Warning: bad PGP signatures!
(Source of the full document: http://www.jya.com/nai-kra.htm)

Date: Sun, 22 Nov 1998 05:27:31 -0800
To: pgp-users@joshua.rivertown.net, cryptography@c2.net
From: Dave Del Torto
Subject: KRA on ADK vs KR, NAI membership
Cc: coderpunks@toad.com, ukcrypto@maillist.ox.ac.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Summary:

(1) The Key Recovery Alliance will analyze the viability of PGP's ADK technology as an alternative to escrowing of keying material and intends to publish its position.

(2) Network Associates IS a member of the KRA as of July 2, 1998. Note that date is ~6 months after NAI represented itself as having withdrawn.

(3) Corporate contacts for KRA member-companies are not public information. I have also inquired about who the KRA contact person is at NAI.

dave

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0
Comment: Get interested in computers -- they're interested in YOU!

iQA/AwUBNlgRApBN/qMowCmvEQLm7wCgx+7sBVgBQsXisQLJswx3w7a16Q0Anii3
XOzJzZxEMqd9YnMlz93U+iXX
=eHxw
-----END PGP SIGNATURE-----

................................. cut here .................................

My Inquiry to the KRA:

To: info@kra.org
Subject: request for information

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I have some questions about the KRA.

1. In your FAQ, you state that one of the organization's goals is to:

   "Serve as a focal point for industry efforts to develop commercially acceptable solutions for recovery of encrypted information"

   This seems to allow that there may be valid encrypted _data_ recovery methods other than _key_ recovery using the KRA's "common key recovery block" (still under discussion). However, I'm not aware of the KRA's public position on the recovery of plaintext using cryptographically sound and ethically responsible alternatives to the escrowing of keys in organizational situations, e.g. PGP's Additional Decryption Key (ADK) mechanism.

   What is the KRA's public position on PGP's ADK?

2. A public debate has recently arisen because the KRA website's member roster indicates that Network Associates (NAI) is a member of the KRA. NAI representatives, however, have publicly contraindicated this. Can you clarify NAI's membership status in the KRA, specifically:

   A. On what date (if ever) did NAI apply for membership in the KRA?

   B. Is the KRA in possession of any evidence (letter, etc) to show that NAI was or is a member of the KRA?

   C. If NAI was a member of the KRA at any time, on what date did a corporate officer of NAI formally withdraw NAI from the KRA, if ever?

   D. Regarding KRA membership policy, if a company is not a member itself but acquires another company that is a KRA member, does this acquisition automatically confer membership status on the parent company, or is a formal request to "expand" the company's membership necessary?

   E. If NAI was not a member of the KRA at the time of its Trusted Information Systems (TIS) acquisition, did the KRA receive a request from any NAI representative to expand TIS's membership to all of NAI?

3. KRA member companies are listed with their web URLs, but no individual contact name/phone/email is provided for any of them. Can you supply a complete listing of the designated contacts (corporate representatives) at each of the KRA member organizations, should one want to discuss with them their respective companies' KR positions or proposals? For example, if, in fact, the KRA website is correct to list NAI as a member, then who is NAI's official KRA representative?

Thank you in advance for your prompt clarification.

dave
____________________________________________________________________________
Dave Del Torto +1.415.334.5533
CSO & VP Security Consulting
Level Seven Digital Labs
PGP Key: Fingerprint: 9b29 031d 70de f566 e076 b108 904d fea3 28c0 29af / Size: 4096

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlUMapBN/qMowCmvEQKt8wCg0i6ZZj1a6aL/TrzM/jqv4wKBEnoAoK4e
xkwtQCiBJDHuBUWFRzCRBA/K
=fg+B
-----END PGP SIGNATURE-----

................................. cut here .................................

The KRA's prompt reply (signed by me to indicate what I received):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Date: Fri, 20 Nov 1998 06:31:50 -0800
To: Dave Del Torto
From: Michael LoBue
Subject: Re: request for information
Cc: Majdalany@kra.org, Bobbie@kra.org

Mr. Del Torto,

Thank you for your inquiry about a KRA member company. I am a member of the Alliance's secretariat staff addressing their business and administrative needs. This puts me in a position to answer some of your questions directly. Others I will pass along to appropriate Alliance member representatives for response.

About the KRA's public position on PGP's ADK, obviously it was not adequately addressed for your needs in the Alliance's existing materials. I will ask a more appropriate and knowledgeable spokesperson to respond to your questions and concerns.

Concerning Network Associates' membership in the KRA, in response to your question I have verified that our files contain an executed Membership Agreement for Network Associates (dated July 2, 1998), as well as a properly completed Application for Membership of that same date.

As an aside, the KRA has retained our firm to manage their business and administrative affairs. Our business is solely the management of industry associations. Thus, we have no conflict of interest as our clients are the 'associations' themselves and not any of the individual member companies.

For the management of our client associations (currently 4) we employ certain practice standards. One important practice area is the impartial recognition of membership. Simply put, we exercise no discretionary judgment about whether a company is a member or not. If a company completes the required steps to become a member (execute an agreement, complete an application and pay the appropriate dues) they become a member. In other words, membership is binary...complete all the steps --> become a member; omit any of these steps --> NOT a member.

Ever since the Alliance was formally constituted as a California nonprofit corporation (October 1997), rigorous application processes have been in place. It is true that a number of companies, including NAI I believe, were attending meetings under the name of the KRA during much of 1997. However, until the Alliance was formally constituted, involving membership agreements, applications and payment of dues, it's not entirely accurate to characterize those companies participating in 1997 as 'members' of the Alliance.

Indeed, some of this current 'public debate' about NAI's relationship with the KRA goes back to their public statement that they 'withdrew' from the organization. The fact of the matter is that they simply did not choose to become an actual member at the time the organization was formally constituted. When it was reported that they withdrew, there was in fact no entity from which to withdraw.

Regarding the listing of individual representatives from member companies, it is the Alliance's policy not to do this. For whatever it's worth, this is a standard practice of industry associations. I am passing your message along to the designated NAI representative and inviting him to respond.

At the risk of stating the obvious, it is not uncommon for companies in any industry, especially hi-tech, to have multiple opinions within their management teams. And, to have these opinions expressed in public forums.

It has been my experience that it is dangerous to infer corporate and product strategies from a company's membership in industry groups. Companies join industry associations for all manner of reasons, not all of which they share with the market. I'm not suggesting anything other than the fact that our industry makes for extremely "complex business" and there's no reason to believe that this complexity of actions, strategies and motivations isn't going to appear in a company's involvement in industry associations.

Sorry for the length of this reply. However, it's clear that there are a great many concerns behind your questions and I've tried to reach those concerns. I hope this response has been useful to you.

Regards,

Michael LoBue
KRA Secretariat Staff

--end KRA response--

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0

iQA/AwUBNlWtuJBN/qMowCmvEQI6WACgv0CZt3KmzptfQxO/2FJ2aqAA/v8An1C6
+q4Uh8H0LuwMKpou5cVS14v6
=ssZt
-----END PGP SIGNATURE-----