Re: RIPE22: Agenda - on escrow in europe - plz ignore if not interested in net security
From: Jon Crowcroft
Date: Fri, 06 Oct 95 10:46:33 +0100
> Hello All,
> Yesterday I read in "Communications Week International"
> (issued 18 Sept 95) the article named "Euro-Clipper chip
> scheme proposed" by Damian Peachey.
> Can somebody comment on it more surely than it is in the article?
it is likely that the EC will recommend that the EU moves to
a) no public domestic use of strong encryption
b) escrow keys held by some EC agency
this is despite the fact that there are NO technical experts that I
know of that agree that
1/ terrorists, drug dealers and dissemination of obscene material
will be affected in the least, or would particularly benefit from
wide availability of commercial strong encryption (seeing as they can
get it for nothing or use phrasebook technology instead)
2/ Key escrow is inherently unsafe since the holders of the escrowed keys
are not part of the users' audit mechanisms - furthermore, it is a
potential invasion of the right to free and private speech, and
represents a direct attempt to exert more (international) state
control than is tolerable by almost all international commerce.
There is a body of work that analyzes complete security systems (from
banking for example) which shows that most (>90%) of security failures
are due to breach of trust in the people chain, and not in the
technology. [ref CACM Nov 94, Vol 37, No. 11, "Why Cryptosystems
Fail", Ross Anderson] - see also various bboards about the differences
between openly available technology (c.f. pgp) and secretly produced
auth/privacy software (c.f. netscape - 3 failures to date).
see also http://web.cnam.fr/Network/Crypto/
Most large commercial organisations that really need strong crypto
will of course find ways around (e.g. SWIFT use DES already for
banking - I am sure that the large financial institutes will get
special permission to use 128bit or larger keys for RSA)
It is very sad that the EC has such incompetent technical advice.
At an IAB security workshop a while back on Internet security, a large
number of US experts were very scathing about the US government
attempt to enforce clipper. There is only one 'security expert' on
record as supporting it, and that is Dorothy Denning....in my opinion,
her motives are extremely suspect.
For people from countries like yourself it has proved vital to have the
ability to communicate privately and be highly assured that a government
cannot eavesdrop - I cannot understand why the EC which supports
political changes that involve popular movements against government to
increase freedom, should see fit to try to introduce a policy and
mechanism that decreases it.
The ACM (as chair of ACM SIGCOMM I suppose I should say this) has
taken the official position in a policy statement that escrow is
technically flawed, and should not be employed.
regards
jon crowcroft