[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The GAK Momentum is Building...

[business key management plans/infrastructures]
>However, making the government a _required_ part of such plans implies a
>motive that is not at all the same as what companies wish (mostly, disaster

the distinction lies in the terminology. what does it mean, "required
part of the plan". if it essentially amounts to nothing more than 
the government saying, "you must give us keys when we present you
with a subpoena/warrant", then that's no different than the system
we have today. again, granted, laws specifically aimed at crypto
can tend to take up a life off their own. but my main point was
that the gloom-and-doom peddled by you and lucky green over clipper
just doesn't mesh with the actual events. the government has 
visibly had to *backpeddle* *numerous* times in all of its 
clipper proposals. I see no evidence that the latest proposals
are going to be any different. what annoys me is people who are
crying wolf all the time, and even when it seems there are no
wolves around, or they have temporarily receded,
they say, "I told you so". "the wolves really are going to
devour you, just you wait and see"

 And, as has been noted so many times by so many of us, whatever
>the motivations for corporate key escrow systems for disaster planning are,
>there are no motivations for key escrow for _communications_. If the sender
>dies, or leaves, or whatever, the company can reconstruct his
>communications from _his_ key. Or the receiving side can reconstruct the
>recipients messages from _his_ side.

this doesn't parse to me. the simple situation that may occur:
employee [x] creates a key on behalf of company [y]. employee
[x] forgets or misplaces the key. company [y] needs to retrieve
key, and cannot go to other company to get it (imagine situations
such as encrypted internal files, for example, although it holds
equally well for communications-- it would be very embarrassing
to ask another company for the key to decode something you sent
them because you misplaced it). 
I think cpunks tend to blur and obfuscate this use of crypto-- 
i.e. nonpersonal use within companies.

what you seem to be saying is that companies should not have to
escrow keys involving communications. i.e. the communications
should be readable only between the communicators. but this makes
no sense to me either. companies wish to have permanent record
of all official correspondence. they don't send messages and then
don't keep them around, like guerilla cypherpunks spend all day
doing. ("YIKES!!! that msg has been on my hard drive 5 minutes!!
better delete it FAST")

>The only party interested in having access to "in transit" communications
>are the wiretappers and SIGINT folks. Think about it. No company I can
>think of is interested in reconstructing messages from the _actual
>communications_, only from the keys of employees.

bzzzt. "actual communications" == records of transactions between
companies. we are talking about everything that companies send back
and forth: bills, contracts, agreements, etc.-- virtually everything
that companies send each other, they keep on permanent record.

 The NSA and FBI, however,
>are _keenly_ interested in reconstructing messages from intercepts, of
>course, and hence are pushing for escrow of _communications_ keys!

hmmmm, this distinction you are now promoting of communication keys,
vs. whatever other kind their are (backups?) is something I've not
noticed you or others emphasize before, I would have to think about it.
frankly I don't see a whole lot of difference between what you are
calling "communication" keys and whatever else crypto is used for.

look, consider this: the government got its tentacles into every
business key database in existence, in the sense they can easily
open them when they get wiretaps/warrants. yet individuals were still free
to send crypto everywhere. how would this be much different than
today's system, other than that the government has more efficient
access once the order is granted?

>Furthermore, the main worry (for me, at least) is that the government hopes
>to get its Clipper IV scheme accepted (by means of export laws) at some
>large fraction of important corporate accounts, not the least of which will
>be Netscape, Microsoft, IBM, Oracle, Qualcomm, and suchlike major players
>in the "infrastructure" business. Once most of these have "bought off" on
>GAK, pressure will be intense to universalize the process, to make it a
>felony _not_ to use a "Key Authority."

that's a big, big leap, the kind that cpunks always love to make to
sell you on the dystopian orwellian nightmare they are always ranting
about.  the things that companies use keys for can be pretty different from
what individuals would use them for. the government can already get
any info it wants through a subpoena or warrant from a company, and
they will comply. how is this different than what you are referring to?
you are making a leap that if companies have internal key infrastructures
to protect their information, that the restrictions on them will automatically
carry over to private communications between individuals such as in
e.g. a telephone like scenario.

look, we already today accept that employee's liberties do not 
necessarily hold within a company. the concepts of "freedom of 
speech," "privacy" etc. do not necessary hold within companies.

>(BTW, I predict that the tainted term "key escrow" is now gone from the
>official lexicon. I haven't seen the Clipper IV proposal, but I surmise
>that the baggage the term "key escrow" carries means that some more
>benign-sounding term will be used in the final proposal. Something like
>"Key Recovery System." You heard it here.)

I hate the misuse and abuse of the english language in Orwellian 
fashion (The Great Plan to Protect the Integrity of Data Communications)
as much as you do, but there are some very significant distinctions
that are being glossed over. the new proposals are radically more
diffused than the original clipper plan imho. the government is
clearly in the process of backpeddaling. it's got all the
signs of desperation imho. if they didn't succeed
with the original clipper, what makes you think the more recent
proposals are all that sinister and likely of succeeding? 

you evade my basic point: perhaps in all the key escrow language
in the bills, it would all boil down in practice to, if we
have a subpoena or a warrant, you have to give us the keys. how
is that different than what we have now?

cpunks -- I am not an apologist for clipper. but I want everyone
to realize that to promote crypto, you have to intrinsically
support some things like a robust key infrastructure. who
is going to provide it? do you think that whoever does will
be *exempt* from warrants and subpoenas? that is not a system
that we have now, nor is it likely we ever will. moreover, few
but only the most ardent extremists would argue such a system
would be incompatible with "freedom" as we understand it in 
this country.

"government == evil" is a very simplistic outlook in life that
can come back to bite you bigtime, imho. there are some people
in government that share cpunk views and could do some good
if they weren't lumped in with the evil spooks who really are
trying to enslave humanity (hee, hee)