linux security - Mar 1997 - UK Encryption ban legislation {from: [comp.risks] RISKS DIGEST 18.95}

I think this is an issue of serious interest to many of the subscribers
of these lists; it would effectively ban a lot of security-related tools
that many of use now find indispensable, e.g. ssh, pgp.

------- Start of forwarded message -------
Date: 21 Mar 1997 10:11:57 GMT
From: rja14@cl.cam.ac.uk (Ross Anderson)
Approved: R.E.Wolff@BitWizard.nl
Subject: DTI proposals on key escrow

The British government''s Department of Trade and Industry has sneaked
out
proposals on licensing encryption services. Their effect will be to ban PGP
and much more besides.

I have put a copy on http://www.cl.cam.ac.uk/users/rja14/dti.html as
their own web server appears to be conveniently down.

Licensing will be mandatory:

      We intend that it will be a criminal offence for a body to offer
      or provide licensable encryption services to the UK public without
      a valid licence

The scope of licensing is broad:

      Public will be defined to cover any natural or legal person in the UK.

      Encryption services is meant to encompass any service, whether provided
      free or not, which involves any or all of the following cryptographic
      functionality - key management, key recovery, key certification, key
      storage, message integrity (through the use of digital signatures) key
      generation, time stamping, or key revocation services (whether for
      integrity or confidentiality), which are offered in a manner which
      allows a client to determine a choice of cryptographic key or allows
      the client a choice of recipient/s.

Total official discretion is retained:

      The legislation will provide that bodies wishing to offer or provide
      encryption services to the public in the UK will be required to obtain
      a licence. The legislation will give the Secretary of State discretion
      to determine appropriate licence conditions.

The licence conditions imply that only large organisations will be able to
get licences: small organisations will have to use large ones to manage
their keys (this was the policy outlined last June by a DTI spokesman).  The
main licence condition is of course that keys must be escrowed, and
delivered on demand to a central repository within one hour. The mere
delivery of decrypted plaintext is not acceptable except perhaps from TTPs
overseas under international agreements.

The effect of all this appears to be:

1. PGP servers will be outlawed; it will be an offence for me to sign your
   pgp key, for you to sign mine, and for anybody to put my existing signed
   PGP key in a foreign (unlicensed) directory

2. Countries that won''t escrow, such as Holland and Denmark, will be
cut out
   of the Superhighway economy. You won''t even be able to send signed
   medical records back and forth (let alone encrypted ones)

3. You can forget about building distributed secure systems, as even
   relatively primitive products such as Kerberos would need to have their
   keys managed by a licensed TTP. This is clearly impractical.  (The paper
   does say that purely intra-company key management is OK but licensing is
   required whenever there is any interaction with the outside world, which
   presumably catches mail, web and so on.)

There are let-outs for banks and Rupert Murdoch:

  Encryption services as an integral part of another service (such as in
  the scrambling of pay TV programmes or the authentication of credit
  cards) are also excluded from this legislation.

However, there are no let-outs for services providing only authenticity and
nonrepudiation (as opposed to confidentiality) services. This is a point
that has been raised repeatedly by doctors, lawyers and others - giving a
police officer the power to inspect my medical records might just
conceivably help him build a case against me, but giving him the power to
forge prescriptions and legal contracts appears a recipe for disaster. The
scope for fraud and corruption will be immense.

Yet the government continues to insist on control of, and access to, signing
keys as well as decryption keys. This shows that the real concern is not
really law enforcement at all, but national intelligence.

Finally, there''s an opportunity to write in and protest:

  The Government invites comments on this paper until 30 May 1997

Though if the recent `consultation'' about the recent
`government.direct''
programme is anything to go by, negative comments will simply be ignored.

Meanwhile, GCHQ is pressing ahead with the implementation of an escrow
protocol (see http://www.cs.berkeley.edu/~daw/GCHQ/casm.htm) that is broken
(see http://www.cl.cam.ac.uk/ftp/users/rja14/euroclipper.ps.gz).

In Grey''s words, ``All over Europe, the lights are going
out''''

Ross
------- End of forwarded message -------

----------
From: 	Jeff Uphoff
Approved: R.E.Wolff@BitWizard.nl
Sent: 	Monday, March 31, 1997 4:53 PM
To: 	bugtraq@crimelab.com; linux-security@redhat.com
Subject: 	[linux-security] UK Encryption ban legislation {from: [comp.risks]
RISKS DIGEST 18.95}

I think this is an issue of serious interest to many of the subscribers
of these lists; it would effectively ban a lot of security-related tools
that many of use now find indispensable, e.g. ssh, pgp.


[INFO SNIPPED]

This is very worrying! I thought these things only happened in other
countries. How many people know of this - in fact this topic almost
deserves it''s own mailing list!  I''d be willing to host some
kind of
list along this subject if anybody wants one?

