Anyone know whether PGP has plans for session key extractor

Richard Clayton richard at turnpike.com
Thu, 27 Jul 2000 01:20:59 +0100 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <psapKAANk2f5EwDS@ubik.demon.co.uk>, Anthony Naggs
<cryptlist@ubik.demon.co.uk> writes

>In message <GFniHeGNdyf5EAVD@turnpike.com>, Richard Clayton
><richard@turnpike.com> wrote
>>
>>In article <20000726191025.L19455@djebel.openit.de>, Werner Koch
>><wk@gnupg.org> writes

>>>I guess you need a utility to just extract the session key 
>>
>>yes
>
>[snip Turnpike related stuff]
>
>>>and which
>>>can decrypt a message given the session key?
>>
>>You could write this program if you wished ! However I suspect GTAC have
>>set aside some of their budget for producing this software themselves :)
>
>This would not be good enough.  Remember the user served with the order
>will have to unlock their private key with their password in order to
>decrypt the session key!

Yes indeed, and they can then hand over their session key to the
authorities. For this they will need an extraction utility.

>I think most people receiving such an order would rather use an
>independently written utility, that is preferably open to public review,
>than a program developed by/for GCHQ.

Yes indeed - but I see no requirement for them to provide GTAC (or GCHQ
or whatever) the program that allows GTAC to use the session key they
have just been given.

I think they should indicate the format of the session key (hex,
decimal, ASCII armour encoded to GTAC's public key, or whatever... but
that's it).

>A law enforcement/security agency supplied program may be suspected
>naughty things like: conveying your private key instead of the session
>key; leaking part of your private key; or leaking information about
>other private keys you have in your keyring files.

Yes indeed, which is why I wasn't suggesting that :(

Two separate programs (one written by the community to extract and one
written in Cheltenham to use it) would be just fine.

I was trying to reduce Werner's workload by reducing the spec :-)

- -- 
richard                       writing to inform and not as company policy
     want to have an influence on ICANN ?  http://members.icann.org/
"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBOX+Aa+tbVxwhgXFWEQKoGgCgt+iiNxvsZQNwxVEzgjT1yl0jBxEAoOoE
ocpDSgLxmDVFZNtfGncXmj/M
=bQbM
-----END PGP SIGNATURE-----