RIPA s 12(7)

Caspar Bowden (lists) lists at casparbowden.net
Fri Jun 13 16:05:29 BST 2014


On 06/12/14 22:04, Ian Batten wrote:
> On 12 Jun 2014, at 18:39, Caspar Bowden (lists) <lists at casparbowden.net> wrote:
>> that looks broad enough to ask for the source code to any client-side Webmail encrypting widget. Quite useful.
> It's also broad enough to get a server's private key if RSA was in use: if you've intercepted encrypted sessions, then
> having the RSA private key allows you to extract the session keys.  There's a proportionality and collateral issue, but
> of course the S.49 notice could be used to demand the CSP decrypt encrypted session keys and provided
> by the agency, and therefore satisfy the needs of the investigator without releasing a long-term key.
>
> However, I'm not sure whether the police would be overly interested in any of this, because even if the CSP coughs
> all the keys, it's intercept and therefore not admissible.  They'll need other, non-intercept evidence to get the intercept
> warrant, and they'll need other, non-intercept evidence to get a conviction.  Cases where the intercept evidence is
> therefore hugely significant, to the point of it being worth messing around with production orders, are going to be
> thin on the ground.  And stuff which is admissible when decrypted, for example memory sticks seized under search
> warrants or computers with "data at rest" ditto, is much less likely to have keys held by anyone other than the
> putative owner.

Knowing RSA (or D-H?) key from Pt.3, can do lawful cert-spoofing (Pt.2 
?) attack via Quantum, inject bad client-side code (if SSL only code 
authentication), and can lawfully target that in UK in "external" comms 
under s.16

Sounds very useful for JTRIG, "domestic extremists"

For police work, once docs known to exist, can be garnered/gardened by 
other means...

CB


