[Freedombox-discuss] Fwd: Re: Roadmap / Wishlists

Sandy Harris sandyinchina at gmail.com
Mon Apr 18 12:22:36 UTC 2011

Philip Hands <phil at hands.com> wrote:

> The UK's RIPA (Regulatory and Investigatory Powers Act 2000) makes it an
> offence to refuse to supply one's crypto keys when requested by a
> properly authorised person ...

Yes, and there are plenty of similar problems elsewhere. The US
government demanding Twitter records. Big media subpoenaing
IP addresses, account info, etc.

Probably the only defense against that sort of thing is to be
able to prove you do not have it.

For the media and Twitter attacks "Sorry, but we only keep
logs for two days since that is long enough to diagnose
network problems and block spammers, See, that's right
here in our published policies."

For communications. "Sorry our system is set up for
Perfect Forward Secrecy. Once the short-term keys
are changed, even we cannot recover the old ones."

Some systems do provide PFS. It is an option in IPsec
and built into OTR. I do not know if it is provided in
SSH or SSL. Anyone?

I think PFS can only be done easily in systems where the
two players negotiate a key; it does not apply to things
like PGP where there's no negotiation. This means if
the blue meanies get your PGP private key, they can
read any old messages that you or they have stored.

So discarding logs early and using PFS protect some
things. I have essentially no idea how to protect the
rest and of course They might make it illegal to
discard logs. Europe just passed a data retention
law, for example.

More information about the Freedombox-discuss mailing list