1997-10-16 - Re: Security flaws introduced by “other readers” in CMR

Header Data

From: Greg Broiles <gbroiles@netbox.com>
To: cypherpunks@cyberpass.net
Message Hash: 55bf13d6357f3410a04ce86967a147d3cecd5516717c930d2c3f23dd602cdbc0
Message ID: <3.0.3.32.19971015183740.008cad00@mail.io.com>
Reply To: <19971015173435.26095@rigel.infonex.com>
UTC Datetime: 1997-10-16 01:48:21 UTC
Raw Date: Thu, 16 Oct 1997 09:48:21 +0800

Raw message

From: Greg Broiles <gbroiles@netbox.com>
Date: Thu, 16 Oct 1997 09:48:21 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Security flaws introduced by "other readers" in CMR
In-Reply-To: <19971015173435.26095@rigel.infonex.com>
Message-ID: <3.0.3.32.19971015183740.008cad00@mail.io.com>
MIME-Version: 1.0
Content-Type: text/plain



Tim May <tcmay@got.net> wrote:

>Truly sensitive stuff--stuff about takeovers, foreign production plans, new
>products, etc.--will be encrypted with channels having no nosy security
>guards or Corporate Crypto Compliance Police silently listening in.
>
>Which means we're back to square one. So why does PGP, Inc. bother?

Because they've got customers who will pay for CAKware. 

Why will customers pay for it? Same reason the FBI wants GAK, even though
motivated/well-informed crypto users will superencrypt or otherwise bypass
the enforcement mechanisms. If you're the C in CAK or the G in GAK, access
to some data is better than access to no data - and the possibility of
enforcement radically alters the risk/benefit calculus of even intelligent
actors who see their interests as contrary to those of the [C,G]. 

As Jon Callas confirmed at the recent Cpunks physical meeting, the current
CAK/CAM/whatever system has very weak code re policy enforcement - for
example, it'll allow otherwise forbidden messages to pass through its
filters if even the "--- BEGIN PGP MESSAGE ---" lines are altered or
removed. It won't disassemble tar or zip or uuencode packages, or otherwise
attempt to discover simple attempts to bypass the enforcement mechanisms.
They're not trying to stop determined covert communicators - that's not
their threat model.


--
Greg Broiles                | US crypto export control policy in a nutshell:
gbroiles@netbox.com         | Export jobs, not crypto.
http://www.io.com/~gbroiles | http://www.parrhesia.com






Thread