[7451] in cryptography@c2.net mail archive


Re: FBI involves itself in Verio merger

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jul 7 21:18:38 2000

From: "Steven M. Bellovin" <smb@research.att.com>
To: Damien Miller <djm@mindrot.org>
Cc: Bill Stewart <bill.stewart@pobox.com>, Meyer Wolfsheim <wolf@priori.net>,
        cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 07 Jul 2000 20:58:28 -0400
Message-Id: <20000708005829.F046A35DC2@smb.research.att.com>

In message <Pine.LNX.4.21.0007080956160.721-100000@mothra.mindrot.org>, Damien 
Miller writes:
>On Fri, 7 Jul 2000, Bill Stewart wrote:
>
>> The current UK effort is why we also need "Perfect Forward Secrecy
>> In Everything"; it's hard to force someone to turn over their
>> decryption keys when their equipment doesn't store them past a
>> session, and it's easier to argue that you shouldn't be required to
>> turn over a signature key that can only be used for forgery than a
>> decryption key which could reveal past session keys.
>
>IANAL but wouldn't the UK's proposed legislation make software that
>won't provide access to all keys implicitly illegal?

"Implicit" rarely counts in law -- at least in the U.S., and most 
likely in the U.K., given the common foundations of the legal systems.  
What matters is what the statute says.  If it says "you must turn over 
any keys you possess, upon proper demand", there's no problem.  If it 
says "if you use encryption, you must be able to turn over the keys", 
you might have a problem.  And if it says "you must keep track of all 
keys you use" -- well, yes, that does seem to rule out perfect forward 
secrecy...

		--Steve Bellovin



