gack vs. key escrow vs. key recovery

cpunks, a note about recent developments in "key recovery" initiative. I think cpunks as a group should reconsider very seriously their own positions on cryptography and come up with something more sophisticated than "any government bill or plan associated with crypto is evil" which is the functional equivalent of the ideology behind many recent posts.
what is the precise difference between gack, key escrow, and key recovery? TCM has argued that the administration is muddying the issue by manipulating the terminology. perhaps so, but I feel that cpunks are equally guilty, by branding anything that emanates out of the government as inherently orwellian. do you always have to have an enemy? is the government always going to be your enemy, no matter what they do?
I have posted here before that many companies find the concept of "key recovery" highly acceptable and even desirable. the basic question is, what does this mean to wiretapping and search warrants and subpoenas?
it is clear we are coming to a fork in the road at this moment. there are going to be two types of cpunk opinions based on recent developments.
1. those who feel that wiretapping was illegitimate from the start and are working to make wiretapping impossible. confronted with a legal search warrant/subpoena etc. for personal data, they would not hand over keys. they would "superencrypt" in systems that do etc.
2. those who feel that there is such a thing as a legal warrant or subpoena for information protected by cryptography keys, and would agree that this logically means that governments will be getting access to "key recovery" infrastructures.
personally I am leaning toward 2, because I feel that we already live in such a society, and that it is not orwellian. companies are going to lean toward (2). I do agree that the gov't has the potential to twist this process to evil ends, but that has always been true of everything about democratic government, and the recipe for 200+ years has always been and remains "eternal vigilance". in other words, I am in favor of some kind of mechanism by which the government can obtain keys via subpoenas/warrants.
cpunks, I think we should try to clarify our terms and come to some conclusions. those who continue to pursue (1) are going to be perceived as more and more radical and extremist, because arguably it is not even a system we have today or one that was ever devised. remember, the constitution guarantees freedom from *unreasonable* search and seizure, but never prohibited search and seizure in the first place!! apparently at least our founding fathers believed that "reasonable" search and seizure was a wholly legitimate function of government, based on this wording.
regarding (2): the government may actually help bring crypto to the masses via the post office and other routes. are cpunks going to continue to hold the simplistic, reactionary, knee-jerk, black-and-white opinion that "anything with the word 'government' in it is evil"? "if the government is doing something, then we must sabotage it"?
I'll be watching the debate closely, as the true extremists incapable of compromise (and thereby living in a fantasy world) show their colors....

Vladimir Z. Nuri writes:
cpunks, a note about recent developments in "key recovery" initiative.
[...]
is the government always going to be your enemy, no matter what they do?
It seems to be bent on doing so.
I have posted here before that many companies find the concept of "key recovery" highly acceptable and even desirable. the basic question is, what does this mean to wiretapping and search warrants and subpoenas?
They get served, and the keys are produced. Same with personal crypto- if I'm in court and some encrypted file that I have the key for is demanded as evidence, I provide the key or get hit with contempt of court, my choice. No one is arguing about that. The objections to Clipper III are:
1. built-in wiretapping. Clipper III requires that subjects of "key recovery" wiretaps are not notified of the government's "recovery" of their keys. While this _is_ analogous to phone wiretaps, it is not of anything else. The cops have to serve you a warrant, not sneak in and read the papers in your desk. Why should encrypted files be different?
2. Coercion. I don't see anything wrong with key escrow (original meaning, not GAK). I think it's useful for business. Required for some. It's being coerced to implement it that is distasteful. If you think that Clipper III isn't coercion, you're wrong- note that the licenses to export GAKware are reviewed every 6 months and expire after 2 years if GAK isn't in place. That's a clear "you're on our side or you're not" from the government. Having the possibility of your product suddenly becoming worthless every 6 months will keep companies in line.
3. It's still too weak. 56 bit DES isn't enough- it can very probably be cracked in < 12 seconds by the NSA. If not real time.
4. It's the camel's nose in the tent. First "key recovery" then full GAK then penalties/jail time for "terrorists" or "gang members" who use unGAKd crypto.
-- Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF

