[70110] in North American Network Operators' Group

Re: Buying and selling root certificates

daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Thu Apr 29 19:13:44 2004

From: "Stephen Sprunk" <stephen@sprunk.org>
To: "Iljitsch van Beijnum" <iljitsch@muada.com>
Cc: "North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Thu, 29 Apr 2004 17:41:15 -0500
Errors-To: owner-nanog-outgoing@merit.edu


Thus spake "Iljitsch van Beijnum" <iljitsch@muada.com>
> On 29-apr-04, at 7:02, Stephen Sprunk wrote:
> > The feds clearly have the power to get through or around encryption
> > suspected criminals are using: the FBI reports that there have been
> > _zero_ cases nationwide over the past several years where the use of
> > encryption has prevented them or other agencies from obtaining the
> > evidence needed, even when "secure" tools like PGP, SSL, or IPsec
> > are used.
>
> I have a hard time believing this...

The DOJ was directed by Congress to collect data and report back each year,
and while I don't trust any law-enforcement types in general, I do trust in
their fear of Congressional inquiries.  Besides, given the FBI's past
position on crypto, especially key escrow, I have a hard time believing
they'd claim crypto wasn't a problem if it actually was -- that's
counter-productive for them.

> So what do they do? Send a team in to retrieve the key from your
> system? Borrow some CPU time from the NSA?

The reasons for the FBI's conclusion were not given.  It's "common
knowledge" that it's cheaper to attack the key-management systems (or the
end systems) than the crypto, so that's one possibility.  Another is that
the existing implementations are flawed in ways that reveal the keys and/or
plaintext.  Last, it's possible that the plaintext was never recovered and
the pattern of communication was enough evidence in itself.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin

