When architecting a system, it is critical that the operator of the system should not have access to the keys at all. You can't be compelled to produce something that you don't have. It is not hard to do if it is part of your initial design.
Backup providers like SpiderOak seem to be doing this right. I have designed a number of systems with this type of security design.
Rule #1: don't store clear text.
Rule #2: don't store decryption keys.
Rule #3: don't do decryption on the server.
Rule #4: treat all communications with people not implementing security on THEIR computers as insecure.
Email security for systems designed to work with outsiders who don't use the tool is particularly problematic. The operator can use public keys to encrypt traffic as it arrives, but can easily be compelled to reveal the arriving clear text messages before encryption.
Is it the SSL certificate for the SMTP TLS that was being requested? It appears so from the transcripts. If that is the case, they are asking to access content that was stored in the clear on the previous mail server(s). This is hardly highly secured content. The HTTPS sessions might reasonably be considered more sensitive and secure.
-Lance
This is perhaps the most interesting aspect of the LavaBit proceedings. See:
http://cryptome.org/2013/10/lavabit-orders.pdf
In short, if you have not designed your system to be amenable to
metadata tapping, particularly all the rich metadata requested by a
"pen register", they're going to demand the encryption keys to access
this metadata.
Said again for emphasis:
SSL private keys are demanded under the smallest of justifications,
which need not even show probable cause nor reasonable suspicion!!
(they did later go back with an actual warrant for the keys, but only
after this initial gambit, made repeatedly, failed.)
"""
July 16, 2013
TRANSCRIPT OF HEARING
BEFORE THE HONORABLE CLAUDE M. HILTON
...
[ED: James Trump is the fed lawyer, Ladar Levison the LavaBit operator.]
...
THE COURT: So as I understand it, my initial order ordered
nothing but that the pen register be put in place.
MR. TRUMP: And all technical assistance, information, and
facilities necessary to implement the pen register. And
it's our position that without the encryption keys, the data
from the pen register will be meaningless. So to facilitate
the actual monitoring required by the pen register, the FBI
also requires the encryption keys.
THE COURT: Well, that could be, but I don't know that I
need -- I don't know that I need to reach that because
I've issued a search warrant for that.
MR. TRUMP: Correct, Your Honor. That the -- to avoid
litigating this issue, we asked the Court to enter the
seizure warrant.
THE COURT: Well, what I'm saying is if he agrees that the
pen register be established, and that the only thing he
doesn't want to do in connection with the pen register is
to give up the encryption device or code --
MR. LEVISON: I've always maintained that.
THE COURT: -- so we've got no issue here. You're ready to
do that?
MR. LEVISON: I've been ready to do that since Agent Howard
spoke to me the first time.
THE COURT: All right. So that ends our --
MR. TRUMP: Well, then we have to inquire of Mr. Levison
whether he ... will produce the encryption keys pursuant to
the search warrant that Your Honor just signed.
THE COURT: But I can't deal with that this morning, can I?
MR. TRUMP: Well, it's the same issue. You could ask
him, Your Honor. We can serve him with the warrant and ask
him if he's going to comply rather than --
MR. LEVISON: Your Honor, I've also been issued a subpoena
demanding those same keys, which I brought with me in the
event that we would have to address that subpoena.
THE COURT: I don't know, Mr. Trump. I don't think I want
to get involved in asking him. You can talk with him and
see whether he's going to produce them or not and let him
tell you. But I don't think I ought to go asking what
he's going to do and what he's not going to do because I
can't take any action about it anyway. If he does not
comply with the subpoena, there are remedies for that one way
or another.
MR. TRUMP: Well, the original pen register order was followed
by a compulsion order from Judge Buchanan. The compulsion
order required the encryption keys to be produced. So, yes,
part of the show cause order is to require compliance both
with the pen register order and the compulsion order issued
by Judge Buchanan. And that order, which was attached to the
show cause order, states, "To the extent any information,
facilities, or technical assistance are under the control of
Lavabit are needed to provide the FBI with the encrypted
data, Lavabit shall provide such information, facilities, or
technical assistance forthwith."
MR. LEVISON: I would object to that statement. I don't know
if I'm wording this correctly, but what was in that order to
compel was a statement that was incorrect. Agent Howard
seemed to believe that I had the ability to encrypt the
e-mail content stored on our servers, which is not the case.
I only have the keys that govern communications into and out
of the network, and those keys are used to secure the
traffic for all users, not just the user in question. So
the statement in that order compelling me to decrypt stuff
and Agent Howard stating that I have the ability to do that
is technically false or incorrect. There was never an explicit
demand that I turn over these keys.
THE COURT: I don't know what bearing that would have, would
it? I mean, I don't have a problem -- Judge Buchanan issued
an order in addition to mine, and I'm not sure I ought to
be enforcing Judge Buchanan's order. July order, if he says
that he will produce or allow the installation of the pen
register, and in addition I have issued a search warrant for
the codes that you want, which I did this morning, that's
been entered, it seems that this issue is over as far as
I'm concerned except I need to see that he allows the pen
register and complies with the subpoena.
MR. TRUMP: Correct.
THE COURT: If he doesn't comply -- if he doesn't comply with
the subpoena, then that has -- I have to address that.
MR. TRUMP: Right.
THE COURT: But right now there's nothing for me to address
here unless he is not telling me correctly about the pen
register.
MR. TRUMP: Well, we can -- Your Honor, if we can talk to Mr.
Levison for five minutes, we can ask him whether he will
honor the warrant that you just issued.
MR. LEVISON: Before we do that, can I --
THE COURT: Well, what can I do about it if he doesn't, if
he tells you he's not going to? You've got the right to go
out and search and get it.
MR. TRUMP: Well, we can't get the information without his
assistance. He's the only one who knows and has possession of
it. We can't take it from him involuntarily.
MR. LEVISON: If I may, sir, my other --
THE COURT: Wait just a second. You're trying to get me
ahead. You're trying to get me to deal with a contempt
before there's any contempt, and I have a problem with that.
MR. TRUMP: I'm trying to avoid contempt altogether, Your Honor.
THE COURT: I know you are. And I'd love for you-all to get
together and do that. I don't want to deal with it either.
But I don't think we can sit around and agree that there's
going to be a default and I will address it before it
occurs.
MR. TRUMP: I'm just trying to figure out whether there's
going to be a default. We'll take care of that, Judge.
THE COURT: You can. I think the way we've got to do this
-- and I'll listen to you. I'm cutting you off, I know, but
I'll listen to you in a minute. The way we have to do
this, the hearing that's before me this morning on this issue
of the pen register, that's been resolved, or so he's told
me. I don't know whether you want to continue this one week
and see if he complies with that, which I guess would be
prudent to do, or a few days for him to comply with the
pen register. Then we will wait and see what happens with
the subpoena. Because as far as my pen register order is
concerned, he says he's going to comply with it. So that
issue's over and done with. The next issue will be ...
whether or not he complies with the subpoena. And I don't
know and I don't want to presume, and I don't want him to
represent to me what he intends to do when he can very well
go home and decide he's going to do something different. When
that warrant is served, we'll know what he's going to do.
I think we've got -- I don't see another way to do it.
MR. TRUMP: That's fine, Your Honor. We will serve the
warrant on him as soon as we conclude this hearing, and
we'll find out whether he will provide the keys or not.