Email me leigh@wisper.net and if I get enough replies i''ll get a list
up and running.

[mod: Nettiquette: Please don''t use lines longer than about 76 chars.
-- REW]

--
Leigh Porter
Wisper Bandwidth Plc.

"RW" == Rogier Wolff <R.E.Wolff@BitWizard.nl> writes:
>> I further wonder what hand the [.... CIA]
>> and [.... NSA] have in this.

RW> My guess is "nothing". Really. Here in Holland the government
got in
RW> gear to pass an "encryption is illegal" bill a few years ago.
The
RW> law was written by someone who clearly didn''t understand the
issues.
RW> Someone found out and a big protest was arranged. It was cancelled.
RW>
RW> Similarly, it seems that the English have gotten someone who simply
RW> thinks "Bad guys can use encryption, lets make it illegal" to
write
RW> that law. It seems they sneaked it along a few legislative hurldles
RW> before the masses found out.
RW>
RW> I think it is more a case of incompetetence and not of actual "we
want
RW> to be able to tap everything" motives.
RW>
RW>                                 Roger.

I tend to agree with Rogier, both for the reason(s) he stated and for
another: from some of the rumblings that I''ve heard here in the US, it
may well be the case that domestic law enforcement concerns (DOJ/FBI et
al.) have much more to do with this sort of legislation than the
"classic" national security related agencies.

The NSA, for instance, is quite knowledgeable about encryption (a
whopping understatement); many "movers and shakers" there are no doubt
quite aware that *everyone* that wants strong encryption now has it, and
that domestic legislation to try and keep it under control for national
security purposes is an exercise in futility.

The domestic law enforcement crowd (e.g. Department of Justice), on the
other hand, is relatively new to this game; they appear to think that
the genie can still be stuffed back into the bottle through legislation.
(I just don''t think that the NSA is that naive.)

--Up.

Ok OK! No more email :)

I''ll put a list on here and mail the subscribing info.

[mod: Nettiquette: Please don''t use lines longer than about 76 chars.
-- REW]

Sorry, broken Windoze NT mailer :(

--
Leigh Porter
Wisper Bandwidth Plc.

[mod: Deleted lots-of-junk, yeah I know: Broken NT mailer... -- REW :-]

Jeff Uphoff wrote:
>
> "RW" == Rogier Wolff <R.E.Wolff@BitWizard.nl> writes:
> RW>
> RW> Similarly, it seems that the English have gotten someone who simply
> RW> thinks "Bad guys can use encryption, lets make it illegal"
to write
> RW> that law. It seems they sneaked it along a few legislative hurldles
> RW> before the masses found out.
> RW>
> RW> I think it is more a case of incompetetence and not of actual
"we want
> RW> to be able to tap everything" motives.
> RW>
Actually, It hasn''t gone along ANY legislative hurdles.  The
document that is causing all this fuss is essentially a white
paper.  It was created as a proposal.  The government is saying
that they will try and take this through parliament, as far as
I know this does not constitute any legislative hurdles.

The full document is available on
http://dtiinfo1.dti.gov.uk/pubs/

and they would like people to mail their comments to
ttp.comments@ciid.dti.gov.uk

Now if I''m not branded a trouble maker for that then... :-)

As far as I can see, if you read the full document it does not
ban the use of encryption.  What it bans is encryption
services.  You should be perfectly legal if you manage your
own keys (using PGP or whatever) as long as you are not
managing keys for other people.  This means that the PGP web of
trust is useless (read illegal) as you can''t sign others keys.
But AFAIK you can use your ttp key to sign your pgp key, and
thus use the trusted third parties as a CA for your PGP key...
and use PGP for encryption.

Adam

I just read the linux lists and spotted Leigh setting up a mailing list.

There are several different people approaching this, I myself, setup a mailing
list and Website detailing these proposals some 2 weeks ago along with some
comment.

Most of the Information is at

	http://www.tibus.com/encryptionuk/

including subscription information and mailing list archives.

Also, if may be worth pointing out the Labour Party''s stance on the DTI
proposals:

" It is important that privacy is rigorously protected over the new
networks,
  for both personal and commercial reasons. We do not accept the "clipper
chip"
  argument developed in the United States for the authorities to be able to
  swoop down on any encrypted message at will and unscramble it. "

The full text is available off the above URL.

Comments from the Industry is invited (which I will add to the website
with permission) with a view to developing a joint Industry document
to the DTi before the Fri 30 May deadline for submissions.

Paul Gregg
Technical Director
The Internet Business Ltd
--
 The Internet Business Ltd, Holywood House, Innis Court, Holywood, BT18 9HF
 pgregg@tibus.net                                     http://www.tibus.net/
            Phone: +44 (0)1232-424190  Fax: +44 (0)1232-424709
           Eight out of every five people are math illiterates.