legislating the impossible? (Re: Encrypting to self)

Adam Back aba at dcs.ex.ac.uk
Sat, 4 Jul 1998 00:45:21 +0100


I would interpret the requirements for plaintext or the key to be that
you hand over what you are able to hand over or face punitive
measures.

In other words you can't hand over what you don't have.

Communications security is all about minimising the risk that an
attacker will be able to recover keys or plaintext.  It is therefore
good practice for senders and recipients not to be able to recover
plaintext if presented with old ciphertext.

Senders can't normally recover sent ciphertext anyway with public key
crypto except for the `encrypt to self' misfeature of PGP.  Don't use
encrypt to self!

Recipients often are unable to recover plaintext either, after the
fact, for example SSH and several SSL ciphersuites use forward secrecy
in the form of Diffie-Hellman, or temporary RSA keys.  Many IP-SEC
protocols also provide forward secrecy, and as this becomes more
widely deployed, the attacker will increasingly face the additional
problem of obtaining ciphertext to start with.  Coerced keys are no
use without ciphertext.

The attacker will then need to become active, and this is a more
costly class of attack.  This is good socially because it exposes the
social cost of pervasive drift net wire-tapping practices.  Military
intelligence agencies and unhealthily snoopy governments and civil
servants then are forced to limit themselves to those wire taps which
are economic to pursue by burglary to place taps, and software
breakins.

Adam
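[Editor's note: the following is an added example, not part of Adam's message. It is a small runnable model of the distinction the post draws: with PGP-style store-and-forward encryption, a coerced long-term private key plus old ciphertext yields plaintext, and "encrypt to self" extends that exposure to the sender; with an SSH/TLS-style ephemeral Diffie-Hellman session, the long-term keys are never an input to the session key and the ephemeral keys are discarded, so coercion of the long-term keys recovers nothing. X25519 is implemented from RFC 7748 in pure Python; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a demonstration construction chosen to keep the example standard-library only, not a production AEAD. The function names, labels and sample plaintext are the editor's own assumptions.]

```python
"""Added example: coerced long-term keys vs. old ciphertext.  Standard library only."""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")


def _clamp(k):
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")


def x25519(scalar, point):
    """X25519 scalar multiplication: the Montgomery ladder of RFC 7748 section 5."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASE)


def kdf(shared, label):
    return hmac.new(shared, label, hashlib.sha256).digest()


def _ctr(key, nonce, data):
    """HMAC-SHA256 in counter mode as a keystream (demonstration cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def _tag(key, nonce, body):
    return hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()[:16]


def seal(key, msg):
    nonce = secrets.token_bytes(16)
    body = _ctr(key, nonce, msg)
    return nonce, body, _tag(key, nonce, body)


def open_box(key, box):
    """Plaintext, or None when this key did not produce the box (tag mismatch)."""
    nonce, body, tag = box
    if not hmac.compare_digest(tag, _tag(key, nonce, body)):
        return None
    return _ctr(key, nonce, body)


def pgp_encrypt(msg, recipient_pubs):
    """PGP-style store-and-forward: a random session key is wrapped to each
    long-term public key.  Listing the sender's own key is 'encrypt to self'."""
    session_key = secrets.token_bytes(32)
    wraps = []
    for pub in recipient_pubs:
        e_priv, e_pub = keypair()
        wraps.append((e_pub, seal(kdf(x25519(e_priv, pub), b"wrap"), session_key)))
    return wraps, seal(session_key, msg)


def pgp_decrypt(ct, long_term_priv):
    """What a coerced long-term key yields: plaintext if any wrap was made to it,
    otherwise None (you cannot hand over what you do not have)."""
    wraps, box = ct
    for e_pub, wrapped in wraps:
        session_key = open_box(kdf(x25519(long_term_priv, e_pub), b"wrap"), wrapped)
        if session_key is not None:
            return open_box(session_key, box)
    return None


def fs_session(msg):
    """SSH/TLS-style forward secrecy: one-time DH keys on both sides, session key
    derived from them alone, ephemeral private keys discarded afterwards."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = kdf(x25519(a_priv, b_pub), b"session")
    assert key == kdf(x25519(b_priv, a_pub), b"session")
    box = seal(key, msg)
    del a_priv, b_priv, key  # only the public DH values and ciphertext survive
    return a_pub, b_pub, box


def fs_coerced_decrypt(record, long_term_priv):
    """A coerced long-term key was never an input to the session key, so every
    attempt against a recorded forward-secret session fails."""
    a_pub, b_pub, box = record
    for peer_pub in (a_pub, b_pub):
        pt = open_box(kdf(x25519(long_term_priv, peer_pub), b"session"), box)
        if pt is not None:
            return pt
    return None


def demo():
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    msg = b"meet at the usual place"  # constructed sample plaintext
    plain = pgp_encrypt(msg, [bob_pub])
    to_self = pgp_encrypt(msg, [bob_pub, alice_pub])
    fs = fs_session(msg)
    return {
        "pgp_recipient_coerced": pgp_decrypt(plain, bob_priv),
        "pgp_sender_coerced": pgp_decrypt(plain, alice_priv),
        "pgp_self_sender_coerced": pgp_decrypt(to_self, alice_priv),
        "fs_recipient_coerced": fs_coerced_decrypt(fs, bob_priv),
        "fs_sender_coerced": fs_coerced_decrypt(fs, alice_priv),
    }
```

Running demo() shows the three outcomes the post describes: Bob's coerced key opens the PGP-style message, Alice's does not unless she encrypted to self, and neither key opens the recorded forward-secret session. The ephemeral keys live only inside fs_session; what is left afterwards is exactly what an attacker with a wiretap and a coerced long-term key would hold, which is why the post argues the attacker must then become active.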