DTI Policy Response
Stefek Zaba
sjmz at hplb.hpl.hp.com
Tue, 28 Apr 1998 20:03:56 +0100
brownrk1@texaco.com said:
> That's interesting. So does that mean if I want to compromise X's private key,
> I send a file encrypted by X's public key to a bad guy who is about to get
> busted? Ok, I know I won't get the key either, but X might be unhappy
> about having to reveal it to someone.
>
Umm, not really - it would be bizarre to send a message encrypted in X's
public key to anyone but X. No, to cause X's public key to be disclosed
under warranted access - under a reasonable reading of the sketchy policy
proposals - you cause a message to be sent *to* X apparently *from* a bad
guy about to get busted. Since "from a bad guy" does not need to be
cryptographically assured, it may suffice to perform a simple impersonation
in the style of "telnet mxhost.for.good.guy 25\nHELO bad.guy\nMAIL FROM:
<really.bad@mafia.org>\nRCPT TO: <good.guy>\nDATA\nSubject: Drop details\n
\nBEGIN PGP MESSAGE ..."

Should "good.guy" here be for example a major bank, receiving encrypted
information, this can cause encryption-receipt key disclosure on an
economically painful scale. (It'd be a new way for small net-savvy pressure
groups to harass MegaCorp Inc, in fact: first get a reputation for fringe
violence, like some of the animal rights groups, then send encrypted RSA
messages to the Big Bad Corporations. Voila - their encryption-receipt keys
float out of their control to the (utterly trustworthy) central decryption
facility. Yum yum yum. It'd work against other multinationals too - hitech
computer companies, big petrochemical companies, ...)

It's for this reason that the phrases about "recovery of keys" in Paras
12 and 14 of the DTI Statement are worryingly vague: warrants which result
in the disclosure of material allowing a broad range of traffic to be
decrypted, rather than a specific message or piece of stored data, pose
significant operational risk, impose costly re-keying burdens, and are not
technically justified. But the wording of the Statement doesn't enlighten
as to where the proposed warrants lie along a scale from message-specific,
key-owner-aware to all-messages-in-the-last-year, subject-blind... which
is why I equated the pellucidity of the Statement in this regard to that
of the rich Thames mud flowing past the Mother Of Parliaments.

Stefek
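
The two ends of that scale, as an added illustration that is not part of the original message: assuming a PGP-style hybrid scheme in which every message carries its own session key wrapped under the recipient's public key, the key owner can answer a message-specific warrant by releasing one session key, whereas releasing the private key opens all traffic. The toy RSA parameters and the keystream cipher below are stand-ins chosen so the example needs only the standard library; they are not secure.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA over two Mersenne primes: demonstration only, NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # recipient's long-term private exponent

def _stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy cipher, no integrity)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(plaintext: bytes) -> dict:
    """Hybrid encryption: fresh session key per message, wrapped under (E, N)."""
    session_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return {"wrapped_key": wrapped, "body": _stream_xor(session_key, plaintext)}

def recover_session_key(msg: dict, d: int = D) -> bytes:
    """Performed with the private exponent: unwrap ONE message's session key."""
    return pow(msg["wrapped_key"], d, N).to_bytes(32, "big")

def decrypt_with_session_key(msg: dict, session_key: bytes) -> bytes:
    """All a warrant holder needs for a single message; no private key involved."""
    return _stream_xor(session_key, msg["body"])

def demo():
    # Constructed sample messages, both encrypted to the same recipient key.
    warranted = encrypt(b"Subject: Drop details")
    unrelated = encrypt(b"Interbank settlement instructions")
    # Message-specific disclosure: only the warranted message's session key.
    disclosed = recover_session_key(warranted)
    opened = decrypt_with_session_key(warranted, disclosed)
    still_sealed = decrypt_with_session_key(unrelated, disclosed)
    # Key disclosure: whoever holds D can unwrap every message ever received.
    exposed = decrypt_with_session_key(unrelated, recover_session_key(unrelated, D))
    return opened, still_sealed, exposed

if __name__ == "__main__":
    for label, value in zip(("warranted", "unrelated/session key", "unrelated/private key"), demo()):
        print(label, "->", value)
```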