TIS, SKE, & CyberCash Inc.
John Young <jya@pipeline.com> wrote:
Peter Wayner writes in October BYTE on electronic documents in business.
Admirably covers encryption, digital signatures, authentication, digital cash, timestamps and more.
See "EDI Moves the Data", pp.121-128.
The issue has some other mentions of crypto.
Also worthwhile is the article on page 40 which discusses Trusted Information Systems' software-key escrow proposal. After seeing it I decided to hunt down the TIS Software Key Escrow paper at ftp://ftp.tis.com/pub/crypto/ske. It makes for interesting reading on the kinder, gentler, sugar-coated incarnation of key escrow that we're likely to be seeing more of. Sugar-coated or not, it still has poison inside.
TIS's proposal is even more noteworthy considering their affiliation with the CyberCash Inc. venture written about in the 09/13/94 WSJ article posted here several days ago (i.e. $whois cybercash.com = TIS). So, one of the leading proposals for SKE comes from a company involved with one of the leading digicash ventures. It looks like TIS is a company to watch.
The TIS SKE paper asserts that:
"Key escrow cryptography has been a controversial topic since it was proposed in 1993. We believe that it is most likely to be accepted for use outside of government if it is authorized by legislation that sets forth the circumstances under which keys may be released and the sanctions for abuse of the escrow process"
Well, hell will freeze over before it is accepted by this citizen. Those who have seen how RICO and the Forfeiture Law have run amok in this country have no reason to feel sanguine about the potential future abuses of key escrow. I don't expect the statutory limitations on its misuse to be any more reliable than the search and seizure limitations or due process requirements of the Fourth and Fifth Amendments which have been vitiated over the past decade or so.
And the prospect that the surveillance state infrastructure which the Friends of Big Brother (FOBBs) are trying to put into place today will be available for potentially more tyrannical leaders that may appear in the future, even more inimical to liberty, privacy and personal sovereignty than the current ones, is not a comforting thought.
-Michael
Michael Pierson wrote:
TIS's proposal is even more noteworthy considering their affiliation with the CyberCash Inc. venture written about in the 09/13/94 WSJ article posted here several days ago (i.e. $whois cybercash.com = TIS). So, one of the leading proposals for SKE comes from a company involved with one of the leading digicash ventures. It looks like TIS is a company to watch.
I agree that this is a crucial development to watch. Two related (I think) developments:
- Al Gore writes a guest editorial in the latest "Discover" magazine. His theme: an expansion of the "National Information Infrastructure" he calls the "Global Information Infrastructure." The New World Order in cyberspace. Wanna bet that this GII will have passports, authorization slips, tax collection capabilities, and is-a-person credentials?
- The latest "Internet World" (Oct. '94, p. 11) confirms that Microsoft is building Internet connectivity into upcoming releases of Windows and Windows NT. Given their known involvement in SKE/GAK (confirmed to me in e-mail, and reported here on this list a few months back), this "Microsoft said it will build in support for those protocols in the next versions of Windows and Windows NT" statement bears close watching.
(The scenario I think is likely: SKE is put in at the OS level, perhaps with these SLIP/PPP/TCP-IP protocols. Ostensibly "voluntary," it actually won't be, because selection of "escrow agents" will be from a list of approved entities. A *truly* voluntary system would allow complete bypassing, or selection of a "bit bucket" as the escrow agent. Fat chance.)
(TIS statement on SKE elided.)
Well, hell will freeze over before it is accepted by this citizen. Those who have seen how RICO and the Forfeiture Law have run amok in this country have no reason to feel sanguine about the potential future abuses of key escrow. I don't expect the statutory limitations on its misuse to be any more reliable than the search and seizure limitations or due process requirements of the Fourth and Fifth Amendments which have been vitiated over the past decade or so. And the prospect that the surveillance state infrastructure which the Friends of Big Brother (FOBBs) are trying to put into place today will be available for potentially more tyrannical leaders that may appear in the future, even more inimical to liberty, privacy and personal sovereignty than the current ones, is not a comforting thought.
Agreed. We need to watch carefully this one.
A "voluntary" software key escrow system is of course OK (useful for people afraid of forgetting their keys, for companies that don't want the death of employees to cut them off from corporate secrets, etc.). But any system in which the escrow key holders are *not* freely selectable from a list one generates one's self (where the agents may be the company lawyer, one's mother, one's priest, the bit bucket, the machine down the hall, or nothing at all, etc.) is *not voluntary*.
The recent conference on international use of crypto, noted by others recently and by several of us back in July, had an ominous agenda. Did any of you attend?
I get the feeling that wheels are turning, that deals are being cut. And given the EFF's recent sell-out on Digital Telephony (which is of course related to this, especially since the OS makers like Microsoft and Apple are negotiating deals with the cable-telco companies, thus presumably making the OS makers partners in the "wiretapping" requirements), I would not be surprised to see similar deals being arranged behind the scenes.
Much as I fear direct democracy, I also fear this kind of smoke-filled room trading away of our liberties.
Wiretap bills, Software Key Escrow, Government Access to Keys, information superhighways, Data Cops...it's all getting pretty worrisome.
--Tim May
--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
Timothy C. May says:
(The scenario I think is likely: SKE is put in at the OS level, perhaps with these SLIP/PPP/TCP-IP protocols. Ostensibly "voluntary," it actually won't be, because selection of "escrow agents" will be from a list of approved entities. A *truly* voluntary system would allow complete bypassing, or selection of a "bit bucket" as the escrow agent. Fat chance.)