Eric Murray wrote:
Vladimir Z. Nuri writes:
cpunks, a note about recent developments in "key recovery" initiative. is the government always going to be your enemy, no matter what they do?
It seems to be bent on doing so.
I have posted here before that many companies find the concept of "key recovery" highly acceptable and even desirable. the basic question is, what does this mean to wiretapping and search warrants and subpoenas?
They get served, and the keys are produced. Same with personal crypto- if I'm in court and some encrypted file that I have the key for is demanded as evidence, I provide the key or get hit with contempt of court, my choice. No one is arguing about that. The objections to Clipper III are:
[additional text deleted] Sounds to me like there's a need for a program that can produce secure encryption, yet the output looks like "real junk", i.e., not anything like what one of the *better* programs would produce. Then you can claim (with testimony of experts if necessary) that "I didn't encrypt it, must be just garbage". And even if you got some bozo govt. person testifying against you, you shouldn't have much problem making them look stupid and vindictive in front of a jury.

On Thu, 3 Oct 1996, Vladimir Z. Nuri wrote:
it is clear we are coming to a fork in the road at this moment. there are going to be two types of cpunk opinions based on recent developments.
1. those who feel that wiretapping was illegitimate from the start and are working to make wiretapping impossible. confronted with a legal search warrant/subpoena etc. for personal data, they would not hand over keys. they would "superencrypt" in systems that do etc.
2. those who feel that there is such a thing as a legal warrant or subpoena for information protected by cryptography keys, and would agree that this logically means that governments will be getting access to "key recovery" infrastructures.
If I correctly understand what you are saying, I agree with your thesis that people who are stuck in an antiestablishment frame of mind may just as easily hinder their own cause by acting blindly. But if we make a distinction between two very different levels and types of wiretapping, I believe a sizeable third category becomes apparent:
3. Those who are aware of the existence of large-scale systems of electronic monitoring by the NSA, which does not need any search warrant or subpoena of any kind to collect, archive, index, correlate, interpret & summarize the supposedly private communications of all of us. When presented with an actual search warrant, people who have this awareness would typically cooperate with any law enforcement agencies, since they would also be aware of how impractical noncooperation would be. Far from considering the government as always bad, they may only have a healthy mistrust of those branches of big government which can operate both above the law and behind a cloak of secrecy.
People in category 3 may be aware of the pure power of knowledge which can be extracted from large data mines, and simply desire to exclude as much of their personal communications from these mines as possible. They are not comforted by an encryption system where keys could be recovered without one's knowledge, and see this as a threat to the current growth of truly unbreakable systems.
Former US Senator Dave Durenberger, while still head of the Senate Select Intelligence Committee, remarked to the press that he wondered if CIA Director William Casey enacted covert plots "just for kicks." If absolute power corrupts absolutely, is it not our civic duty to ensure that the former does not come into being?
Douglas B. Renner

In <199610040033.RAA18660@netcom19.netcom.com>, on 10/03/96 at 05:33 PM, "Vladimir Z. Nuri" <vznuri@netcom.com> said:
regarding (2): the government may actually help bring crypto to the masses via the post office and other routes. are cpunks going to continue to hold the simplistic, reactionary, knee-jerk, black-and-white opinion that "anything with the word 'government' in it is evil"? "if the government is doing something, then we must sabotage it"?
Hmmmm.... It seems that you are not familiar with the fact that a false sense of security is WORSE than no security at all. This is exactly what this type of "crypto" provides: a FALSE sense of security. The masses are much better off without any crypto than some pseudo-crypto provided by the government. At least when you send messages in the clear the user knows that it is open for everyone to read and not to send sensitive info.
I'll be watching the debate closely, as the true extremists incapable of compromise (and thereby living in a fantasy world) show their colors....
<sigh> another simpleton. Why is it whenever anyone stands up against the "powers that be" to defend their rights and the Constitution they are branded as "extremist". Just which Article of the Bill of Rights should we "compromise" on next? It is obvious you have no respect for the 1st, 4th & 5th amendments or a clue as to what they stand for or how they relate to this issue.
-- William H. Geiger III http://www.amaranth.com/~whgiii Geiger Consulting WebExplorer & Java Enhanced!!! Cooking With Warp 4.0 Author of PGPMR2 - PGP Front End for MR/2 Ice Look for MR/2 Tips & Rexx Scripts Get Work Place Shell for Windows!! PGP & MR/2 the only way for secure e-mail. Finger whgiii@amaranth.com for PGP Key and other info

