My chat with Goeff Greiveldinger
I will be appearing with Goeff Greiveldinger, he of the Justice Dept, at a discussion of commercial key escrow next Thursday in Bethesda. Anyone with fun questions I should throw at him should contact me...

Please note that the ostensible topic of this discussion is *commercial* key escrow, not Clipper per se, so I have to be diplomatic....

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | New address, but it's still just as hot here.
Michael Froomkin <froomkin@law.miami.edu> writes:
> I will be appearing with Goeff Greiveldinger, he of the Justice Dept, at a discussion of commercial key escrow next Thursday in Bethesda. Anyone with fun questions I should throw at him should contact me...
>
> Please note that the ostensible topic of this discussion is *commercial* key escrow, not Clipper per se, so I have to be diplomatic....
You might try addressing the areas of liability for escrow agents. If private escrow agents can be sued for loss of information due to theft or other authorized or unauthorized release of keys, their liability could be horrendous, depending on the value of the compromised data. Gillogly Software certainly will not be a commercial keyholder!

Jim Gillogly
24 Winterfilth S.R. 1995, 20:20
On Sun, 15 Oct 1995, Jim Gillogly wrote:
> Michael Froomkin <froomkin@law.miami.edu> writes:
>> I will be appearing with Goeff Greiveldinger, he of the Justice Dept, at a discussion of commercial key escrow next Thursday in Bethesda. Anyone with fun questions I should throw at him should contact me...
>>
>> Please note that the ostensible topic of this discussion is *commercial* key escrow, not Clipper per se, so I have to be diplomatic....
>
> You might try addressing the areas of liability for escrow agents. If private escrow agents can be sued for loss of information due to theft or other authorized or unauthorized release of keys, their liability could be horrendous, depending on the value of the compromised data. Gillogly Software certainly will not be a commercial keyholder!
>
> Jim Gillogly
> 24 Winterfilth S.R. 1995, 20:20
You also might point out that commercial escrow is in a way MORE prone to compromise because it effectively doubles the number of entities entitled to demand release of the keys. Instead of JUST government, you now have to face the possibility of key forfeiture by BOTH government and the commercial escrow agent, the escrow agent being, as it is, subject to the whim of governmental coercion to release keys as well as the agent's own reasons for doing so. Effectively the potential for misuse is increased by virtue of the increased numbers of officials (commercial and public) who have access to the material.

I would like to hear the answer to this dilemma, which I am sure will include something about commercial key escrow easing the perceptions of the public, to which the obvious response will be, "Then this is a public relations move to avoid the perception of potential government abuse and a move which in fact increases the level of risk, is that right?"

Perhaps I should attend. Where and when is this precisely?

---
"In fact, had Bancroft not existed,        potestas scientiae in usu est
 Franklin might have had to invent him."   in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
> You also might point out that commercial escrow is in a way MORE prone to compromise because it effectively doubles the number of entities entitled to demand release of the keys.
Actually, any publicly known escrow system opens your communications to any lawyer who gets a blanket discovery subpoena. These are very popular these days and often include third parties to any lawsuit. Anyone who can convince a judge to issue an order...

DCF
On Sun, 15 Oct 1995, Black Unicorn wrote:
> Effectively the potential for misuse is increased by virtue of the increased numbers of officials (commercial and public) who have access to the material.
Does he mean mandatory commercial key escrow (as in Clipper keys held by credit agencies?) Or something totally voluntary but standardized by the gov?

*Rant mode on*

I've heard cracking into Equifax and TRW is considered a rite of passage in the phreaker crowd. The security would have to be *damn* tight (as in forget it) for it to be trustworthy. And since it would probably be the big three credit rating agencies (I forget the other one), their track record is not reassuring. I don't see these people securely using crypto throughout the entire org (in such a large org) in the future if they don't already. Seeing my key sold to Son of Blacknet(LD) by Sons of Mitnick is not reassuring.

For that matter, what sort of databases would they consider holding this on? And how easy would it be for the general public to get access to their key, to verify for accuracy and revoke compromised keys? (big prob with the credit rating agencies) Who would be allowed (if anyone) or mandated (depending on which scheme) to certify the security? If NSA is mentioned, one might also point out the job Matt Blaze did on their Clipper. Bad production values don't make for good public security.

Of course it all depends on exactly why they really want the escrow anyway. If people will encrypt a second time with tomorrow's PGP, why should anyone care? All you'd single encrypt for would be your income tax and the financial records you're already required by law to keep (I'm sure I've misunderstood this. Can't be so useless.). I know that's not a particularly diplomatic carry-over from the debated-to-death Clipper thing, but really, except as PR, why DO they still take this seriously? (unless you want to be paranoid about a ban, hmm, nevermind, debated-to-death)

