of TIS. Firstly this is interesting because I wonder who is pulling the strings inside NAI -- consider: NAI paid a lot more for TIS than they paid for PGP. TIS has lots of US government defense contracts (presumably partly as bribery for assistance to US Government with KRAP/the GAK drive). Secondly he comments that it will take significant time to make the TIS products less big-brother-like. I don't buy this. You've got the source code -- just release a patch to fill the GAK field with garbage. Sounds like a day's work tops.
I'm not sure there's much point in withdrawing from KRA when those products still exist.
Sure there is. The bad PR of being in KRAP alone should make it worth quitting. This was why PRZ arranged the pull out last time around. Secondly pulling out of KRA would be a nice way to back up your claims that NAI intends to remove the GAK from the bought TIS products. If NAI intends to do this, what is the point of being a member of KRA which is all about achieving the reverse -- about putting GAK into products.
These issues have no effect whatsoever on the PGP group.
Glad to hear it. The effect it does have is in reputation damage due to PR fallout. Some people may prefer not to buy from a company supporting the US government in its attempts to force key escrow onto users. NAI is pulling in two directions, TIS and KRA membership, and PGP privacy stance.

Adam
Participants (2): Adam Back, John Young