Backdoor government key escrow?

Arturo Quirantes Arturo Quirantes <aquiran at ugr.es>
Sat, 11 May 2002 10:36:00 +0200 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hola Joe,

El día 11/05/2002, a las 10:14, escribiste:

JH> Recent measures in the Finance Bill propose large fines to "encourage"
JH> people to file tax returns electronically (see
JH> http://news.bbc.co.uk/hi/english/business/newsid_1975000/1975504.stm )

        Form comparison, electronically-filed tax files can be filed in
Spain since 1998.  The certificate is issued by the FNMT (the government´s
official print, the guys who make banknotes, stams and so on).  The
process goes as follows:

        - You decide you want to do your tax declaration electronically.

        - You then browse the tax guys´ webpage and YOU create your
private/public key pair (you can even choose the size of the RSA key, 512 or 1024
bits).  The public key goes to the FNMT´ CA, along with your DNI
(identification document) number.

        How do they know that it wasn´t your neighbor who did it on your
name?  Because first you have to go to the AEAT (tax ministry), say that
you requested a certificate and show your ID.  They then give you a number
code.  They forward the number code + your ID number to the FNMT, so that
next time you go to the appropiate web page, you punch your code, and get
back your public key, certifice (signed) by the CA.

        When I first did it, all the process took about five days
(including a weekend).  The process was not perfect: the guys at the tax
departmente didn´t even check my ID! (well, I was one of the first, so I
guess they just didn´t have prior experience).

        Please note that it is you who create your own digital
certificate, and an official governmente department signs it for you (if
they´re trustworthy enough to sign banknotes, well, that´s good enough
for me).  One point to make is that the certificate is only valid for one
year (renewable), and so far it´s only valid for fax filing.  No doubt it
will make a good benchmark test for future "e-citizens" initiatives.
Already, a draft Digital Signature Bill is considering issuing electronic
IDs to all citizens.

        I had the chance to talk to some people in the governmente project
to create digital IDs.  They told me that there were plans to keep a copy
of the encryption key (not the signature key) of people for a) backup
purposes at the issuer´s request, and b) criminal investigations with a
court order.  They didn´t feel like wanting to play around with a dabatase
of people´s public keys.  Of course, the politicians think differently to
the tech people, and that was back in 1998...


- --
Salu2.  Arturo Quirantes
(PGP key 0x4E2031EC)

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBPNzJ6NPjg85OIDHsEQKvQwCgip3EdIkwU6MhKQf355mzPebs8FMAnRMq
P7x1COkeBFNaQquUdkRqeOp6
=YwiU
-----END PGP SIGNATURE-----