[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[coderpunks et al.] NAI/PGP & KRA

FYI.  PGP-Signaturen herausgenommen.


----- Forwarded message from Dave Del Torto <ddt@LSD.com> -----

Old-Content-Type: text/plain; charset="us-ascii"
Date: Sun, 22 Nov 1998 05:27:31 -0800
To: pgp-users@joshua.rivertown.net, cryptography@c2.net
From: Dave Del Torto <ddt@LSD.com>
Subject: KRA on ADK vs KR, NAI membership
Cc: coderpunks@toad.com, ukcrypto@maillist.ox.ac.uk


(1) The Key Recovery Alliance will analyze the viability of PGP's ADK
    technology as an alternative to escrowing of keying material and intends
    to publish its position.

(2) Network Associates IS a member of the KRA as of July 2, 1998. Note that
    date is ~6 months after NAI represented itself as having withdrawn.

(3) Corporate contacts for KRA member-companies are not public information.
    I have also inquired about who the KRA contact person is at NAI.


................................. cut here .................................
My Inquiry to the KRA:

To: info@kra.org
Subject: request for information


I have some questions about the KRA.

1. In your FAQ <http://www.kra.org/FAQS1209.html>, you state that one of the
organization's goals is to:

  "Serve as a focal point for industry efforts to develop commercially
   acceptable solutions for recovery of encrypted information"

This seems to allow that there may be valid encrypted _data_ recovery
methods other than _key_ recovery using the KRA's "common key recovery
block" (still under discussion). However, I'm not aware of the KRA's public
position on the recovery of plaintext using cryptographically sound and
ethically responsible alternatives to the escrowing of keys in
organizational situations, e.g. PGP's Additional Decryption Key (ADK)
mechanism. What is the KRA's public position on PGP's ADK?

2. A public debate has recently arisen because the KRA website's member
roster indicates that Network Associates (NAI) is a member of the KRA. NAI
representatives, however, have publicly contraindicated this. Can you
clarify NAI's membership status in the KRA, specifically:

 A. On what date (if ever) did NAI apply for membership in the KRA?
 B. Is the KRA in possession of any evidence (letter, etc) to show that NAI
    was or is a member of the KRA?
 C. If NAI was a member of the KRA at any time, on what date did a
    corporate officer of NAI formally withdraw NAI from the KRA, if ever?
 D. Regarding KRA membership policy, if a company is not a member itself
    but acquires another company that is a KRA member, but, does
    this acquisition automatically confer membership status on the parent
    company, or is a formal request to "expand" the company's membership
 E. If NAI was not a member of the KRA at the time of its Trusted
    Information Systems (TIS) acquisition, did the KRA receive a request
    from any NAI representative to expand TIS's membership to all of NAI?

3. KRA member companies are listed with their web URLs, but no individual
contact name/phone/email is provided for any of them. Can you supply a
complete listing of the designated contacts (corporate representatives) at
each of the KRA member organizations, should one want to discuss with them
their respective companies' KR positions or proposals? For example, if, in
fact, the KRA website is correct to list NAI as a member, then who is NAI's
official KRA representative?

Thank you in advance for your prompt clarification.


 Dave Del Torto        +1.415.334.5533          CSO & VP Security Consulting
                       <mailto:ddt@lsd.com>         Level Seven Digital Labs
 PGP Key:  <http://pgp.ai.mit.edu:11371/pks/lookup?op=get&search=0x28C029AF>
 Fingerprint: 9b29 031d 70de f566 e076 b108 904d fea3 28c0 29af / Size: 4096

................................. cut here .................................
The KRA's prompt reply (signed by me to indicate what I received):

Date: Fri, 20 Nov 1998 06:31:50 -0800
To: Dave Del Torto <ddt@lsd.com>
From: Michael LoBue <LoBue@kra.org>
Subject: Re: request for information
Cc: Majdalany@kra.org, Bobbie@kra.org

Mr. Del Torto,

Thank you for your inquiry about a KRA member company. I am member of the
Alliance's secretariat staff addressing their business and administrative
needs. This puts me in a position to answer some of your questions directly.
Others I will pass along to appropriate Alliance member representatives for

About the KRA's public position on PGP's ADK, obviously it was not
adequately addressed for your needs in the Alliance's existing materials. I
will ask a more appropriate and knowledgeable spokesperson to respond to
your questions and concerns.

Concerning Network Associates membership in the KRA, in response to your
question I have verified that our files contain an executed Membership
Agreement for Network Associates (dated July 2, 1998), as well as a properly
completed Application for Membership of that same date. 
As an aside, the KRA has retained our firm to manage their business and
administrative affairs. Our business is solely the management of industry
associations. Thus, we have no conflict of interest as our clients are the
'associations' themselves and not any of the individual member companies.
For the management of our client associations (currently 4) we employ
certain practice standards. One important practice area is the impartial
recognition of membership. Simply put, we exercise no discretionary judgment
about whether a company is a member or not. If a company completes the
required steps to become a member (execute an agreement, complete an
application and pay the appropriate dues) they become a member. In other
words, membership is binary...complete all the steps --> become a member;
omit any of these steps --> NOT a member.

Ever since the the Alliance was formally constituted as a California
nonprofit corporation (October 1997), rigorous application processes have
been in place. It is true that a number of companies, including NAI I
believe, were attending meetings under the name of the KRA during much of
1997. However, until the Alliance was formally constituted, involving
membership agreements, applications and payment of dues, it's not entirely
accurate to characterize those companies participating in 1997 as 'members'
of the Alliance. Indeed, some of this current 'public debate' about NAI's
relationship with the KRA goes back to their public statement that they
'withdrew' from the organization. The fact of the matter is that they simply
did not choose to become an actual member at the time the organization was
formally constituted. When it was reported that they withdrew, there was in
fact no entity from which to withdraw. 

Regarding the listing of individual representatives from member companies,
it is the Alliance's policy not to do this. For whatever it's worth, this is
a standard practice of industry associations. I am passing your message
along to the designated NAI representative and inviting him to respond. 

At the risk of stating the obvious, it is not uncommon for companies in any
industry, especially hi-tech, to have multiple opinions within their
management teams. And, to have these opinions expressed in public forums. It
has been my experience that it is dangerous to infer corporate and product
strategies from a companies membership in industry groups. Companies join
industry associations for all manner of reasons, not all of which they share
with the market. I'm not suggesting any thing other than the fact that our
industry makes for extremely "complex business" and there's no reason to
believe that this complexity of actions, strategies and motivations isn't
going to appear in a company's involvement in industry associations. 

Sorry for the length of this reply. However, it's clear that there are a
great many concerns behind your questions and I've tried to reach those
concerns. I hope this response has been useful to you. 
Michael LoBue
KRA Secretariat Staff

  --end KRA response--

----- End forwarded message -----

Thomas Roessler  74a353cc0b19  dg1ktr  http://home.pages.de/~roessler/
     2048/CE6AC6C1  4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1