Speaking of organizational crypto, anyone know what the scheme used in Notes is? I know there's RSA... This seems rather more useful to examine than MS's browser, considering corporations are making it a standard for groupwork. All you'd get on a browser would be credit no's and maybe e-mail. Notes nets might carry the entirety of a company's docs and work in progress. They do export it, right? Weakened foreign version or one 40-bit key version for everyone? How about Novell NetWare? (Yeah, I do realize most folks don't have it, neither do I. A free client would be very nice, Mr. Gerstner, for everyone.)
On Sun, 15 Oct 1995 s1018954@aix2.uottawa.ca wrote:
> On Sun, 15 Oct 1995, Black Unicorn wrote:
>> Effectively the potential for misuse is increased by virtue of the increased numbers of officials (commercial and public) who have access to the material.
>
> Does he mean mandatory commercial key escrow (as in Clipper keys held by credit agencies?) Or something totally voluntary but standardized by the gov?
The problem exists in both these examples.
> Of course it all depends on exactly why they really want the escrow anyway. If people will encrypt a second time with tomorrow's PGP, why should anyone care?
When you see a glaring hole in argument for a government program, you should smell the stench of fish in the air. That is the section of the puzzle that is being hidden until a politically "ripe" time to stick it in place. Here that piece is, obviously, banning tomorrow's pgp.
> All you'd single encrypt for would be your income tax and the financial records you're already required by law to keep (I'm sure I've misunderstood this. Can't be so useless.). I know that's not a particularly diplomatic carry-over from the debated-to-death Clipper thing, but really, except as PR, why DO they still take this seriously? (unless you want to be paranoid about a ban, hmm, nevermind, debated-to-death)
I'm not so sure it's paranoid. You have trial balloons floating all over. Freeh is a prime example, and no one is screaming loudly enough to shoot down his blimp. That's a big ol' green light for regulators.

---
"In fact, had Bancroft not existed,        potestas scientiae in usu est
 Franklin might have had to invent him."   in nihilum nil posse reverti
00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information
Those seeking more info on the conference will find it at: Http://www.multicorp.com/wec. They are asking over $500 in registration fees, which strikes me as wildly excessive, so I'm not advocating attendance. The third member of my panel, Frank Sudia of Banker's Trust, has pulled out, so don't believe everything you read either. I might post the outline of my talk in a day or two if I get around to translating my cryptic jottings into ASCII.

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law | U. Miami School of Law | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's hot here. And humid.
On Sun, 15 Oct 1995, Black Unicorn wrote:
> in place. Here that piece is, obviously, banning tomorrow's pgp.
Frankly I think that's what it would take for everyone to start using it (not that I would on this multiuser account, that's what winsock and my PC are for). Just look at LSD: until it became illegal, only researchers and psychiatric patients took it. Strange things like crypto really become popularized (even through notoriety) when they "shouldn't" be had. Also seems like the only way to get any mainstream press. Bad press is better than next to none. Big Brother schemes like Clipper also generate lotsa mainstream press. I can't wait for Freeh and Clinton to start making sweet releases about the sequel. Big ones. What's going on on that front anyway?
>> except as PR, why DO they still take this seriously? (unless you want to be paranoid about a ban, hmm, nevermind, debated-to-death)
>
> I'm not so sure it's paranoid. You have trial balloons floating all over. Freeh is a prime example, and no one is screaming loudly enough to shoot down his blimp. That's a big ol' green light for regulators.
Being paranoid is a prerequisite for being on this list in the first place :-) But seriously, yes I do agree with you. We know just how much they'd love to get rid of it. That being said, wasn't legal protection for crypto the reason EFF caved on the dreaded DT bill? (sorry, DT law. Yech, that's tough) First they're going to have to get rid of that. How strong is the protection anyway?

*Begin flogging dead horse* (not a Unicorn)

Flog

Fine, let's just say I don't think it can stick; we could argue this back and forth and I'm sure it's been done before. We benefit from any move towards a ban through a measure of publicity. We benefit once again from a ban due to programmers like Phil Z. getting terrified and outraged enough to write code. PGP is the product of a previous attempted ban. We'd have PEM or RIPEM otherwise (with no one using them).

Flog

If there is a market to avoid American anti-privacy and subpoena regs, openly or in the black, this is where it will get its start. I understand that key signing parties are all the rage at IETF meetings. I think a lot of those people would be angry enough to go for a strong privacy IP before any ban went into effect. Remember the US is not the whole of the world. Go to Anguilla or Vancouver or Montreal or Baja Cali...with those thoughts in your head, and you can have your cpunk IETF meeting and implement and distribute the code.

Flog Flog Flog

And then there's the courts... I think any ban of a "desirable" product is self-defeating. Just look at how little popular and even police support the marijuana ban has. Even Newt admits to having tried. Unlike crypto, marijuana has a physical presence and requires transportation; even then it's also totally unenforceable (even though it lands a very large number of people in jail). A lot of people OTOH support the ban on cocaine, yet somehow, supposedly crack only costs $5/vial in NYC, and is available in every city in the world.

A crypto ban would be even harder than making people pay for all their software. Pirate software is illegal in most of the world. Are the fine legislators of North America, where practically all the software is written, totally innocent of this heinous crime? It can't stick. Either outcome puts crypto and anonymity ahead in some way.

End of dead horse flogging. Sigh. Sorry for an overlong post.
Participants (5): Black Unicorn, Duncan Frissell, Jim Gillogly, Michael Froomkin, s1018954@aix2.uottawa.ca