return of key-escrow: UK PKI Strategy cites bogus RIPA rationale

Caspar Bowden (lists) lists at casparbowden.net
Mon Aug 19 12:37:26 BST 2013 

On 08/19/13 12:04, Ben Laurie wrote:
> On 13 August 2013 07:58, Caspar Bowden (lists) <lists at casparbowden.net 
> <mailto:lists at casparbowden.net>> wrote:
>
>     Hadn't noticed any commentary on this... ?
>
>     (Feb 28 2013) PKI Strategy
>     <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/135998/pki-strategy-1.0.pdf>
>     and Implementation Strategy
>     <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/135992/PKI-Implementation-Strategy-1-0.pdf>
>     (occurs in both)
>
>       * "For example key escrow *may be required* for private
>         encryption keys in some services (*to comply with* Regulation
>         of Investigatory Powers Act Section 3)"
>
>     but FIPR 9/5/2000 <http://www.fipr.org/rip/PR3RHC.htm>
>
>       * Surprisingly Mr.Clarke amended S.69
>         <http://www.publications.parliament.uk/pa/cm199900/cmhansrd/vo000508/debtext/00508-17.htm#00508-17_spnew2>
>         [Hansard link - at bottom] to exempt company directors from
>         liability under Part.III - that is, they are no longer
>         personally liable for failure of their company to comply with
>         a decryption notice. This was the chief cause of FIPR's
>         diagnosis of government strategy as being that of "key escrow
>         by intimidation" - however it still leaves individuals and
>         company employees in the firing line.
>
>
> PSN is a company with directors?

No, but the bit Clarke chopped in response to (largely commercial) 
campaigning was the only part containing any express "key escrow by 
intimidation" aimed at board-level of organizations

So the question I am raising is whether there is some other "public 
policy" rationale for arguing that escrow is compelled by the 
hypothetical necessity to respond to some particular decrypt request in 
future (contrast to arguments about "relevance" in PATRIOT 215 metadata).

AFAIK this falls under Council of Europe R.87 (1987) which forbids ECHR 
states from compelling retention of arbitrary data as a matter of public 
policy in organs of the state, unless there is a precise authorizing 
law. RIPA Part.3 is not that law (but e.g. the EU DRD is such a law - in 
that it exists!), and of course compelling escrow in public sector has 
huge structural effects on normative practices (that what R.87 fuss was 
all about)

CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20130819/50f5c74c/attachment.html>

More information about the ukcrypto mailing list