An open letter from Paul Leyland to John Walker at the DTI

John: This is an open letter with a few questions arising from your
posting to UKcrypto.  It would be helpful if you could give answers.  I
realise that you may not be in a position to make ex cathedra
pronouncements on behalf of the DTI, but I and the list would appreciate
hearing your personal interpretation.

> The following are some of the points, raised in various newsgroups,
> and initial responses sent to us by email, which DTI believe are in
> error.  This list is not exhaustive. It's only purpose is to help
> focus the debate on the issues that are within the DTI paper by
> stating up front that certain elements reported to be either within
> the paper, or on the DTI agenda, are simply unfounded.  The real
> important issues such as individual privacy, legal interception,
> liability etc are, we believe, being somewhat overshadowed by the
> level of debate currently being conducted on certain fronts.

> for example:
 
> 1. That keys used for signing will be escrowed and therefore abused by
> Government:

> Nothing could be further from the truth. There is no requirement to
> deposit signing keys with a TTP. In fact our document recommends that
> private signature keys should never be disclosed.  See Annex E para
> 10.

1) Given that RSA key pairs can be used equally for authentication and
confidentiality, how can this be reconciled in practice?

Here is an example.  I am using exactly the same key pair to generate
the following ciphertext as I will be using to sign the entire posting.
Just to show that the text has meaningful plaintext, it is also
encrypted in Ross Anderson's public key.  I'm sure that if a dispute
arises, Ross will decrypt it and post the plaintext in a signed message.
I trust Ross to act as an escrow agent in this matter.

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

hIwDieRAz0snALkBBACL4R1hWRDL3qHH6Jf3UYK8d313AL8EPA8zskdKGa8zHIU5
i181zN4AN1BLuXkfxyPGbqhCrB/+LTziV1cey7KFMP2NJC6yWc7jVnGgfgNd8a2O
cM9ms253oC7NkAE85aLB+84EyvG4FLv8uVuqBmv+4taBKkPGJN0whRU32u5i8YSM
Azt/x7zOdmsfAQQAwH2lWUUMaMrCcD6hDlX7gDrm8j/Anry0pg9iHVUsPWnUyehX
7Juy/Pk5pTlXDT7QOovEi1agHPuh+5W4QTyUIzhiFMit36G4ypa865JbHgLl4lUS
OQnbjo0muC8VbN2FHRQ1Xi++pn4hlv/A9p5W+E4XCGD/WuHjN2yP1LIrujSmAAAA
dyOBec/BxHrSUJ/5157ts5FBRuN+WP8zg6U2LBqtERPsWS5C6oG+SjKhvHIiyjno
DUOyxgC+4owgrEGkY00CHAK3PbGwfkoWMe1KozHtn8E3gZVw9gkSjtJnGU1kBQ16
rHxmbBHuwUqf0varM7fPDJSutTjaGvFm
=oLTk
-----END PGP MESSAGE-----

> 4. That the Government intends to introduce domestic controls on the
> use of encryption:

> This is not true. It is not the intention of the DTI to regulate for
> the private use of encryption.  Users will remain at liberty to use or
> import any form of encryption, which includes software encryption
> (such as PGP) downloaded from the Internet.

And yet the proposals would appear to make it illegal for anyone to
provide cryptographic services to individuals, at least on my reading of
the regulations.  At the moment, I (really my employers) provide a
number of cryptographic services to all-comers.  I'll give just three
examples.  The anonymous ftp archive at Oxford contains a large number
of cryptographic software packages, including PGP.  We run one of the
PGP public key servers, pgp-public-keys@keys.uk.pgp.net.  I often give
advice and assistance to users and prospective users of cryptographic
tools, inside and outside Oxford University.  These give rise to a
number of questions.

2) Would the University be required to be licensed as a TTP in order
that it can continue to make its ftp archive available?

3a) If so, is that not introducing a de facto control of private use of
encryption, or at the very least, driving suppliers off-shore?  From
where are the private users supposed to download their permitted
encryption/authentication?

(A parenthetical question, because it's nothing to do with the
University: would it become illegal for a magazine to include PGP on a
cover-disk?)

3b) Would the University be required to be licensed as a TTP in order
that it can continue to run a PGP public key server?

Note that there is no way that decryption keys could be made available,
court order or otherwise.  Only the public keys are held; their owners
are the only ones keeping the corresponding private keys.  Note also,
that the PGP keyserver network is explicitly *not* a TRUSTED Third
Party.  Every response specifically states that it does not carry any
guarantee of authenticity.  If you send email to the pgp.net address
given above, the response will include the following disclaimer:

    NOTE!

    This service is here only to help transfer keys between PGP users.
    It does NOT attempt to guarantee that a key is a valid key; use the
    signators on a key for that kind of security.

4) What would my position be under the proposed legislation if I were to
provide assistance, perhaps on how to install and configure SSL, or PGP,
or Kerberos?  At the moment, I feel free to post to Usenet, send email
or answer the phone.  My reading of the proposals has a rather chilling
effect.

> 6. That the Government intends to legislate on the production of
> encryption products:

> Untrue.  Whether vendors produce encryption products for TTPs will
> depend on market demand.  There will be no restriction on the
> production of non key-recovery software.

5) Will market-demand be left to determine whether unlicensed suppliers
of cryptographic services will survive or not?

I note that in the field of medicine, some suppliers are licensed by
law, some are not.  Reflexologists and aroma therapists appear to
satisfy a demand.

> 7. That the legislation will prevent individuals authenticating the
> public keys held by other individuals.

> It will not.  Any ambiguity on this point (with respect to the
> Consultation Paper) will be removed in the prospective draft
> legislation.

6) What about keys held by those who are not individuals?

For example, I head the Oxford University Computer Emergency Response
Team, OxCERT.  We have a PGP key in that name.  All four members of the
team keep a copy so that sensitive email can be sent protected from
on-lookers but readable by any of us.  Our incident records are kept
encrypted in the same key.  The OxCERT key is signed with the public
keys of each of its members.  This leads to:

7) Would our acts of signing that key be illegal if they were to be
repeated after legislation were introduced along the lines of the DTI
proposals?

The OxCERT key has been used, by me, to authenticate the PGP keys of
similar security teams elsewhere.

8) Would that action become illegal, unless OxCERT became a licensed
TTP?

In a study funded by UKERNA last year, Piete Brooks and I proposed that
UK academia should set up a PGP certification heirarchy for the benefits
of the members of academia.  Each institution (deliberately left
undefined, as it depends on local circumstances, but could be a faculty,
Oxbridge college, research lab or entire university) would certify the
PGP keys of its members and its sub-institutions.  Institutions would be
free to certify the certifying keys of other institutions.  Bodies such
as UKERNA and other, non-academic certifying authorities, would be
encouraged to certify institutional keys.

9) Could such a system be set up under the proposed legislation?

10) If so, would each institution be required to be a licensed TTP, with
all the paraphenalia, including compulsory privacy key escrow?

11) If not, presumably under the internal-to-a-company provisions, would
an institution be able to cross-certify other institutions, perhaps
under an explicit disclaimer of liability?


Paul