Lying and RIP

Kieran Barry cs97ktb at brunel.ac.uk
Thu, 16 Mar 2000 15:19:28 +0000 (GMT) 

On Thu, 16 Mar 2000, Brian Gladman wrote:

> [snip]
> > >I very much support your view here. The only justification I can see for
> > >wanting keys is to decode future traffic in near real-time and yet, as
> > >you say, anyone who is properly managing their security will immediately
> > >change keys after a key seizure.
> >
> > I have to disagree here.
> >
> > If you are covertly intercepting the traffic of someone you don't want to
> > tip your hat until you feel that you have all the information that you
> > need. I can very well see the government monitoring communications for
> > months, if not longer, and storing all the data they can't decrypt. Once
> > the feel they have enough they come in and demand the keys and start
> > decrypting what they have. Unless the public keys are changed frequently
> > (something that most people don't do) a wealth of data can be aquired by
> > this method.
> 
> But this can be done with decryption orders so GAK is unecessary.
> 
> In any event, we should not need to speculate - the Home Office should
> explain to us the circumstances in which decryption orders are not
> sufficient and GAK is necessary.
> 
> > I don't see future traffic being a real issue. Even if the person who's
> > keys are confiscated doesn't tell anyone else I seriously doubt that they
> > are going to say anything incriminating once they know that someone is
> > listening. :)
> 
> But with public key cryptography it the person at the other end who is doing
> the talking.
> 
Something else which I can see happening is that the person whose key is 
confiscated is going to be told that he can be prosecuted if he changes 
his key.

I can see a lot of scope for good cop/bad cop happening. I see a lot of 
threats which can be justified due to the vague drafting of the bill. 

For example, does "imposition... of ...obligations as it appears  to him 
reasonable to impose" means that the secretary of 
state can insist that I don't deploy IPsec with perfect forward secrecy? I 
would certainly be very nervous about refusing such a request.

Regards

Kieran