DTI Policy Response
Dr John Leach
leach at eu.tis.com
Wed, 29 Apr 1998 09:06:26 +0100

At 14:58 28/04/98 +0100, Nicholas Bohm wrote:
>It is not clear whether providing the session
>key instead of your private key will be sufficient. It is objectionable to
>have to provide your private key and thus give access to all other messages
>sent to you as well as the one the subject of the warrant.
>
The statement is careful not to target a precise key as that would no
longer be technology neutral. It is fairly clear that it is targeting
"information necessary to decrypt the content of communications or stored
data (in effect, the encryption key)". I read this to mean they are after
whatever is needed to allow them to decrypt the data. If you can satisfy
this by giving up the clear-text data, or the message key rather than a
private or master key, all the better for you.

>It is also not clear whether a provider of a certificate for a PGP
>key is "facilitating encryption services" (Statement, para 12)

I think it is fairly clear that it would be.

>The reasoning would be that a
>PGP key cannot be said to be used solely for signature (whatever the
>intentions of its owner, since third parties can use it to encrypt messages
>sent to the owner).

I would imagine that, from the DTI's point of view, this would be one of
the drawbacks for a user of using PGP. Caveat Emptor they would say, and
that if that's a problem for you, you should move to a product that uses
different keys for the different functions. Let's hope PGP is upgraded to
work in this way.

>If this is really how it is meant to work, no PGP key user could get a
>licensed CA certificate for the key without submitting to escrow (which
>would undermine the reliability of signatures using the key).

That seems about right.

Regards
JL
__________________________________________________________________________
Dr John Leach leach@eu.tis.com
Trusted Information Systems (UK) Ltd. Office : +44 (0)118 930 4413
8 Commerce Park Fax : +44 (0)118 930 4412
Theale GSM : +44 (0)467 417 694
Berkshire RG7 4AB Home Office : +44 (0)1264 332 477
ENGLAND Web : <http://www.tis.com>
PGP DH/DSS 2049/1024 public key ID: 0x6B5C E297.
Fingerprint: EF36 683B ... 6B5C E297
__________________________________________________________________________