1995-10-15 - Re: My chat with Goeff Greiveldinger

Header Data

From: s1018954@aix2.uottawa.ca
To: Black Unicorn <unicorn@polaris.mindport.net>
Message Hash: 2330e072faced7c3f6d1779e45b5da7bbe6cfe760cfbc3443698760f41a3c1bb
Message ID: <Pine.3.89.9510151747.D61174-0100000@aix2.uottawa.ca>
Reply To: <Pine.SUN.3.91.951015171748.22497A-100000@polaris.mindport.net>
UTC Datetime: 1995-10-15 23:10:05 UTC
Raw Date: Sun, 15 Oct 95 16:10:05 PDT

Raw message

From: s1018954@aix2.uottawa.ca
Date: Sun, 15 Oct 95 16:10:05 PDT
To: Black Unicorn <unicorn@polaris.mindport.net>
Subject: Re: My chat with Goeff Greiveldinger
In-Reply-To: <Pine.SUN.3.91.951015171748.22497A-100000@polaris.mindport.net>
Message-ID: <Pine.3.89.9510151747.D61174-0100000@aix2.uottawa.ca>
MIME-Version: 1.0
Content-Type: text/plain




On Sun, 15 Oct 1995, Black Unicorn wrote:

> Effectively the potential for misuse is increased by virtue of the 
> increased numbers of officals (commercial and public) who have access to 
> the material.

Does he mean mandatory commercial key escrow (as in clipper keys held
by credit agencies?) Or something totally voluntary but standardized
by the gov? 

*Rant mode on*

I've heard cracking into Equifax and TRW is considered a rite of passage in 
the phreaker crowd. The security would have to *damn* tight (as in forget 
it) for it to be trustworthy. And since it would probably be the big three
credit rating agencies (I forget the other one), their track record is not 
reassuring. I don't see these people securely using crypto throughout the 
entire org (in such a large org) in the future if they don't already.

Seeing my key sold to Son of Blacknet(LD) by Sons of Mitnick is not 
reassuring.

For that matter, what sort of databases would they consider holding this on?
And how easy would it be for the general public to get access to their key,
to verify for accuracy and revoke compromised keys. (big prob with the 
credit rating agencies) Who would be allowed (if anyone) or mandated 
(depending on which scheme) to certify the security? If NSA is 
mentionned, one might also point out the job Matt Blaze did on their 
Clipper. Bad production values don't make for good public security. 
 
Of course it all depends on exactly why they really want the escrow anyway.
If people will encrypt a second time with tomorrow's pgp, why should anyone
care? 

All you'd single encrypt for would be your income tax and the 
financial records you're already required by law to keep (I'm sure I've
misunderstood this. Can't be so useless.). I know that's not a particularily
diplomatic carry-over from the debated-to-death clipper thing, but really,
except as PR, why DO they still take this seriously? (unless you want to 
be paranoid about a ban, hmm, nevermind, debated-to-death)

Speaking of organizational crypto, anyone know what the scheme used in
Notes is? I know there's RSA... This seems rather more useful to examine
than MS's browser, considering corporations are making it a standard for 
groupwork. All you'd get on a browser would be credit no's and maybe e-mail.
Notes nets might carry the entirety of a company's docs and work in progress.
They do export it, right? Weakened foreign version or one 40 bit key version
for everyone? How about novell netware?

(Yeah, I do realize most folks don't have it, neither do I. A free client 
would be very nice, Mr. Gerstner, for everyone.)






Thread