1996-10-04 - Re: gack vs. key escrow vs. key recovery

Header Data

From: Eric Murray <ericm@lne.com>
To: vznuri@netcom.com (Vladimir Z. Nuri)
Message Hash: 1c6846573592f918cf3a26a53b0ddfe0cbc2158b728a49e1a09d5fb1e5b1bb20
Message ID: <199610040153.SAA24250@slack.lne.com>
Reply To: <199610040033.RAA18660@netcom19.netcom.com>
UTC Datetime: 1996-10-04 05:06:51 UTC
Raw Date: Fri, 4 Oct 1996 13:06:51 +0800

Raw message

From: Eric Murray <ericm@lne.com>
Date: Fri, 4 Oct 1996 13:06:51 +0800
To: vznuri@netcom.com (Vladimir Z. Nuri)
Subject: Re: gack vs. key escrow vs. key recovery
In-Reply-To: <199610040033.RAA18660@netcom19.netcom.com>
Message-ID: <199610040153.SAA24250@slack.lne.com>
MIME-Version: 1.0
Content-Type: text/plain


Vladimir Z. Nuri writes:
> 
> cpunks, a note about recent developments in "key recovery" initiative.

[...]

> is the government always going to be your 
> enemy, no matter what they do?

It seems to be bent on doing so.

> I have posted here before that many companies find the concept
> of "key recovery" highly acceptable and even desirable. the 
> basic question is, what does this mean to wiretapping and 
> search warrants and subpoenas?

They get served, and the keys are produced.  Same with personal
crypto- if I'm in court and some encrypted file that I have the 
key for is demanded as evidence, I provide the key or get
hit with contempt of court, my choice.
No one is arguing about that.  The objections to Clipper III are:

1. built-in wiretapping. Clipper III requires that subjects of
"key recovery" wiretaps are not notified of the government's
"recovery" of their keys.  While this _is_ analogous to phone
wiretaps, it is not of anything else.  The cops have to serve
you a warrant, not sneak in and read the papers in your desk.
Why should encrypted files be different?

2. Coercion.  I don't see anything wrong with key escrow
(original meaning, not GAK).  I think it's useful for business.
Required for some.  It's being coerced to implement it that is
distasteful.  If you think that Clipper III isn't coercion, you're
wrong- note that the licenses to export GAKware are reviewed every 6 months
and expire after 2 years if GAK isn't in place.  That's a clear
"you're on our side or you're not" from the government.  Having
the possibility of your product suddenly becoming worthless
every 6 months will keep companies in line.

3.  It's still too weak. 56 bit DES isn't enough- it can very probably be
cracked in < 12 seconds by the NSA.  If not real time.

4.  It's the camel's nose in the tent.  First "key recovery"
then full GAK then penalties/jail time for "terrorists"
or "gang members" who use unGAKd crypto.


-- 
Eric Murray  ericm@lne.com  ericm@motorcycle.com  http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF




