lmccarth@cs.umass.edu risks violating the terms of his PC probation by writing:

I just sent this to the remailer operators' list, but it may be of interest here too. I think Tim or Lucky or someone suggested something like GAI (Government Access to Identities) here a while back....

Forwarded message:

...

Lance writes:

...

I hypothesize that the Strassmann & Marlow paper is meant to lay the groundwork for some sort of eventual Government Access to Identities proposal (which would more likely be termed "identity escrow" by the Feds). It's about the only way I can reconcile statements like the following (juxtaposed by me, not them):

Indeed, several of us have written extensively about the rationales for "is-a-person" credentialling by government, what I have quipped is a kind of "identity escrow" (further abusing the term "escrow"). I lack the time to write a concise summary, so will instead mention a bunch of points. Searching the archives for mentioned terms may yield more comprehensive articles. * "Internet Driver's License." This is not just a joke, although the reported systems are not called this. But the idea is the same. A credential, probably a signed key certificate, that is granted after proof of age is presented. (For example, one might show a passport or conventional Driver's License at a Post Office and they'd issue a signed key....something they'd like to get into the business of doing, from various reports.) * An age credential such as this is essentially going to be necessary, in the worst case, for accessing the Net and Web. If the CDA is upheld--which may take several years to decide for sure--then sites will probably have to take positive steps to verify that users are not minors. Unless they carry only G-rated Barney material (but no Barney jokes, as children might be traumatized). * This age credential obviously cannot be just the "I swear that I am old enough to view adult images" sort of click button. (Although it mostly works with ordering adult material through the mail to immunize a provider, except in this case there is the additional "check" of mail delivery, where a postal carrier may may informal inquiries about the age of the recipient. Plus the parents can intercept the subscription to "Hustler" that 14-year-old Johhny ordered.) * The various schemes for signature authorities, which I admit to not following very closely, all the stuff about Verisign and whether Netscape will or will not accept signatures of rogue signers....all this suggests a worrisome situation in which all messages must be signed by the True Name (see above) of the message originator. (For a good fictional treatment of this, see John Brunner's "The Shockwave Rider.") * Remailers and Web proxies obviously represent an end-run around the CDA and key escrow, in various ways, so I think it likely that these will come under attack. The legal means of attacking them may be one or more of the following: - holding the remailer site operator legally responsible for what can be traced back to his system, especially if in plaintext. (This would make the last site in a chain of otherwise-encrypted messages especially vulnerable if the message is delivered in plaintext to the recipient. Of course, with wider use of crypto, the message can be delivered in encrypted form. I see more and more remailers insisting on encrypted (high entropy) messages.) - for sites that charge any kind of fee for remailing, extensions of the business laws to require that logs be maintained ("so that customers can dispute bills"!!). These logs could then be subpoenaed to aid in tracing messages back to origins. (Sure, it gets hard when hops outside the country are involved...I'm not saying this'll be easy or effective, just a possible avenue of attack on remailers.) - finally, outlawing of remailers and proxies. Or extensive registration of them. (We've had this debate a couple of times, about whether mail-forwarding services really have to register, get proof of ID, send records along to the government, etc.) * Identity Escrow obviously fits in closely with key escrow in general. In closing, I think the next couple of years will see increasing pressure to require some kind of "Internet Driver's License," at least within the U.S. Other countries will jump at this (Germany, China, France, the usual suspects). Call it an "Internet Passport." For some interesting insights into the thinking of some in the crypto community, go back to around 1986-8 in the "Crypto" Conference Proceedings and you'll find some papers, by Fiat and Shamir I believe, on the "problem" of "rogue governments" (they cited Libya for their example) issuing "false passports." (I have commented in the past that the U.S. government has a reported 50,000 or more people in the Witness Security (aka Protection) Program, under the U.S. Marshal's Service, and reserves the right to create completely fake "legends" (dossiers) for these people, including false credit records, false education records, and false employment records. Not to mention their various secret agents. Clearly the government would want "back doors" into any Internet Passport system!) --Tim May Boycott espionage-enabled software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."