1995-12-06 - Re: Why Netscape employees should not leave

Header Data

From: Adam Shostack <adam@homeport.org>
To: greg@ideath.goldenbear.com (Greg Broiles)
Message Hash: 1c4779ec5269be770d6abad57233541462ab213847cd70e6cbd4db7ded0d601c
Message ID: <199512061633.LAA29559@homeport.org>
Reply To: <199512040002.AA08103@ideath.goldenbear.com>
UTC Datetime: 1995-12-06 16:28:21 UTC
Raw Date: Wed, 6 Dec 95 08:28:21 PST

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Wed, 6 Dec 95 08:28:21 PST
To: greg@ideath.goldenbear.com (Greg Broiles)
Subject: Re: Why Netscape employees should not leave
In-Reply-To: <199512040002.AA08103@ideath.goldenbear.com>
Message-ID: <199512061633.LAA29559@homeport.org>
MIME-Version: 1.0
Content-Type: text


	I think that this logic (below) is off.  GAK is evil.  Pure
and simple.  If the market wants CKE/optional escrow for business
thats one thing.  The recent NIST meeting has shown that any system
promulgated by the government will force on us a system with excessive
kowtowing to the 'interests of law enforcement.'

	If people want CKE, and I think they do, then the government
will get 90% of what it gets with GAK, with none of the fight.  Most
companies will happily turn over keys at the flash of a badge, never
mind a warrant.  (Was it Doug Barnes who pointed out that spying is
more exciting than banking?)  If it was easy, I'd probably have backup
escrowed copies of my secret keyring.  In Lichtenstien.

	This leaves us to ask, why GAK is such a big deal at NIST, if
CKE will get them most of what they want?  First, they haven't
realized that CKE is most of what they want.  Second, they're worried
about the extra 10%.  Drug dealers and terrorists not using it.  (This
points towords an eventual mandate for GAK, even if it starts out
voluntary.  Many have noted this.)  Third, they've invested so much
energy in the fight for GAK that they're emotionally tied to the idea,
and they can't say 'well this would be almost as good.'


Adam

| The last sentence seems backwards to me - mandatory GAK is the real evil, not
| non-mandatory GAK. (non-mandatory GAK is just a special case of voluntary
| key escrow, where some of us might choose to escrow to /dev/null, some to
| their attorney, some to a friend, and some to freeh@fbi.gov.) Non-mandatory
| GAK makes me nervous, because it seems susceptible to back-door coercion
| ("Dear Citizen: We notice that you've turned off GAK. Don't you trust us?
| Please write back and tell us why you're no longer letting us have access
| to your net traffic. Do you have something to hide?") but mandatory GAK
| is the worst-case scenario being implemented immediately.
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume





Thread