In message <[EMAIL PROTECTED]>, Declan McCullagh writes:
>
> This followup might be relevant too. Has the FBI ever publicly weighed in
> on an IETF debate before? Are there any implications here in other areas,
> such as taxes, content, or encryption?
There are clearly many aspects to this question. The particular IETF
discussion was triggered by a move in a working group that was concerned with
connectivity to the PSTN; they wanted to add CALEA support to their protocol.
Should that be done in the IETF?
It's clear that such capabilities lower the security of the system. (A
fascinating Wall Street Journal story (Oct 1, front page) describes how a
"data tap" was used to monitor some hackers. Among other things, assorted
hackers found databases of phone numbers being monitored by the FBI. What
will these folks do when they can get to CALEA ports?) But it's also clear
that folks who manufacture this gear for sale in the U.S. market are going to
have to support CALEA, which in turn means that someone is going to have to
standardize the interface -- the FBI regulations at the least strongly urge
that industry-standard protocols be used for such things. (And yes, it's
quite clear that many uses of this particular working group's protocol would
be within the scope of the law.)
So -- how should the back door be installed? In the protocol? In the telco
endpoint? Is it ethical for security people to work on something that lowers
the security of the system? Given that it's going to be done anyway, is it
ethical to refrain, lest it be done incompetently?
--Steve Bellovin