Hey Bert-Jaap, I had you down as one of the good guys, what caused you to fold :-) Bert-Jaap Koops <E.J.Koops@kub.nl> writes on cpunks:
We present an alternative that can give law-enforcement agencies access to session keys, without users having to deposit private keys. Unilateral fraud in this scheme is easily detectible.
OK, so I can see how the `binding data' technique acheives a more robust form of keys escrow of session keys, without handing over private keys. (Your wording also implied to me that the problem would not exist if private keys were handed over, but I think this is not the case, if a warrant is required to get the private keys, the stated presumtion is that no speculative decryptions will be tried). Also the proposal (and other proposals which escrow session keys) doesn't really provide any guarantees of protection from LE abuse, as such, because they can decrypt all of the escrowed session keys with their own private key. But then the original clipper proposal had similar supposed safeguards, they claimed to have the decryption keys split across two databases, and they claimed that they would place the key in a tamper resistant device so that it could only be used for the duration of the court approved wiretap. `binding data' combats the problem of people sabotaging key escrow by using garbage for the escrowed session key. Matt Blaze was able to produce compliant capstone/tessera messages which would be accepted by the recipient, and yet would reveal nothing to the LE agent. Your binding data technique would allow a software only implementation of the non-interoperability requirements of clipper III, and combat attacks such as Matt's. However, simpler approaches I think fulfill the requirements given the (stated) voluntary nature of GAK. For instance, if you are using a hybrid RSA/symmetric key system with the session key encrypted with RSA, you can encrypt the session key to a second recipient also (PGP allows this much, Carl Ellison suggested this for PGP, Bill Stewart recently also suggested the same). If the recipient wishes to check that the sender is really escrowing the same session key, this can be acheived by revealing to the primary recipient the random padding of the second recipient's RSA encrypted copy of the session key. The primary recipient can then repeat the encryption, and check. (I proposed this on sci.crypt last year some time, with an anti-GAK caveat :-). As GAK is (stated to be) voluntary, surely the only person who has any business knowing whether the message is honestly GAKked is the recipient. After all you can double encrypt or not use GAK at your option, so this seems to lose nothing for the GAKkers. The description of the paper also says nothing about trust worthiness of the TTPs, from the public's perspective. It would be nice to see a proposal which also resulted in the cryptographic revealing of number of wire taps, as an unavoidable result of the protocol. (Not that I, or anyone else would want to use GAK still, but it would be a gesture of good will on the part of the GAKkers, and would show intentions not to misuse the system. I suggest that they would never agree to such a system because their stated aims are untrue: they *do* want to outlaw non-escrowed encryption for domestic US traffic, and they *do* want to decrypt without warrants, and without public audit. Export control and temporarily `voluntary' GAK is a means, not an end.) Adam -- #!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj $/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1 lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)