Re: Binding cryptography - a fraud!
At 03:00 PM 10/9/96 MET, Bert-Jaap Koops wrote:
>The text is also available at
>http://cwis.kub.nl/~frw/people/koops/binding.htm.
>
>9 October 1996
>Eric Verheul, [email protected]
>Bert-Jaap Koops, [email protected]
>Henk van Tilborg, [email protected]
>(c) 1996 Eric Verheul, Bert-Jaap Koops, Henk van Tilborg
>This message may only be redistributed in its entirety and with
>inclusion of the copyright notice. Credit if quoting.
>
>_Binding Cryptography, a fraud-detectible alternative to key-escrow
>proposals_
[stuff deleted]
>The idea is that any third party, e.g., a network or service provider,
>who has access to components 2, 3 and 4 (but not to any additional
>secret information) can:
>a. check whether the session keys in components 2 and 3 coincide;
>b. not determine any information on the actual session key.
>
>In this way, fraud is easily detectible: a sender that attempts to
>virtually address a session key to the TRP (component 3) that is
>different from the real one he uses on the message (or just nonsense)
>will be discovered by anyone checking the binding data. If such
>checking happens regularly, fraud can be properly discouraged and
>punished.
I am at the same time dismayed and disgusted at the tendency of some people
to want to "detect fraud" on the part of ordinary citizens, as this paper
appears to want to do, but says _nothing_ about preventing fraud
_by_government. How is the average citizen to know if keys are being given
out to government agents for valid reasons?

I am further enraged by the last portion of the paragraph above where he
says, "fraud can be properly discouraged _and_punished_" Why "punished"?
Why call it "fraud"? Why should sending the "wrong" bits become a crime?

The US government, for example, has repeatedly claimed that key-escrow
systems should be "voluntary." Presumably, except for authoritarian and
totalitarian countries, no other country should force their own citizens or
others to use any sort of key-escrow/GAK system.

Maybe I'm biased: I'm a libertarian who believes that sending the wrong
bits shouldn't be considered a crime. The problem we have is with the
politicians, NOT primarily the criminals. Giving the government the ability
to punish people merely for sending the wrong bits (absent some other, REAL
crime) is an enormous step backward. And if they're guilty of a real crime,
why bother about the bits?

Even if I believed in GAK, which I don't, I don't think governments or
anyone else should be able to determine whether the "correct" code is
included with the data until and unless the government has a valid warrant,
with protections against government fraud, and has received the correct
code. That is the only point at which the government (even arguably) has a
legitimate reason to know this.

Jim Bell
[email protected]
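
An added illustration of the check described in the quoted text (not part of this message or of the quoted paper, whose construction is elided above): one known way to let a third party confirm that two ciphertexts carry the same session key, without learning it, is ElGamal with shared randomness plus a Chaum-Pedersen-style equality proof. The component layout (2 = key to the addressee, 3 = key to the TRP, 4 = binding data), the group, and every function name here are assumptions of this example.

```python
import hashlib, secrets

# RFC 2409 Oakley Group 1 safe prime (768-bit): demo-sized, too small for real use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # prime order of the quadratic-residue subgroup
G = 4              # generator of that subgroup

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _challenge(*vals):
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def bind_encrypt(session_key, y_addr, y_trp, trp_key=None):
    """Return (C, r_addr, r_trp, proof); trp_key models a cheating sender."""
    k = secrets.randbelow(Q - 1) + 1
    C = pow(G, k, P)
    r_addr = session_key * pow(y_addr, k, P) % P                  # component 2
    # An honest sender puts the same session key in component 3.
    r_trp = (session_key if trp_key is None else trp_key) * pow(y_trp, k, P) % P
    # Binding data: prove log_G(C) == log_h(r_addr / r_trp), h = y_addr / y_trp.
    h = y_addr * pow(y_trp, -1, P) % P
    w = secrets.randbelow(Q)
    c = _challenge(y_addr, y_trp, C, r_addr, r_trp, pow(G, w, P), pow(h, w, P))
    return C, r_addr, r_trp, (c, (w + c * k) % Q)

def check_binding(y_addr, y_trp, C, r_addr, r_trp, proof):
    """Public check: needs only public keys and the three components."""
    c, z = proof
    h = y_addr * pow(y_trp, -1, P) % P
    d = r_addr * pow(r_trp, -1, P) % P
    a1 = pow(G, z, P) * pow(C, -c, P) % P   # equals G^w for an honest proof
    a2 = pow(h, z, P) * pow(d, -c, P) % P   # equals h^w only if both keys match
    return c == _challenge(y_addr, y_trp, C, r_addr, r_trp, a1, a2)

def decrypt(x, C, r):
    """Recover the session key from one component with private key x."""
    return r * pow(C, -x, P) % P
```

The checker never touches a private key; a sender who addresses a different key to the TRP produces binding data that fails `check_binding`.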