How to proceed? (was What has really changed)

Nicholas Bohm nbohm at ernest.net
Sun, 15 Aug 1999 12:44:02 +0100 

At 03:34 AM 8/15/1999 -0400, nigel hickson wrote:

>RE:  Changes to Bill and How to proceed
>
>Nicholas is right in that drafting changes to Bill (until committee stage)
>are not down to you or us (in DTI).  But there is no harm in suggesting new
>text which accomplishes that which you think it should - in terms of keys
>and plain text.  Clearly the text at present does not prevent waht I think
>you want (ie session keys only) but would also allow other types of "keys"
>(as defined) to be asked for.  Surely  we have to be careful not to\become
>too technology specific here. 

I agree.  

Clause 10(2) depends on it appearing that a person has "a key", and enables
a notice to demand disclosure of "the key".

Where it appears that a person has both a private key and a session key, I
think that the notice could probably specify which had to be disclosed,
although the drafting is not wholly unambiguous.

What amendments would do the trick?  I suggest the following with
explanatory comments [in square brackets]:

1	In subclause 10(1)(a) and (b) delete the words ", or is likely to come,".

[The session key approach fails if future encrypted data is within the
scope of the notice]

2	In subclause 10(3) insert a new paragraph (c) as follows (renumbering
accordingly):

"(c)	must be accompanied by a copy of the protected information in
electronic form;"

[The keyholder may never have received it, or may have deleted it (or not
retained the encrypted form of it)]

3	In clause 11 add a new subclause 11(4) as follows:

"(4)	Where a direction has been given in accordance with subsection (3)
that a requirement to which it applies can be complied with only by the
disclosure of the key to protected information, the person required to
disclose the key shall be taken for the purposes of this Part to have
complied with that requirement if, by the time by which he is required to
disclose it to any person, he has provided that person with any key to that
protected information."

[This ensures that where a key must be given, any key (i.e. including a
session key) will meet the requirement]

[Note that this does not meet the point raised by Brian Gladman, that the
keyholder may not be entitled to see the encrypted information - it may not
yet have been released from a restriction under a confidentiality agreement
for example, despite having come into the possession of law enforcement
bodies.  The only way to deal with that point is to limit my suggested
clause 10(3)(c) so that the notice can be accompanied by just enough of the
encrypted material to enable the session key to be extracted.  This would
complicate the thing a good deal to meet what I feel must be rather a rare
contingency.]

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF