Unfinished Business

Communications Admin commz at verge.demon.co.uk
Wed, 21 Jun 2000 07:15:55 +0000 (GMT)


On Tue, 20 Jun 2000, Quentin Campbell wrote:

> On Mon, 19 Jun 2000, Owen Lewis wrote:
> 
> > > But his key has been compromised, and no-one has any idea how securely
> > > the plods have protected it
> > 
> > Quite so. And that is a matter of concern. Hence, among the suggestions of
> > others,  my suggestion for ensuring the establishment and maintenance of
> > proper standards of due care and of oversight.
> 
> That could be written into the Bill or CoP but will it really count for
> much?
> 
> There is one area of current Police activity (in the UK and elsewhere)
> which results in more deaths through lack "of due care and of oversight"
> than are ever likely to die because of disclosure of private crypto keys
> by LEAs.
> 
> This is the fatal wounding by armed Police of both suspects and innocents.

If they have a hand gun, or what looks like a hand gun, forget suspect or
innocent; the vocal minority ensured that this means they are a criminal
paedophile. Also it is bloody impossible, outside of movies, to 'just
wound'.

> 
> For all the media attention such incidents get there is no suggestion that
> government will disarm Police as a result. It follows that the government
> can live with a few deaths caused by the careless handling of crypto keys.
> Looked at in this cynical light what incentive does the government have to
> apply other than "reasonable and cost effective" measures to protect keys?
> 

Killing criminals is cost effective in both the short and long term; it
saves on legal fees and prison costs. The bean counters can live with that,
but what you're asking is that they spend as much as the keys' owners; more
money being wasted on criminals.

> At least with a Police shooting in the UK there is a measure of
> independent scrutiny. But when things do go wrong with RIP provisions
> there will be no smoking gun in the hand of a Police officer that can
> become the focus of an Inquest or a Police Complaints Authority
> investigation. Indeed RIP will not allow even that level of scrutiny.
> 
> 
> Quentin
> --
> PHONE: +44 191 222 8209     Computing Service, University of Newcastle
> FAX:   +44 191 222 8765     Newcastle upon Tyne, United Kingdom, NE1 7RU.
> -------------------------------------------------------------------------
> "Any opinions expressed above are mine. The University can get its own."
> 
> 

You're quite correct, however, in your observation about independent
scrutiny. There does seem to be a cultural problem with
this; traditionally intelligence, military and LEA (following the other
two's best practice) has been to maintain secrecy by 'need-to-know'. This
is actually quite sound, as the more people who know, the certainty of it
being secret vanishes. The concept of 'Chinese Walls' is used within
organisations to keep information separated from different functional
areas.

Both of these seem to have gone out with this central data clearing
house. Though such an establishment would make independent scrutiny
possible, as there would only be the one place to check.

The RIP should include a requirement to maintain a clear, accurate audit
trail of any individual key that could track its access by named
individuals.

Russ
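The audit trail the post calls for can be made tamper-evident rather than just a plain list. The following is an added example, written for this page and not part of the mailing-list post: each access to a held key is logged against a named individual and an authorisation reference, entries are hash-chained so that altering or deleting a record afterwards is detectable, and the chain head can be handed to an independent witness (the "one place to check" above). Key ids, names, timestamps and authorisation references are constructed placeholders.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Added example, not from the mailing-list post. Models a clearing house's
# per-key access log: who accessed which key, when, why, under what authority.
# All ids, names and references below are constructed placeholders.

GENESIS = "0" * 64
FIELDS = ("seq", "when", "key_id", "accessed_by", "purpose", "authority")


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of this entry, bound to the hash of the entry before it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical).hexdigest()


class KeyAccessLog:
    """Append-only, hash-chained record of accesses to individual keys."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, when: str, key_id: str, accessed_by: str,
               purpose: str, authority: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "when": when, "key_id": key_id,
                "accessed_by": accessed_by, "purpose": purpose,
                "authority": authority}
        entry = dict(body, prev_hash=prev, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Index of the first inconsistent entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in FIELDS}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or _entry_hash(prev, body) != e["hash"]):
                return i
            prev = e["hash"]
        return None

    def checkpoint(self) -> Tuple[int, str]:
        """(last seq, head hash) to hand to an independent witness."""
        if not self.entries:
            return (-1, GENESIS)
        return (len(self.entries) - 1, self.entries[-1]["hash"])

    def matches_checkpoint(self, seq: int, head: str) -> bool:
        """Does the log still contain the entry the witness recorded?"""
        if seq < 0:
            return head == GENESIS
        return seq < len(self.entries) and self.entries[seq]["hash"] == head

    def accesses_of(self, key_id: str) -> List[Tuple[str, str, str]]:
        """Every (when, who, authority) access to one key, in order."""
        return [(e["when"], e["accessed_by"], e["authority"])
                for e in self.entries if e["key_id"] == key_id]


def build_sample_log() -> KeyAccessLog:
    """Constructed sample: three accesses, two of them to the same key."""
    log = KeyAccessLog()
    log.record("2000-06-20T09:10Z", "KEY-0001", "officer-A",
               "decrypt seized material", "AUTH-REF-1")
    log.record("2000-06-20T11:45Z", "KEY-0002", "analyst-B",
               "decrypt seized material", "AUTH-REF-2")
    log.record("2000-06-21T08:00Z", "KEY-0001", "officer-C",
               "re-examination", "AUTH-REF-1")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("accesses to KEY-0001:", log.accesses_of("KEY-0001"))
    print("checkpoint for witness:", log.checkpoint())
```

The chain on its own only proves that nobody edited a record without recomputing everything after it; an operator with write access to the whole file could rebuild the chain from scratch. That is why `checkpoint()` exists: the head hash is periodically given to a party outside the clearing house, and a later `matches_checkpoint()` check exposes any rewritten history, which is the independent scrutiny the post argues RIP lacks.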