
Re: X/Open drafting requirements for global PKI


   The PKI TG is collecting the high level PKI Business Requirements
   necessary to balance the needs of government, commerce and private
   individuals in the global PKI infrastructure required to support
   global electronic commerce.

These needs are fundamentally in conflict.  Any single PKI which
attempts to satisfy all these communities is doomed to leave some or
all of the parties unsatisfied.

As a private individual, I believe that any provisions for
law-enforcement access within the PKI must be strongly voluntary
unless specifically required by law in the individual's jurisdiction.

By "strongly voluntary", I mean that:

	- individuals should be able to choose for each keypair and/or
	  for each message whether or not law enforcement would have
	  access to their communications.

	- individuals should be able to tell whether or not a
	  correspondent's long-term key is escrowed.

In many countries, attempts by persons to keep secrets using strong
cryptography are perfectly legal.

   The global PKI must support multiple governance policy models
   within a single global PKI framework, and must enable the
   enforcement of all existing governance policy mandates.

Without knowing what these "governance policy mandates" are, it's
uncertain how this is attainable.

   . Method of key generation will be discretionary, subject to
   commercial decision and business requirement.

Key generation by individual end users must not be precluded in any event.

   . Law enforcement retrieval (subject to due process of law)

It is important to realize that requirements for key recovery
infrastructure for law enforcement access differ from those for key
recovery for end-user data recovery, as these two applications of key
"escrow" have dramatically different requirements.  Unfortunately,
advocates of key recovery for law enforcement access tend to blur the
line between these two facilities.

Law-enforcement advocates for key escrow systems want the ability to
decrypt a stream of communications in real-time or near-real-time, and
have thus argued that the escrow agency provide the LEA with the
stored long-term secrets.  I believe that this approach is fraught
with danger, because it raises the possibility that corrupt
law-enforcement agents will have access to communications outside the
scope of the specific wiretap authorization or warrant.  I would much
rather see a scheme similar to the systems proposed by TIS and others
whereby the escrow authority is an implied additional recipient of
each message -- in such a system, only session keys are "escrowed".

In particular, it must not be possible for law enforcement to
*impersonate* a subject under investigation; such a capability would
be too tempting a capability for corrupt law enforcement, and would
make entrapment far too easy.

Note that this implies that signature keys should not be escrowed
under any circumstances.

   . authentication (mandatory binding PK to Directory Name, discretionary
     binding entity to a Directory Name)

I see this as unnecessarily X.500-specific.  Directory Names are
meaningless to applications not closely tied to X.500.

In particular, authentication and authorization facilities should tie
application-meaningful attributes (e.g., account names/numbers, mail
addresses, etc.) directly to the subject's keypair.

					- Bill