They can build what they like, Tim. The protocols being defined right now by the IETF do not include provisions for escrow. Thus far, no one from the NSA, or even TIS, has come up to me and said that I should change the draft RFCs that I am writing.
Any such OS support for SKE in Microsoft software would not be interoperable with anyone else's software. Since the bulk of the internet does not run on Microsoft platforms, and since Microsoft doesn't sell things like routers and the like, even Microsoft has to interoperate if they want their packets to move past the local ethernet.
Perry
Perry E. Metzger wrote:
They can build what they like, Tim. The protocols being defined right now by the IETF do not include provisions for escrow. Thus far, no one from the NSA, or even TIS, has come up to me and said that I should change the draft RFCs that I am writing. Any such OS support for SKE in Microsoft software would not be interoperable with anyone else's software. Since the bulk of the internet does not run on Microsoft platforms, and since Microsoft doesn't sell things like routers and the like, even Microsoft has to interoperate if they want their packets to move past the local ethernet.
Good! I'm glad to hear that such developments make a "takeover" of Internet protocols less likely. (Even better might be a heavy international involvement, with folks from countries that are not malleable and controllable by the New World Order Task Force.)
Despite my periodic alarms, I'm pretty optimistic about our chances for escaping the "Big Brother Inside" future--my Cyphernomicon should make this optimism clear. Although I'm an admitted extremist in my views, I do try to steer clear of the two extremes:
Extreme 1: It's all over. Big Brother is here. Give up.
Extreme 2: We've already won. It's all over. They can do nothing to us.
I think we're somewhere in between, with some frightening laws on the horizon (look at the War on Drugs, civil forfeiture, tax laws, currency reporting requirements, health care proposals, etc.), but also with some new "degrees of freedom" that make control very difficult.
The war isn't over yet.
--Tim May
--
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
Cypherpunks list: majordomo@toad.com with body message of only:
subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tcmay
Timothy C. May <tcmay@netcom.com> wrote:
A "voluntary" software key escrow system is of course OK (useful for people afraid of forgetting their keys, for companies that don't want the death of employees to cut them off from corporate secrets, etc.). But any system in which the escrow key holders are *not* freely selectable from a list one generates one's self (where the agents may be the company lawyer, one's mother, one's priest, the bit bucket, the machine down the hall, or nothing at all, etc.) is *not voluntary*.
Of course the State's current interest has little to do with these legitimate issues. All the government rhetoric about "voluntary" encryption standards is a smokescreen. I believe those who don't want to eventually see government *dictated* key escrow, and the outlawing of alternatives should not let themselves be lulled by it.
A case in point is Tony Clark's draft legislation proposal for the "Encryption Standards and Procedures Act" from the House Committee on Science, Space, and Technology. In the preamble we have the sole reassuring mention of "voluntary":
"To amend the National Institute of Standards and Technology Act to provide for the establishment and management of voluntary encryption standards to protect the privacy and security of electronic information, and for other purposes."
Then in the Findings and Purposes section it starts to get at the crux of the real agenda:
"(2) The proliferation of communications and information technology has made it increasingly difficult for the government to obtain and interpret, in a timely manner, electronic information that is necessary to provide for public safety and national security."
This primary agenda is restated in the Requirements subsection under Federal Encryption Standards:
"(C) shall contribute to public safety and national security;
(E) shall preserve the functional ability of the government to interpret, in a timely manner, electronic information that has been obtained pursuant to an electronic surveillance permitted by law;
(F) may be implemented in software, firmware, hardware, or any combination thereof; and
(G) shall include a validation program to determine the extent to which such standards have been implemented in conformance with the requirements set forth in this paragraph."
Later on, in the Definitions section, the term "electronic information" for the purposes of the legislation is defined in what I find to be an ominously expansive way:
"(8) The term 'electronic information' means the content, source, or destination of any information in any electronic form and in any medium which has not been specifically authorized by a Federal statute or an Executive Order to be kept secret in the interest of national defense or foreign policy and which is stored, processed, transmitted or otherwise communicated, domestically or internationally, in an electronic communications system..."
What does "voluntary" really mean in the context of the repeatedly stated need to provide for "public safety and national security"? Does it mean that those who are the putative threats to said "public safety and national security" may volunteer to participate?? I can see them lining up right now. But then, I sure as hell don't plan to volunteer either. Uh oh, I guess that makes me suspect.
The more I think about it, the more ludicrous and derisible this pretense of "voluntary" becomes. How can someone not _want_ to volunteer to "contribute to public safety and national security?" If you can succeed in imposing this framework on the issue, then dealing with the heretics is so much easier.
I get the feeling that wheels are turning, that deals are being cut.
I certainly concur with that feeling. The wheels are definitely turning. They are racing to get the fundamentals in place in advance of social and technical developments that might make their job more difficult in the future. I wouldn't be surprised to see some cyberspatial version of the Reichstag fire come along as a goad to stampede the body politic into rash action on this issue. Perhaps a series of such incidents involving a spectrum of the usual bogeymen in a way so as to push the hot buttons of the widest possible demographic.
As time goes by the constituency that could oppose their actions grows. Concurrent developments in software and DSP technology are opening the window of opportunity for affordable consumer products that could provide secure, real-time public-key encryption of voice and data communications. Once people have the knowledge and the tools in their hands, they are much less inclined to accept ignorance as strength. Which is why it is urgent that we do what we can to spread the knowledge and forge the tools while the time is ripe.
Wiretap bills, Software Key Escrow, Government Access to Keys, information superhighways, Data Cops...it's all getting pretty worrisome.
It sure ain't my idea of the millennium...
-Michael
participants (3): Perry E. Metzger, tcmay@netcom.com, wfgodot@iquest.com