On Thu, 3 Oct 1996, Vladimir Z. Nuri wrote:
what is the precise difference between gack, key escrow, and key recovery? TCM has argued that the administration is muddying the issue by manipulating the terminology.
I don't know if Tim said that as well, but I certainly did. The government's move is ingenious. By appropriating the term "key recovery" for GAK, the government made it almost impossible to discern between key recovery as required in many commercial environments and GAK as required by an Orwellian surveillance state.
perhaps so, but I feel that cpunks are equally guilty, by branding anything that emanates out of the government as inherently orwellian. do you always have to have an enemy? is the government always going to be your enemy, no matter what they do?
Yes. What is good for the government and what is good for the people will always be opposite.
I have posted here before that many companies find the concept of "key recovery" highly acceptable and even desirable. the basic question is, what does this mean to wiretapping and search warrants and subpoenas?
I agree that true key recovery for the corporate environment is often desirable. I do not believe that it will ever have to include an outside "escrow" agent.
it is clear we are coming to a fork in the road at this moment. there are going to be two types of cpunk opinions based on recent developments.
1. those who feel that wiretapping was illegitimate from the start and are working to make wiretapping impossible. confronted with a legal search warrant/subpoena etc. for personal data, they would not hand over keys. they would "superencrypt" in systems that do etc.
That's me. [opposing view elided for brevity only]
those who continue to pursue (1) are going to be perceived as more and more radical and extremist, because arguably it is not even a system we have today or one that was ever devised. remember, the constitution guarantees freedom from *unreasonable* search and seizure, but never prohibited search and seizure in the first place!! apparently at least our founding fathers believed that "reasonable" search and seizure was a wholly legitimate function of government, based on this wording.
The problem is that what the Founding Fathers considered "reasonable" and what today's courts consider reasonable have *nothing* in common. [...]
I'll be watching the debate closely, as the true extremists incapable of compromise (and thereby living in a fantasy world) show their colors....
Those who believe that the infringements on our rights can continue for all times with impunity are living in a fantasy world. While I am a peaceful, non-violent person, an ever increasing number of others feel differently. If the government continues on the course they are on - and requiring (never mind the 'voluntary') GAK is doing just that - there will be those who will feel that armed resistance is the only option left. I will try everything in my power to not let it come to that. Therefore I must oppose GAK. --Lucky

Vladimir Z. Nuri wrote:
cpunks, a note about recent developments in "key recovery" initiative. I think cpunks as a group should reconsider very seriously their own positions on cryptography and come up with something more sophisticated than "any government bill or plan associated with crypto is evil" which is the functional equivalent of the ideology behind many recent posts.
[some text deleted]
personally I am leaning toward (2), because I feel that we already live in such a society, and that it is not orwellian. companies are going to lean toward (2). I do agree
[more text deleted; (2) is a reference to a legal warrant or subpoena for "information"] I think you will find ultimately that personal communication is just that, i.e., personal. OTOH, the means by which that communication are effected (phones, computers, with or without encryption) are the things that the government wants to control, presumably to get at information that you and I couldn't conveniently communicate in person, in private. The very idea that people don't have the right to hide their private conversations from *anyone*, including police, is ludicrous, and can't possibly be enforced, but the devices (if any) that are used, that's another matter. I hope someone understands what I'm getting at, and can add to this.

participants (6)
- Dale Thorn
- Douglas B. Renner
- Eric Murray
- Lucky Green
- Vladimir Z. Nuri
- William H. Geiger III