European Data Retention and Encryption for Dummies

Tom tom at lemuria.org
Mon Jun 3 07:12:41 PDT 2002


Hi everyone, I've been on this list before, but didn't have time for it
for a while. Now I'm back because I need some input:


You probably heard that the EU is currently passing data retention
laws. One part of them would require that ISPs keep logs of customer
traffic. It isn't entirely clear what exactly they need to store, but
the discussion goes into URL storage (i.e. what file on which virtual
host) and even full data storage (i.e. copies of the IP packets).

Obviously, at least the latter is bullshit. However, it is absolutely
possible that it's just a smokescreen and the usual "compromise" will
be that the ISPs don't have to store the data except on request...


Enter a simple idea to solve the obvious privacy problem, at least in
parts. We do have the infrastructure in place to achieve end-to-end
encryption for the by far most-often-used web services, all we need is
to use it. I am, of course, talking about HTTPS and SMTPS.

Setting up apache so that it does HTTPS instead of HTTP, and all
requests to HTTP pages are redirected to a page pointing to the HTTPS
equivalent and explaining why is trivial.
Getting the various MTAs to use SMTPS isn't too difficult, either.

The problem with both is the need for SSL certificates. So I was
thinking of setting up a "Joe Doe's CA". A simple webpage where you can
request a certificate. It would do two checks:

a) check if the IP you are using is identical to the IP you are requesting
for, i.e. you'll have to ssh into your webserver and use lynx from
there.

b) the certificate will be mailed to the admin-c of the domain you
requested it for (whois lookup).

This is not 100% secure, but then again how much checking does Verisign
really do on certificates? I believe this is "good enough" in that it
establishes a reasonable safety that you are talking to the right site,
at least much better than regular HTTP can offer.

The purpose of this is to get as many sites to switch to using HTTPS
and SMTPS as possible. Therefore, the required work must be kept
minimal. Once considerable parts of the internet traffic are encrypted,
they can pass as many data retention laws as they please.


Any comments? What did I miss? Where does this idea come apart? Does it
make sense at all?



-- 
New GPG Key issued (old key expired):
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom at lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5
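The two checks Tom sketches for his "Joe Doe's CA" (the requester's IP must match the host the certificate is for, and the certificate goes to the domain's admin-c from whois), written out as an added example. This is not code from the post; the function names, the injectable resolver and the RIPE-style whois text are assumptions made here, and the parser fails closed (returns None) whenever it cannot find exactly one admin-c contact, since real whois output varies by registry.

```python
"""Added example (not from the original post): the two checks a
"Joe Doe's CA" request page would run before issuing a certificate.

Assumed here: the function names, the injectable resolver, and the
RIPE-style whois sample. Real registries format whois differently, so the
parser refuses (returns None) rather than guess a recipient.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def resolve_host(hostname: str) -> List[str]:
    """Every IPv4/IPv6 address the hostname resolves to (does a network lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def _normalize(addr: str) -> Optional[IPAddr]:
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) down to IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_matches_host(client_ip: str, hostname: str,
                        resolver: Callable[[str], Iterable[str]] = resolve_host) -> bool:
    """Check (a): the requester's address must be one the hostname resolves to.

    This proves control of the address, not of the name: on shared hosting
    many names map to one address, and the DNS answer is unauthenticated.
    """
    client = _normalize(client_ip)
    if client is None:
        return False
    targets = {ip for ip in map(_normalize, resolver(hostname)) if ip is not None}
    return client in targets


def _parse_objects(whois_text: str) -> List[Dict[str, List[str]]]:
    """Split RIPE-style output into blank-line separated 'key: value' objects."""
    objects: List[Dict[str, List[str]]] = []
    for chunk in re.split(r"\n\s*\n", whois_text.strip()):
        obj: Dict[str, List[str]] = {}
        for line in chunk.splitlines():
            m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)  # '%' comment lines never match
            if m:
                obj.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
        if obj:
            objects.append(obj)
    return objects


def admin_contact_email(whois_text: str, domain: str) -> Optional[str]:
    """Check (b): take the domain object's admin-c handle, then that person's e-mail."""
    objects = _parse_objects(whois_text)
    handles = {h for o in objects
               if o.get("domain", [""])[0].lower() == domain.lower()
               for h in o.get("admin-c", [])}
    if len(handles) != 1:          # none, or ambiguous: do not guess a recipient
        return None
    (handle,) = handles
    for o in objects:
        if handle in o.get("nic-hdl", []) and o.get("e-mail"):
            return o["e-mail"][0]
    return None


def validate_request(client_ip: str, hostname: str, domain: str, whois_text: str,
                     resolver: Callable[[str], Iterable[str]] = resolve_host) -> Optional[str]:
    """Address the certificate should be mailed to, or None to refuse the request.

    `domain` is passed explicitly: deriving the registrable domain from a
    hostname needs the public suffix list, which this example leaves out.
    """
    if not client_matches_host(client_ip, hostname, resolver):
        return None
    return admin_contact_email(whois_text, domain)


# Constructed sample whois record (RIPE style); not real registry output.
CONSTRUCTED_WHOIS = """\
% Constructed sample, not a real registry record.
domain:       example.org
admin-c:      JD1234-RIPE
tech-c:       JD1234-RIPE
source:       EXAMPLE

person:       Joe Doe
nic-hdl:      JD1234-RIPE
e-mail:       hostmaster@example.org
source:       EXAMPLE
"""
```

To run it offline, pass a resolver that returns a fixed answer, e.g. `validate_request("192.0.2.10", "www.example.org", "example.org", CONSTRUCTED_WHOIS, lambda h: ["192.0.2.10"])` returns `hostmaster@example.org`, while a request from any other address returns None. Both checks are deliberately conservative: a malformed client address, a hostname that resolves nowhere, or a whois record with zero or several admin-c handles all end in a refusal rather than a certificate.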