Just say "No" to key recovery concerns...keep OpenPGP pure

Adam Back aba at dcs.ex.ac.uk
Wed Oct 15 00:07:23 PDT 1997




Tim May <tcmay at got.net> writes:
> I'll try a different way of making my points...
> 
> At 9:12 PM -0700 10/14/97, Lucky Green wrote:
> 
> >I can't help but see a difference between enforcing to encrypt to a
> >default key and storing the user's key outright. IMHO, the former entails
> >less potential for abuse.
> 
> All other things being equal, maybe the former is slightly less intrusive
> than the latter. But maybe not even this, as the two give the same results.
> After all, what's the real difference between "all mail, incoming and
> outgoing, must also be encrypted to a CMR key" and "you must deposit a copy
> of your key with us"?

CMR keys are the root of all evil in pgp5.5.  Without them almost any
permutation of recovery you care to construct would be less useful to the
GAKkers, for all the organisational, and inconvenience reasons Tim
describes.  Governments have problems handling complexity.

So make their job complex.  If you were one of the people writing the
IRS tax software back in the 60s, and you were in deep cover, a
proto-cypherpunk, and were bright enough to see the future
possibilities you would have done all you could to fuck up the IRS
system.  You would have obfuscated the code.  You would have put logic
bombs in it.  You would have destroyed the source code
surreptitiously.  (Destroying source code has analogies to destroying
keys at earliest opportunity, you are destroying something which your
enemy needs).

Any bets as to if any of this actually happened on purpose?  I reckon
so.

So, do you all reckon we can make the task of fielding GAK impossibly
complex for such a big disorganised government?

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






