New Policy: where is the trapdoor?

[Nicholas Bohm]

The exact implications of the new policy cannot be examined until
legislation is published.  Within the scope of the Statement, what do we
need to watch for?  This is how I think it could be made to go wrong:

1   By giving exaggerated support to digital signatures supported by a
licensed CA's certificate, undermine the validity of signatures made with
self-certified PGP keys.

2   Treat CAs offering certificates for PGP keys as offering encryption
services, on the ground that PGP keys cannot be said to be used solely for
signature purposes.

3   Oblige licensed CAs which provide encryption services to provide key
recovery (i.e. make them insist on holding private keys).

Point 1 is foreshadowed in paragraph 11 of the Statement.  Point 3 appears
from the last sentence of paragraph 12.  Point 2 is tucked delicately away
in the first sentence of paragraph 12, behind the words "for example".

I do not say that what I have outlined is the DTI's agenda:  it is merely
one of the possible butterflies which could emerge from the Statement as it
proceeds from caterpillar onwards.  

Keep the bugspray handy.

	Regards,

		Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 870285	(+44 1279 870285)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF