[Cryptography] hard to trust all those root CAs

Caspar Bowden (lists) lists at casparbowden.net
Tue Jul 29 01:59:58 EDT 2014


On 07/28/14 06:02, Peter Gutmann wrote:
> "Caspar Bowden (lists)" <lists at casparbowden.net> writes:
>
>> In UK law, there is a Rumpelstiltskin Defence (and although I am not happy
>> with the result, I caused it to be put there and it is better than nothing)
>>
>> http://www.theyworkforyou.com/lords/?id=2000-06-28a.1006.27#g1007.6
> This is somewhat difficult to follow, it's a discussion of legal minutiae
> around a set of amendments to a law? bill?, could you perhaps provide a brief
> interpretation for us?

This <http://www.fipr.org/rip/burdenproof.html> has more background, but 
not the outcome.

In brief, in 2000 the UK legislated the power to demand keys (or 
decryption) of arbitrary (past or *future*) data.

In the original bill, the UK govt wanted to reverse the ordinary burden 
of proof, so that if a defendant is charged with failing to disclose a 
key, the defendant would have to prove they DO NOT have the key/password 
(sic), on a balance of probabilities, to escape conviction (!!!).

The bill was amended during passage, so that if a defendant does not 
know the password (or have the key), they must "adduce sufficient 
evidence to raise the issue", and then the judge ought to direct that 
the prosecution must prove they are lying beyond reasonable doubt (i.e. 
the case flips back to the usual standard for criminal conviction). 
[These legal gymnastics were not my idea BTW, but my briefing on the bleedin' 
obvious problems arising caused the UK govt. to invent this bodge.]

Strangely, the decryption part of the law wasn't activated until 2007, 
and I have never seen a case reported where this defence has been used. 
Nobody knows (AFAIK) what will suffice to "raise the issue", although in 
debate the govt. said going into the witness box and asserting that one 
doesn't have the key would be enough.

This 
<http://www.newstatesman.com/blogs/the-staggers/2010/10/police-drage-password-sex> 
is a cautionary tale describing one case of how this law is working.

CB