
Re: gack vs. key escrow vs. key recovery



Vladimir Z. Nuri writes:
> 
> cpunks, a note about recent developments in "key recovery" initiative.

[...]

> is the government always going to be your 
> enemy, no matter what they do?

It seems to be bent on doing so.

> I have posted here before that many companies find the concept
> of "key recovery" highly acceptable and even desirable. the 
> basic question is, what does this mean to wiretapping and 
> search warrants and subpoenas?

They get served, and the keys are produced.  Same with personal
crypto- if I'm in court and some encrypted file that I have the
key for is demanded as evidence, I provide the key or get
hit with contempt of court, my choice.
No one is arguing about that.  The objections to Clipper III are:

1. built-in wiretapping. Clipper III requires that subjects of
"key recovery" wiretaps are not notified of the government's
"recovery" of their keys.  While this _is_ analogous to phone
wiretaps, it is not of anything else.  The cops have to serve
you a warrant, not sneak in and read the papers in your desk.
Why should encrypted files be different?

2. Coercion.  I don't see anything wrong with key escrow
(original meaning, not GAK).  I think it's useful for business.
Required for some.  It's being coerced to implement it that is
distasteful.  If you think that Clipper III isn't coercion, you're
wrong- note that the licenses to export GAKware are reviewed every 6 months
and expire after 2 years if GAK isn't in place.  That's a clear
"you're on our side or you're not" from the government.  Having
the possibility of your product suddenly becoming worthless
every 6 months will keep companies in line.

3.  It's still too weak. 56 bit DES isn't enough- it can very probably be
cracked in < 12 seconds by the NSA.  If not real time.

4.  It's the camel's nose in the tent.  First "key recovery"
then full GAK then penalties/jail time for "terrorists"
or "gang members" who use unGAKd crypto.


-- 
Eric Murray  [email protected]  [email protected]  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF