Nightmare Scenario: Public Key Distribution Controlled
"Distribute a key, go to prison." How does the New World Order limit the use of strong crypto without "key recovery" when so many copies of older, pre-ban crypto are already out there? Simple, by declaring that public keys themselves are crypto material, as the Brits did in their Trusted Third Parties draft proposal, and hence declaring that distribution of keys after the effective date of the legislation constitutes a violation. Give someone your key, either by placing it on keyservers or even by mailing it to them, and one has just "distributed" crypto. This will make the public key infrastructure essentially useless, as the public key servers go down, as corporations yank any directories they may have, and (possibly) as individuals stop putting PGP or S/MIME fingerprints or pointers in their messages. How possible is this? Recall that the British proposal formally classified key material, the keys themselves, as cryptographic products. The language of the current unSAFE and Procto-CODE draconian bills, still changing of course as committees rewrite them to be more Big Brotherish, is vague on what constitutes crypto. If language is inserted making keys part of the bills, or if "interpretations" by Defense, Commerce, etc. make this determination, then there goes the infrastructure, even for already-distributed keys. Sure, underground use will continue. And those with PGP, and keys, may well have a reasonable defense in court, arguing that the program *and* the keys they used were already in their possession prior to the effective date of the legislation. But the effect would be chilling to almost any normal use of these programs. This is my latest nightmare scenario. --Tim May There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
This proposal is perhaps the most terrifying thing I've read. Mostly because such a proposal could pass quite easily by a small change -- one sentence -- to the definition of "cryptographic product" in a bill. You can bet that members of Congress would vote for it, too. -Declan On Sat, 13 Sep 1997, Tim May wrote:
Sure, underground use will continue. And those with PGP, and keys, may well have a reasonable defense in court, arguing that the program *and* the keys they used were already in their possession prior to the effective date of the legislation.
But the effect would be chilling to almost any normal use of these programs.
This is my latest nightmare scenario.
-----BEGIN PGP SIGNED MESSAGE----- In <v03102805b04065bf320b@[207.167.93.63]>, on 09/13/97 at 08:56 AM, Tim May <tcmay@got.net> said:
This will make the public key infrastructure essentially useless, as the public key servers go down, as corporations yank any directories they may have, and (possibly) as individuals stop putting PGP or S/MIME fingerprints or pointers in their messages.
Oh it would effectivly kill PGP but expect S/MIME to florish. My last reading of the S/MIME specs had direct reference to supporting GAK. If this legislation becomes law you will see very shortly N$, IBM, HP, M$ all with shinny new logos on thier products announcing that they are using government approved crypto. None of these companies are run by cypherpunks, they are run by "suits" who would sell out their own country and it's citizens if they could turn a profit doing so. - -- - --------------------------------------------------------------- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNBts7Y9Co1n+aLhhAQEq5gQAxACW/0N+B98+F5db7F8B/aZGlves9lls zi76zpnXiiq6POuYM4WeeX4xOfrpkGNC+WhetHkyzuEyweV9YM3+3EfiswN+j/CV RCRQXVWsDEQR7fzzMz6g7NZjCWEx2ZTv/brW+fEfDYU4nHU/e42dJrqHDHPTFmxF WMF6hVlONjo= =ZxRC -----END PGP SIGNATURE-----
At 4:03 PM -0700 9/13/97, Declan McCullagh wrote:
This proposal is perhaps the most terrifying thing I've read. Mostly because such a proposal could pass quite easily by a small change -- one sentence -- to the definition of "cryptographic product" in a bill.
You can bet that members of Congress would vote for it, too.
-Declan
I brought this up at yesterday's meeting, and those who commented agreed that "cryptographic keys" will likely be covered by the final language (next year's version, if one believes the consensus of our meeting). The U.K. TTP thing I cited is very long and detailed, in contrast to the brief language now circulating for the unSAFE bill. The Brits were more detailed in their planning process. Kelly Baugh had a great line. I hope my quoting of it here does not get her into trouble. Paraphrasing: "The FBI would rather get legislation passed without much planning, and then worry about the implementation later." (Her version may have been blunter, about thinking vs. acting, but my paraphrase captures the idea.) Antonomasia (sp?) made some points about whether or not the TTP draft really would cover key distribution. Recall we had many such discussions around the time the TTP thing was first being circulated, circa earlier this year. The archives may produce analyses on both sides. I believe the TTP draft would certainly cover the keyservers, and possibly even key-signing parties (under RICO, the Racketeer-Influenced and Cryptography Organizations Act). And whether the British TTP draft directly bans such things is not really the point. The U.S. version (and the versions eventually adopted, lapdog/OECD/Wasenaar/NWO style by other nations) could easily have explicit language to cover this. Like I said, I think the "key management...key certification...digital signatures...." stuff in the TTP draft is *already* sufficient to, if passed in the U.S., outlaw key servers. Whether contacting a key server in a foreign location is also illegal is another issue. Recall, though, that the TTP also had language about the illegality of using offshore cryptographic services (even non-U.K. services in general!). I believe the excitement we're now seeing is just Act One of the "Scare Them 'till they Beg for Big Brother" show. Act Two will commence in 1998. Probably with more detailed language, along the lines of the OECD/French/British legislation. The climax may not come until some Tragic Event: an airliner shot down by crypto-using terrorists, a major Child Terrorism or Nuclear Pornography ring is uncovered, another truck bombing, a nerve gas attack, a war in the Middle East, etc. Then the legislation will make it out of committee and be passed overwhelmingly. Exit, stage left. --Tim May There's something wrong when I'm a felon under an increasing number of laws. Only one response to the key grabbers is warranted: "Death to Tyrants!" ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^1398269 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."
participants (3)
-
Declan McCullagh -
Tim May -
William H. Geiger III