[Moderator: Back in town from a 4 day trip, expect some traffic again. :)]

Forwarded From: Kjell Wooding <kwoodingat_private>

http://www.wired.com/news/news/politics/story/12492.html

UK Encryption Wars
by Yaman Akdeniz
4:04am 25.May.98.PDT

Britain's postal service has announced plans to offer public key recovery services later this year, in an effort to overcome criticism of the government's previously proposed "trusted third party" cryptography initiatives.

The UK government has been struggling for two years to find a policy that balances privacy concerns against those of law enforcement agencies. Indeed, Royal Mail's announcement on 19 May comes in the wake of the British government's April introduction of a new encryption policy, the Secure Electronic Commerce Statement.

This policy is the third in a series of widely criticized Department of Trade and Industry key recovery documents. Unlike the government's first two plans, this latest policy favors voluntary rather than mandatory licensing of so-called "trusted third parties." But the requirement that third parties be government-approved leaves British privacy advocates jittery about the Royal Mail's announcement.

In describing the new plan on Tuesday, Jim Pang, director of Royal Mail's Electronic Services, took a conventional -- and unimpeachable -- line on the need for encryption.

"Users of the Internet do not have a guarantee of privacy and confidentiality, source of origin, or proof of receipt," he said. "At the moment it is relatively easy either to read someone else's Internet email or to pretend to be someone else sending email."

Ian Walker, technical director of Entrust Technologies, which is supplying the software, continued down the same path in an interview: "[Encryption] is a straightforward commercial need, regardless of government desires. It is a separate issue to key escrow."

Maybe so, say privacy advocates, but the heart of the Royal Mail proposal is the use of key recovery systems.

Critics the world over voice the same concerns: Voluntary or not, third party keys raise unprecedented privacy risks and governments should not be so easily granted a technical capability for mass surveillance.

Pang has attempted to pre-empt such fears about privacy by saying that "using advanced cryptographic technology ... will be the electronic equivalent of sending a signed document in a sealed Royal Mail Special Delivery envelope" and "will enable anyone to send and receive data on the Internet in the knowledge that their messages are totally secure."

Some privacy advocates, however, remain skeptical.

"None of the trusted third parties -- including the very reputable Royal Mail -- will be able to provide confidentiality and privacy of communications with key recovery systems unless their relationships with the law enforcement authorities are clarified and subjected to due process," argues Clive Walker of the CyberLAW Research Unit at the University of Leeds.

Other critics, moreover, note that the Royal Mail and Entrust may be promising a service they cannot deliver. Brian Gladman, a former Minister of Defense and technical director for NATO, believes that the technical security challenges posed by such a large-scale project are well beyond the current state of the art.

"These plans will impact on the security and safety of the British public," says Gladman. "It will be important that the Royal Mail provides ... a commitment to support independent, publicly visible scrutiny of their approach."

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]