Re: My chat with Goeff Greiveldinger
On Sun, 15 Oct 1995, Black Unicorn wrote:

> Effectively the potential for misuse is increased by virtue of the 
> increased numbers of officials (commercial and public) who have access to 
> the material.

Does he mean mandatory commercial key escrow (as in Clipper keys held
by credit agencies)? Or something totally voluntary but standardized
by the gov? 

*Rant mode on*

I've heard cracking into Equifax and TRW is considered a rite of passage in 
the phreaker crowd. The security would have to be *damn* tight (as in forget 
it) for it to be trustworthy. And since it would probably be the big three
credit rating agencies (I forget the other one), their track record is not 
reassuring. I don't see these people securely using crypto throughout the 
entire org (in such a large org) in the future if they don't already.

Seeing my key sold to Son of Blacknet(LD) by Sons of Mitnick is not 
reassuring.

For that matter, what sort of databases would they consider holding this on?
And how easy would it be for the general public to get access to their key,
to verify for accuracy and revoke compromised keys? (Big prob with the 
credit rating agencies.) Who would be allowed (if anyone) or mandated 
(depending on which scheme) to certify the security? If NSA is 
mentioned, one might also point out the job Matt Blaze did on their 
Clipper. Bad production values don't make for good public security. 
 
Of course it all depends on exactly why they really want the escrow anyway.
If people will encrypt a second time with tomorrow's pgp, why should anyone
care? 

All you'd single encrypt for would be your income tax and the 
financial records you're already required by law to keep (I'm sure I've
misunderstood this. Can't be so useless.). I know that's not a particularly
diplomatic carry-over from the debated-to-death Clipper thing, but really,
except as PR, why DO they still take this seriously? (unless you want to 
be paranoid about a ban, hmm, nevermind, debated-to-death)

Speaking of organizational crypto, anyone know what the scheme used in
Notes is? I know there's RSA... This seems rather more useful to examine
than MS's browser, considering corporations are making it a standard for 
groupwork. All you'd get on a browser would be credit no's and maybe e-mail.
Notes nets might carry the entirety of a company's docs and work in progress.
They do export it, right? Weakened foreign version or one 40-bit key version
for everyone? How about Novell NetWare?

(Yeah, I do realize most folks don't have it, neither do I. A free client 
would be very nice, Mr. Gerstner, for everyone.)