1997-10-15 - Re: FCPUNX:PGP Key Escrow and Congress

Header Data

From: goddesshera@juno.com (Anonymous Remailer)
To: cypherpunks@toad.com
Message Hash: 9c6b39ac83af670097181eb577d76dc5cf46696ebaecf853e53e79852aa86b7a
Message ID: <19971015.140657.9807.5.goddesshera@juno.com>
Reply To: N/A
UTC Datetime: 1997-10-15 20:41:55 UTC
Raw Date: Thu, 16 Oct 1997 04:41:55 +0800

Raw message

From: goddesshera@juno.com (Anonymous Remailer)
Date: Thu, 16 Oct 1997 04:41:55 +0800
To: cypherpunks@toad.com
Subject: Re: FCPUNX:PGP Key Escrow and Congress
Message-ID: <19971015.140657.9807.5.goddesshera@juno.com>
MIME-Version: 1.0
Content-Type: text/plain




On Wed, Oct 15, 1997 at 02:10:54PM -0400, Eli Brandt wrote:
> Bruce Schneier wrote:
> > From: "Barbara Simons" <simons@VNET.IBM.COM>
> >
> > Some of these are old arguments that we've been hearing for a while,
> > but some are newer.  In particular, points 4 and 6 are difficult to
> > refute without getting into some technical details.  Both points also
> > undercut the argument that a key recovery infrastructure potentially
> > weakens security.  After all, the NSA thinks it's secure enough that
> > it can be used by the government.
> 
> Non-technical point: the NSA (reportedly) has no intention of using
> GAK for classified information.  They know that it weakens security.

You have this wrong.  In fact, NSA *supplies* keys for classified
encryption equipment.  They never told me whether they "escrowed"
copies of the keys they supply -- what do you think?

> Do the privacy of the nation's data and the security of its
> information infrastructure deserve the same consideration as the
> Pentagon's "Confidential" memos?  When you're planning to build in a
> single point of failure, this is a question you have to ask.

In fact, it's much more complex.  People with real classified data
don't trust encryption at all, and they only use it if they absolutely
have to.  They, unlike many cypherpunks, remember well that there are
other ways to get information besides running big computers, and if
you have protections against those in place already, crypto doesn't
buy much. 

But classified data isn't really interesting.  Though by any measure
there are huge amounts of it, it is dwarfed by the amount of
government data that is not classified.  To protect that data
government agencies will use commercial crypto, and "key recovery"
*will* be required in any commercial product purchased by a government
agency.  As use of crypto becomes commonplace business practice, the
government market will be huge, and consequently, commercial products
with key recovery *will* be prevalent.  Any company that doesn't
supply it will be relegated to niche markets, and, if legal winds 
blow the wrong way, eliminated.

Crow



This message was automatically remailed. The sender is unknown, unlogged,
and nonreplyable. Send complaints and blocking requests to
<goddesshera@juno.com>.





