HOME OFFICE RESPONDS AGAIN

Kieran Barry cs97ktb at brunel.ac.uk
Wed, 29 Mar 2000 23:01:52 +0100 (BST)


On Wed, 29 Mar 2000, Nicholas Bohm wrote:

> >We are not insisting that businesses never revoke keys so that they are
> >available for the retrospective decryption of information.  Once again, if
> >there is a problem here, it is one for law enforcement.
> 
> This prompts a question which I hope you will tackle in your next instalment.
> 
> If I am free (as we agree) to revoke a key I have been compelled to
> provide, and (as I hope we also agree) to publish that revocation both
> generally (on the key servers) and specifically (by sending the revocation
> certificate to those who communicate with me using the revoked key), the
> effect is that the key will not decrypt future traffic.  It will decrypt
> past traffic, but you do not need it to do that, as you can compel
> decryption of past traffic directly, and it would not be proportionate to
> demand a key (which gives access to a wide range of traffic) when a notice
> to decrypt specific traffic would do the job.
> 
> The consequential question is, why compel its disclosure?  Please justify.
> 
One of the home office people (Richard Riley?) said at SFS that they did 
not expect to demand keys from "reputable organisations". He seemed to be 
suggesting that most decryption notices were expected to be served on 
organisations.

Do you notice how hard it is for a private citizen to transform 
themselves into a "reputable organisation"? The thrust of what was said 
was that they would confirm that the decryption was accurate using the 
key, then chuck it away.

But it does seem to me that their claims that they expected GAK to be 
rarely used is based on the idea of organisations holding keys. But that 
would be encouraging key escrow, now wouldn't it?

So I have a question also: if the LEA asks for decryption, when does the 
Home Office team think that it would be reasonable to accept without 
confirmation (read: asking for the key)? 

It seems to me that any order to a private individual _must_ be 
accompanied by a request for the key.

I do hope that Simon has delegated responsibility for this week's 
response. He ducked out of SFS before the end, and now his weekly 
response looks like becoming fortnightly. Wonder where he's gone, that 
they don't have email?

Regards

Kieran