The following text is copyright 1996 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

Of Sealing Wax, Kings and Knaves

The Internet is in the postcard stage of evolution. Almost all communication over the Internet are as private as messages written on postcards, anyone who can intercept a message can read it. The Net is not even to the envelope stage in which communication is protected from the casual observer.

This seems a bit strange since the desire to protect communications is not a new one. In days of old paper missives were sealed with wax and an embossed design to both protect against opening and to indicate if the protection failed. The aim was to protect the message from the messenger and from those along the delivery path. The protection was not complete, kings had the right to look and knaves could divert.

People have been trying to protect Net communications since before there was a Net, the first encryption projects started in 1975--even before TCP/IP. Encryption goes one better than wax seals, even intercepted messages can not be read. But this is a feature that worries governments of all kinds and they keep trying to "fix" this feature. The latest effort is detailed by Stewart Baker in an article in the Sept. 1996 WIRED He reports that many governments, including the U.S., are again pushing key escrow (renamed "trusted third party encryption" to protect the guilty) now using the forum of the Organization for Economic Cooperation and Development in Paris.

Key escrow is a real good idea for business, imagine your treasurer encrypting all the company books in a secret key then getting his third dimension revoked by a truck, the business could be in for a real hard time unless that key is hidden away someplace safe, escrowed in a bank, for example. But it can be another story when it comes to individuals, particularly in some parts of the world. Many people in many governments (including the U.S. government) would just as soon ban the use of encryption protocols where a key is not kept by a third party--for the protection of the people.

Along the same line, in recent congressional testimony a government official was quoted as claiming that Certificate Authorities(CAs), which are used as part of particularly promising security infrastructure, need to know the private encryption key of an individual to perform their task. Since this is not true, one can only hope that it was a misunderstanding--the alternative is that messages sent by anyone using such a CA could be read or forged by the people running the CA (or by anyone with power over the CA).

On the other side. The Internet Architecture Board (IAB) and the Internet Engineering Steering Group (IESG) have issued the appropriately numbered RFC 1984 IAB and IESG Statement on Cryptographic Technology and the Internet (ftp://ftp.isi.edu /in-notes/rfc1984.txt) exploring some of the issues.

For any of you worried about the above trend, John Gilmore has started an ambitious project to develop a more secure Internet. The aim of the project is to secure 5% of the Internet traffic against passive wiretapping in 1996, 20% in 1997, (against both active and passive attacks) and 80% in 1998. (http://www.cygnus.com/~gnu/swan.html)

The ability to protect messages has progressed far beyond sealing wax, to the point that the knave can be reliably thwarted. It remains to be seen if the kings will permit the law-abiding to use the technology (the lawless already do).

disclaimer: Some might claim that the lectures of some Harvard professors are already encrypted but I know of no official university position on the issue.