[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Speak of the Devil

Hash: SHA1

On May 19, 2006, at 3:59 AM, Dan Mahoney, System Admin wrote:

On Thu, 18 May 2006, Mike Perry wrote:
I know warrants are difficult, but I come from a law enforcement family.

Thanks to new breakthroughs in Constitutional interpretation, time consuming things like warrants are no longer needed.

There's nothing stopping governments from logging the traffic (possibly at a higher level, like the upstream level)

Very much like telephone calls.

and then getting a subpoena for whatever key was used to encrypt it.

I'm sure that sending you off to some hidden prison around the world for a few months would convince one to hand over the key without a warrant.

The PROBLEM with this method is that once the length of the warrant has expired, 99 percent of people out there DO NOT check CRL's. I myself am guilty of this. I.e. once the government HAS your key, they've got it for the lifetime of your cert -- and while you can certainly retire that cert from use, there's no way to prevent the now-compromised cert and key from being used creatively for the remainder of the validity period.

This makes me rethink validity periods, how short is too long? If something expires in as little as a week, it can still be used for "creative" purposes for a few days. So I don't think that having an expiration does any good, CRLs are the way to go.

British govt just started pushing for Part III of RIPA citing
terrorism and kiddie porn as major reasons to require people to
disclose encryption keys...


Seems we may have a strong ally on our side on this one. International
bankers might not want the local police requiring them to hand over
keys either, though they certainly have enough political influence to
stop investigations before they start I'm sure...

The UK Crypto thread that spawned this article is here:
http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2006-May/ 080742.html

One can only hope that the Bill of Rights is enough to keep this
bullshit out of the US, but who knows.


"Don't be so depressed dear."

"I have no endorphins, what am I supposed to do?"

-DM and SK, February 10th, 1999

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin)