RIPA s 12(7)
zenadsl6186 at zen.co.uk
Sat Jun 21 01:26:40 BST 2014
On 16/06/14 08:04, Caspar Bowden (lists) wrote:
> On 06/16/14 00:26, Peter Fairbrother wrote:
>> On 12/06/14 12:20, Caspar Bowden (lists) wrote:
>>> Wonder opinions if this sufficient for UK to (coercively) "do a
>>> Hushmail" ? Or under Intel Services Act, or RIPA Pt.2 ?
>> I'm not sure what you mean here.
> Actually I had forgotten that this case involved server-side extraction
> of key (read above). This is obviously within RIP Pt.3 - I remain
> worried about trying to find combo of UK powers which could coerce a
> client-side attack (e.g. the provider has to inject back-doored
It seems Hushmail had/have two different products, one a Java-based
behind a TLS connection, but otherwise in plain language, nothing is
hidden from the server - in the case of a sent email, the server then
does the public key encryption for the recipient. In the case of a
received email, the server does the private key decryption, then just
re-encrypts for link TLS.
This of course breaks the end-to-end model, and it is no wonder that
Hushmail could provide plaintext under a warrant - server-side
extraction of key, or just supplying users' passwords (if that is what
they did, I'm not clear on that) is just one of many ways in which they
could have made plaintext available.
I don't see any reason why you couldn't operate a real end-to-end
clunky, but I can't see why it wouldn't technically be possible.
your server, could UK Plod force you to backdoor it so you/they could
I think it depends a bit on the situation, eg what you are protecting,
email-type messaging or voip traffic might be different - and it might
also matter whether you are supplying a total service, or just the
On the one hand, if you are just supplying software (and not a telecomms
service) then I don't think they could force you to backdoor the
software - on the other hand, if you are supplying a complete voip
service like Skype (in the UK) then I think they probably could require
you to have the capability to read traffic on 1 in 10,000 conversations
- after all, you can't buy telephone equipment which doesn't have
interception capability these days - even if that requirement meant
installing a backdoor.
Though the lack of non-interception-capable telephone equipment is
actually because there is no market for it, rather than any prohibition
In between these, I'm not so sure. May post more later.
-- Peter Fairbrother