Re: Buying and selling root certificates

["Stephen Sprunk" <stephen () sprunk org>]

Thus spake "Iljitsch van Beijnum" <iljitsch () muada com>
> On 29-apr-04, at 7:02, Stephen Sprunk wrote:
> > The feds clearly have the power to get through or around encryption
> > suspected criminals are using: the FBI reports that there have been
> > _zero_ cases nationwide over the past several years where the use of
> > encryption has prevented them or other agencies from obtaining the
> > evidence needed, even when "secure" tools like PGP, SSL, or IPsec
> > are used.
>
> I have a hard time believing this...

The DOJ was directed by Congress to collect data and report back each year,
and while I don't trust any law-enforcement types in general, I do trust in
their fear of Congressional inquiries.  Besides, given the FBI's past
position on crypto, especially key escrow, I have a hard time believing
they'd claim crypto wasn't a problem if it actually was -- that's
counter-productive for them.

> So what do they do? Send a team in to retrieve the key from your
> system? Borrow some CPU time from the NSA?

The reasons for the FBI's conclusion were not given.  It's "common
knowledge" that it's cheaper to attack the key-management systems (or the
end systems) than the crypto, so that's one possibility.  Another is that
the existing implementations are flawed in ways that reveal the keys and/or
plaintext.  Last, it's possible that the plaintext was never recovered and
the pattern of communication was enough evidence in itself.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723           people.  Smart people surround themselves with
K5SSS         smart people who disagree with them."  --Aaron Sorkin