RE: [ga] Re: We must move the DNSO server out of France.(was: Proof ofIdentification)

[R.Gaetano@iaea.org]

Roeland,

You wrote:
> 
> > To repeat what Kent and I have both tried to say....
> >
> >     * From both a technological and legal standpoint,
> >     authentication and encrytion are different.
> 
> Wrong on both counts and Kent knows better. The only 
> difference is what you
> encrypt.

I do not have the deep knowledge of the issue to discuss it in general terms
(i.e. neither how this is applied worldwide from the legal POV, nor what are
the deep technological differences between authentication and encription),
but for what regards France I will give my experience below.
 
> 
> >     * Nothing suggested so far on the DNSO lists requres
> >     encryption, nor should such suggestions be necessary.
> >     Encyption is the enemy of "open and transparent"
> 
> Pray tell, how you would validate an authentication with out 
> encryption
> technology? Your last sentence is only an opinion and is 
> unsupportable.

See below.

> 
> >     * While regulations about encryption vary, and will probably
> >     continue to evolve, no country bans strong authentication
> >     techniques.
> 
> France, China, (soon, the UK?) etc.

What France prohibits (for the sake of completeness, I should say "used to
prohibit", as I beleive that the legislation has changed this year and now
the restrictions on encription have been waived) is not the encription
itself as technology, but the transmission of encripted messages, i.e.
messages for which police, army, whatever, cannot determine the contents.

Digital keys used for identigfication only constitute an exception to this
rule, explicitely mentioned in the legislation.

So, while I agree that in order to have a meaningful electronic signature
that serves the purpose of validating the contents of a message you have to
encrypt the message as part of the process to produce the signature, the
message itself will be then transmitted in clear, i.e. not encrypted, and
therefore will compy with the French rules (even the former restrictive
ones).

> 
> > Now, there must be some part of "no restriction on
> > authentication" that is hard to understand, but, if so, would
> > someone explain to us what it is.
> 
> The amount of encryption allowed for authentication makes this a moot
> difference. The authentication allowed in France is 
> ineffectual. It might as
> well be plain-text. There is indeed restrictions, on 
> authentication, in
> France, still.
> 

This was not true, even with the old legislation.

When I was at ETSI, we, as CORE Members, were transmitting to the SRS the
transactions with an electronic signature, and this was perfectly legal.
Where we had the problem, and we needed a special authorization (that had
been granted, BTW) was to perform online payments, because we needed to
transmit data like the credit card number in encrypted form.

I believe that simple authentication of the messages from an individual via
a digital signature will never require any "hard encryption" of data except
the signature itself, and therefore fill fall under the former category.

In other words, no need to move the DNSO Server out of France.

(BTW, even if the French legislation was more restrictive than it is, I
believe that we have far bigger problems than the potential difficulty in
identifying people via digital signature, even if this topic has been
accountable for heavy traffic this last couple of days. The problems and
lack of service associated to a move of the server are far worse and far
more "real" than this "potential" problem).

> I could hide all sorts of messages in a "public key".
> 
> > Otherwise, can we return this particular red herring to the pond?
> 
> Sorry, it's learned how to breath air.
> 

I hope it did not forget how to live in water ;>)

Regards
Roberto