[7453] in cryptography@c2.net mail archive
Re: FBI involves itself in Verio merger
daemon@ATHENA.MIT.EDU (Ben Laurie)
Sat Jul 8 09:23:38 2000
Message-ID: <396712E0.4E891F00@algroup.co.uk>
Date: Sat, 08 Jul 2000 12:39:12 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Damien Miller <djm@mindrot.org>, Bill Stewart <bill.stewart@pobox.com>,
Meyer Wolfsheim <wolf@priori.net>, cryptography@c2.net
"Steven M. Bellovin" wrote:
>
> In message <Pine.LNX.4.21.0007080956160.721-100000@mothra.mindrot.org>, Damien
> Miller writes:
> >On Fri, 7 Jul 2000, Bill Stewart wrote:
> >
> >> The current UK effort is why we also need "Perfect Forward Secrecy
> >> In Everything"; it's hard to force someone to turn over their
> >> decryption keys when their equipment doesn't store them past a
> >> session, and it's easier to argue that you shouldn't be required to
> >> turn over a signature key that can only be used for forgery than a
> >> decryption key which could reveal past session keys.
> >
> >IANAL but wouldn't the UK's proposed legislation make software that
> >won't provide access to all keys implicitly illegal?
>
> "Implicit" rarely counts in law -- at least in the U.S., and most
> likely in the U.K., given the common foundations of the legal systems.
> What matters is what the statute says. If it says "you must turn over
> any keys you possess, upon proper demand", there's no problem. If it
> says "if you use encryption, you must be able to turn over the keys",
> you might have a problem. And if it says "you must keep track of all
> keys you use" -- well, yes, that does seem to rule out perfect forward
> secrecy...

There's no requirement in RIP to keep track of keys, you are merely(?)
required to hand over keys you have kept.

Ian Brown, Adam Back and I are in the process of writing an I-D for
perfect forward secrecy in OpenPGP, if people are interested in
commenting: http://www.cs.ucl.ac.uk/staff/I.Brown/openpgp-pfs.txt.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/