Perfect Forward Secrecy: Not So Perfect, Not So Forward

Roland Perry lists at internetpolicyagency.com
Tue Dec 11 13:47:53 GMT 2012


In article <84AA0149-0EC8-4A79-9470-C65BF912942A at batten.eu.org>, Ian 
Batten <igb at batten.eu.org> writes
>Communication Data scrutiny report [1], paragraph 92 implies that 
>Google are in a position to retrospectively decrypt SSL sessions.   
>
>ian
>
>92. Many internet services are encrypted; this includes many of the 
>major overseas based communications services such as Gmail. Encryption 
>is the basis of internet security and companies encrypt their services 
>to protect their customers. If these companies are asked directly for 
>communications data and agree to supply it, whether under RIPA or 
>following a request under a Mutual Legal Assistance Treaty (MLAT), then 
>they will decrypt the information, extract the relevant communications 
>data and provide it to the requesting authority in an accessible 
>format. They told us however that if information about their service 
>was collected by another CSP they would not cooperate in helping 
>decrypt it. Sarah Hunter from Google explained:
>
>“From a Google Inc perspective, we are very confident about the 
>security of our encryption. If a valid RIPA request comes in or UK law 
>enforcement goes through the MLAT, receives a court order and in turn 
>gets Gmail user data, we will obviously provide that data decrypted. If 
>it was to use a third-party provider to gather the encrypted data, I 
>think it very unlikely that Google Inc would provide anyone outside 
>Google Inc with that key. That is simply because, as everyone said 
>earlier, security is our most important asset. Our relationship with 
>our users is predicated on trust. Without that, we have no busines

It seems more likely to me that they'll provide the content of the 
communications, residing on their servers. The fact the transmission 
between the client and their server is encrypted is surely a red 
herring?
-- 
Roland Perry


