[Cryptography] China doesn't pass law requiring tech firms to hand over encryption keys

Florian Weimer fw at deneb.enyo.de
Mon Dec 28 16:27:45 EST 2015


* John Levine:

>>China passes law requiring tech firms to hand over encryption keys
>
> The WSJ says that the law was changed slightly before passage:
>
>  "Telecommunications and Internet service providers should provide
>  technical interfaces and technical support and assistance in terms of
>  decryption and other techniques to the public and national security
>  agencies in the lawful conduct of terrorism prevention and
>  investigation," says a final version of the law, published by the
>  official Xinhua News Agency.
>
> Nobody seems to know exactly what that means.  Maybe it means back
> doors, maybe it just means do what you can do.

It's quite similar to the situation in Germany:

“If the obligated party protects the telecommunication entrusted to it
for transmission against unauthorised cognisance by technical measures
on the network side, it must revoke the protective measures used by it
for this telecommunication for the copy of the intercept to be
provided at the handover point.”

<http://www.bmwi.de/BMWi/Redaktion/PDF/Gesetz/TKUEV-deutsch-englisch,property=pdf,bereich=bmwi,sprache=de,rwb=true.pdf>

In both cases, it is unclear if this means that if the obligated party
happens to own a CA in the browser PKI, they must issue interception
certificates and conduct a man-in-the-middle attack to obtain a
clear-text copy of the traffic.
