1997-10-15 - Re: FCPUNX:PGP Key Escrow and Congress

Header Data

From: goddesshera@juno.com (Anonymous Remailer)
To: cypherpunks@Algebra.COM
Message Hash: 2d863648192fa017a83d76d6a2bfa5daf6349e0ef572d6c87175e3aa6c2a1279
Message ID: <19971015.140657.9807.7.goddesshera@juno.com>
Reply To: N/A
UTC Datetime: 1997-10-15 20:27:12 UTC
Raw Date: Thu, 16 Oct 1997 04:27:12 +0800

Raw message

From: goddesshera@juno.com (Anonymous Remailer)
Date: Thu, 16 Oct 1997 04:27:12 +0800
To: cypherpunks@Algebra.COM
Subject: Re: FCPUNX:PGP Key Escrow and Congress
Message-ID: <19971015.140657.9807.7.goddesshera@juno.com>
MIME-Version: 1.0
Content-Type: text/plain




On Wed, Oct 15, 1997 at 02:10:54PM -0400, Eli Brandt wrote:
> Bruce Schneier wrote:
> > From: "Barbara Simons" <simons@VNET.IBM.COM>
> >
> > Some of these are old arguments that we've been hearing for a while,
> > but some are newer.  In particular, points 4 and 6 are difficult to
> > refute without getting into some technical details.  Both points also
> > undercut the argument that a key recovery infrastructure potentially
> > weakens security.  After all, the NSA thinks it's secure enough that it
> > can be used by the government.
> 
> Non-technical point: the NSA (reportedly) has no intention of using
> GAK for classified information.  They know that it weakens security.

You have this wrong.  In fact, NSA *supplies* keys for classified
encryption equipment.  They never told me whether they "escrowed"
copies of the keys they supply -- what do you think?

> Do the privacy of the nation's data and the security of its
> information infrastructure deserve the same consideration as the
> Pentagon's "Confidential" memos?  When you're planning to build in a
> single point of failure, this is a question you have to ask.

In fact, it's much more complex.  People with real classified data
don't trust encryption at all, and they only use it if they absolutely
have to.  They, unlike many cypherpunks, remember well that there are
other ways to get information besides running big computers, and if
you have protections against those in place already, crypto doesn't
buy much. 

But classified data isn't really interesting.  Though by any measure
there are huge amounts of it, it is dwarfed by the amount of
government data that is not classified.  To protect that data
government agencies will use commercial crypto, and "key recovery"
*will* be required in any commercial product purchased by a government
agency.  As use of crypto becomes commonplace business practice, the
government market will be huge, and consequently, commercial products
with key recovery *will* be prevalent.  Any company that doesn't 
supply it will be relegated to niche markets, and, if legal winds 
blow the wrong way, eliminated.

Crow



This message was automatically remailed. The sender is unknown, unlogged,
and nonreplyable. Send complaints and blocking requests to
<goddesshera@juno.com>.





