24 January 1998
To: ukcrypto@maillist.ox.ac.uk
Subject: More on Labour crypto policy ...
Date: Sat, 24 Jan 1998 11:32:48 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Over the last few weeks, crypto policy insiders have been talking to a number of people in industry, floating a proposed policy and testing the response. I heard about this policy from multiple sources in confidence; recently I received a non-confidential version.

It appears to be much the same as the previous government's policy, except that CAs which license signing keys only won't have to escrow private keys. CAs will be licensed, and signatures uttered with keys certified by them will have legal force.

This is clearly the carrot. But it's actually a stick. As a recent discussion on this list pointed out, there are already millions of contracts made by email with the signature being no more than an ASCII name at the bottom. So a strict interpretation of this policy would compel everyone who does business via email to start using digital signature software.

The catch is that the readily available products such as PGP combine signature and encryption functions, and no-one is going to redesign their products for the poxy little UK market, which accounts for maybe 5% of software sales. But if businessmen are compelled to sign email contracts using signature keys which, as they are also decryption keys, must be escrowed, then these signatures will not be valid in Germany, as the German digital signature law expressly bars signatures made with an escrowed key.

It looks like Hickson and his friends in the West Country are just digging themselves, and New Labour, deeper and deeper into the mire.

What's to be done? Well, there are many ways in which this madness might be averted. Our most recent contribution is the Global Trust Register, a CA which we have implemented in a manner which will in practice be impossible for governments to control.
For details see: http://www.cl.cam.ac.uk/Research/Security/Trust-Register/index.html

Ross