nanog mailing list archives
Re: Buying and selling root certificates
From: "Stephen Sprunk" <stephen () sprunk org>
Date: Thu, 29 Apr 2004 17:41:15 -0500
Thus spake "Iljitsch van Beijnum" <iljitsch () muada com>
On 29-apr-04, at 7:02, Stephen Sprunk wrote:The feds clearly have the power to get through or around encryption suspected criminals are using: the FBI reports that there have been _zero_ cases nationwide over the past several years where the use of encryption has prevented them or other agencies from obtaining the evidence needed, even when "secure" tools like PGP, SSL, or IPsec are used.I have a hard time believing this...
The DOJ was directed by Congress to collect data and report back each year, and while I don't trust any law-enforcement types in general, I do trust in their fear of Congressional inquiries. Besides, given the FBI's past position on crypto, especially key escrow, I have a hard time believing they'd claim crypto wasn't a problem if it actually was -- that's counter-productive for them.
So what do they do? Send a team in to retrieve the key from your system? Borrow some CPU time from the NSA?
The reasons for the FBI's conclusion were not given. It's "common knowledge" that it's cheaper to attack the key-management systems (or the end systems) than the crypto, so that's one possibility. Another is that the existing implementations are flawed in ways that reveal the keys and/or plaintext. Last, it's possible that the plaintext was never recovered and the pattern of communication was enough evidence in itself. S Stephen Sprunk "Stupid people surround themselves with smart CCIE #3723 people. Smart people surround themselves with K5SSS smart people who disagree with them." --Aaron Sorkin
Current thread:
- Buying and selling root certificates Sean Donelan (Apr 28)
- Re: Buying and selling root certificates Robert E. Seastrom (Apr 28)
- Re: Buying and selling root certificates Stephen Sprunk (Apr 28)
- Re: Buying and selling root certificates Scott Francis (Apr 28)
- Re: Buying and selling root certificates Iljitsch van Beijnum (Apr 29)
- Re: Buying and selling root certificates Robert M. Enger (Apr 29)
- Re: Buying and selling root certificates David Lesher (Apr 29)
- Re: Buying and selling root certificates Stephen Sprunk (Apr 29)
- Re: Buying and selling root certificates Valdis . Kletnieks (Apr 29)
- Re: Buying and selling root certificates David Lesher (Apr 29)
- Re: Buying and selling root certificates Stephen Sprunk (Apr 28)
- Re: Buying and selling root certificates Robert E. Seastrom (Apr 28)
- Re: Buying and selling root certificates Randy Bush (Apr 28)
- Re: Buying and selling root certificates David Lesher (Apr 28)
- THe Internet is Too Secure Already (was Re: Buying and selling root certificates) Sean Donelan (Apr 28)
- Spam handling joe (Apr 28)
- Re: Spam handling Doug White (Apr 28)
- Re: Spam handling Gregh (Apr 28)
- Message not available
- Re: Spam handling Gregh (Apr 28)