Forward from Cyberia-L:

Making absolutely no comment on the subject of licensing of certification authorities, you may be interested in a UK paper entitled LICENSING OF TRUSTED THIRD PARTIES FOR THE PROVISION OF ENCRYPTION SERVICES - Public Consultation Paper on Detailed Proposals for Legislation, March 1997.

You can obtain a full document at

E. Michael Power
Coordonnateur
Secrétariat au commerce électronique
Ministère de la Justice Canada

----------

This paper links to David Herson, the reputed GCHQ spy who admitted the EU/FBI wiretap pact:

Information on any of the current TTP projects can be obtained from David Herson (DG XIII/7) at the European Commission (e-mail or from the Commission Web site at

John Young <> forwards from Cyberia-L:
:
: Making absolutely no comment on the subject of licensing of certification
: authorities, you may be interested in a UK paper entitled LICENSING OF
: TRUSTED THIRD PARTIES FOR THE PROVISION OF ENCRYPTION SERVICES - Public
: Consultation Paper on Detailed Proposals for
: Legislation, March 1997.
:
: You can obtain a full document at

Ross Anderson <> posted his interpretation of this to sci.crypt,, today, which I think cypherpunks might find eye opening, I'm off to read the doc myself now.

: From: (Ross Anderson)
: Newsgroups:,,sci.crypt
: Subject: UK Government to ban PGP - now official!
: Date: 21 Mar 1997 10:07:22 GMT
: Message-ID: <5gtmkq$>
:
:
: The British government's Department of Trade and Industry has sneaked
: out proposals on licensing encryption services. Their effect will be to
: ban PGP and much more besides.
:
: I have put a copy on as
: their own web server appears to be conveniently down.
:
: Licensing will be mandatory:
:
:     We intend that it will be a criminal offence for a body to offer
:     or provide licensable encryption services to the UK public without
:     a valid licence
:
: The scope of licensing is broad:
:
:     Public will be defined to cover any natural or legal person in the UK.
:
:     Encryption services is meant to encompass any service, whether provided
:     free or not, which involves any or all of the following cryptographic
:     functionality - key management, key recovery, key certification, key
:     storage, message integrity (through the use of digital signatures) key
:     generation, time stamping, or key revocation services (whether for
:     integrity or confidentiality), which are offered in a manner which
:     allows a client to determine a choice of cryptographic key or allows
:     the client a choice of recipient/s.
:
: Total official discretion is retained:
:
:     The legislation will provide that bodies wishing to offer or provide
:     encryption services to the public in the UK will be required to
:     obtain a licence. The legislation will give the Secretary of State
:     discretion to determine appropriate licence conditions.
:
: The licence conditions imply that only large organisations will be able to
: get licences: small organisations will have to use large ones to manage
: their keys (this was the policy outlined last June by a DTI spokesman).
: The main licence condition is of course that keys must be escrowed, and
: delivered on demand to a central repository within one hour. The mere
: delivery of decrypted plaintext is not acceptable except perhaps from
: TTPs overseas under international agreements.
:
: The effect of all this appears to be:
:
: 1. PGP servers will be outlawed; it will be an offence for me to sign
:    your pgp key, for you to sign mine, and for anybody to put my
:    existing signed PGP key in a foreign (unlicensed) directory
:
: 2. Countries that won't escrow, such as Holland and Denmark, will be
:    cut out of the Superhighway economy. You won't even be able to
:    send signed medical records back and forth (let alone encrypted
:    ones)
:
: 3. You can forget about building distributed secure systems, as even
:    relatively primitive products such as Kerberos would need to have
:    their keys managed by a licensed TTP. This is clearly impractical.
:    (The paper does say that purely intra-company key management is
:    OK but licensing is required whenever there is any interaction with
:    the outside world, which presumably catches systems with mail, web
:    or whatever)
:
: There are let-outs for banks and Rupert Murdoch:
:
:     Encryption services as an integral part of another service (such as in
:     the scrambling of pay TV programmes or the authentication of credit
:     cards) are also excluded from this legislation.
:
: However, there are no let-outs for services providing only authenticity and
: nonrepudiation (as opposed to confidentiality) services. This is a point that
: has been raised repeatedly by doctors, lawyers and others - giving a police
: officer the power to inspect my medical records might just conceivably help
: him build a case against me, but giving him the power to forge prescriptions
: and legal contracts appears a recipe for disaster. The scope for fraud and
: corruption will be immense.
:
: Yet the government continues to insist on control of, and access to, signing
: keys as well as decryption keys. This shows that the real concern is not
: really law enforcement at all, but national intelligence.
:
: Finally, there's an opportunity to write in and protest:
:
:     The Government invites comments on this paper until 30 May 1997
:
:
: Though if the recent `consultation' about the recent `'
: programme is anything to go by, negative comments will simply be ignored.
:
: Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
: protocol (see that is broken
: (see
:
: In Grey's words, ``All over Europe, the lights are going out''
:
: Ross

Adam
--
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

participants (2)
Adam Back
John Young