surveillance, Re: long-term GPG signing key

Ed Gerck edgerck at nma.com
Thu Jan 19 20:49:39 EST 2006


Ben Laurie wrote:
> Perhaps this is time to remind people of "Security Against Compelled
> Disclosure": http://www.apache-ssl.org/disclosure.pdf.
> 

Thanks. Surveillance technology is now almost 6 years ahead of April, 1999,
when the cited Report to the Director General for Research of the European
Parliament was issued.

Today, surveillance is not just a political problem or a concern for
someone involved in illegal activities, or just about breaking my own
privacy. Surveillance has become a ubiquitous threat to the right to
privacy and duty of confidence to others whom I have the legal or moral
obligation to protect, dramatically increasing the probability of
disclosure by eliminating the "need to know" block usually applied to
reduce disclosure risk. Untrustworthy individuals exist and are hard to
detect in any organization, including federal and law enforcement agencies
and at any government level. The "need to know" policy, which would be
the #1 barrier to prevent more individuals from being exposed to the critical
information, directly reducing the probability of disclosure, is silently
destroyed by surveillance.

Thinking about IT security needs in the XXI century, the solution of using
encryption and document control to prevent surveillance and secret-disclosure
would seem to impose itself.

Despite the apparent simplicity and widespread availability of public-key
cryptography, PGP and X.509 S/MIME, less than 5% of all email is encrypted.
Banks won't even consider using encryption for sending out monthly statements
and notices. It's not just the mounting problem with email fraud schemes such
as spoofing and phishing. Banks discovered that not even their own employees
were willing to use encryption.

The real security question of the XXI century is ease-of-use -- that the
security solution will actually be used takes precedence over any potential
benefits. In this context, the subject of email security is being discussed at
http://email-security.net/ -- please take a look at the Blog and Papers sections.
Contributions are welcome. A comparison of current email technologies is
presented at http://email-security.net/papers/pki-pgp-ibe.htm

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com