<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/19/13 12:04, Ben Laurie wrote:<br>
</div>
<blockquote
cite="mid:CAG5KPzwwHfD9CRtq-HXQefy-p4x+ngz70SRZyKeo1KDk=sg_Gg@mail.gmail.com"
type="cite">
<div dir="ltr">On 13 August 2013 07:58, Caspar Bowden (lists) <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:lists@casparbowden.net" target="_blank">lists@casparbowden.net</a>&gt;</span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hadn't noticed any
commentary on this... ?<br>
<div> <br>
(Feb 28 2013) <a moz-do-not-send="true"
href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/135998/pki-strategy-1.0.pdf"
target="_blank">PKI Strategy</a> and <a
moz-do-not-send="true"
href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/135992/PKI-Implementation-Strategy-1-0.pdf"
target="_blank">Implementation Strategy</a> (occurs
in both)<br>
<ul>
<li>"For example key escrow <b>may be required</b>
for private encryption keys in some services (<b>to
comply with</b> Regulation of Investigatory
Powers Act Section 3)"</li>
</ul>
<p>but <a moz-do-not-send="true"
href="http://www.fipr.org/rip/PR3RHC.htm"
target="_blank">FIPR 9/5/2000</a><br>
</p>
<ul>
<li><a moz-do-not-send="true"
href="http://www.publications.parliament.uk/pa/cm199900/cmhansrd/vo000508/debtext/00508-17.htm#00508-17_spnew2"
target="_blank">Surprisingly Mr.Clarke amended
S.69</a> [Hansard link - at bottom] to exempt
company directors from liability under Part.III -
that is, they are no longer personally liable for
failure of their company to comply with a
decryption notice. This was the chief cause of
FIPR's diagnosis of government strategy as being
that of "key escrow by intimidation" - however it
still leaves individuals and company employees in
the firing line.</li>
</ul>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>PSN is a company with directors?</div>
</div>
</div>
</div>
</blockquote>
<br>
No, but the bit Clarke chopped in response to (largely commercial)
campaigning was the only part containing any express "key escrow by
intimidation" aimed at the board level of organizations.<br>
<br>
So the question I am raising is whether there is some other "public
policy" rationale for arguing that escrow is compelled by the
hypothetical necessity to respond to some particular decrypt request
in future (contrast to arguments about "relevance" in PATRIOT 215
metadata). <br>
<br>
AFAIK this falls under Council of Europe R.87 (1987) which forbids
ECHR states from compelling retention of arbitrary data as a matter
of public policy in organs of the state, unless there is a precise
authorizing law. RIPA Part.3 is not that law (but e.g. the EU DRD is
such a law - in that it exists!), and of course compelling escrow in
the public sector has huge structural effects on normative practices
(that's what the R.87 fuss was all about). <br>
<br>
CB<br>
</body>
</html>