At 03:09 AM 5/23/00 +0200, you wrote:
>At 18.28 +0200 0-05-22, [EMAIL PROTECTED] wrote:
> >I would hope that any software I use, that is able to put
> >my digital signature on some data, would ask me for my
> >pass-phrase every time my private key is used. I would
> >even hope that such software wouldn't be able to use my
> >private key without the pass-phrase, otherwise anybody
> >with access to my computer could easily forge my signature.
>
>It is not easy to design encryption software which cannot
>be corrupted by viruses. A virus could catch your passphrase,
>and then use it itself for nefarious purposes. That is why
>many people want to use smart cards. But I am not sure they
>are secure. A virus could catch the communication to and
>from your smart card. And developers of smart cards seem
>to want to put so much functionality in the card itself,
>that it becomes open to viruses in itself.

First, the idea of a standards committee working to "fight computer crime"
is a pipe-dream. You might as well ask ..... The issue is building
software/firmware/hardware that works and is as secure as possible. We all
have heard the story about secure computing on a network, so we shall be
spared the sophism. One could argue the theoretical flaws to almost any
system -- and not do anything but waste bandwidth.

We are engineers and scientists working to solve technical problems
securely. We are not lawyers to intermix Title 18 Sec. 1030 style codes in
with our IP headers, they pay the "suits" to do those things. We can have
strong resolve that these problems mean that work from the groups on secure
time stamping, strong encryption, AAA, etc. etc. make for a more "solid
chain of custody" for a "reasonable prudent man."

In other words, doing those things that we are already chartered to do
would make sense and new work to create secure mechanisms within the
framework of the IETF-IESG-IAB should help to "fight computer crime." And
all this without making changes to "fight computer crime."

Second, the issue of law in today's arena does not provide for a
non-jurisdictional universe. I mean the Jupiter Bureau of Investigations
(JBI) will deal with the Internet within the 10,000 km terrestrial boundary
and within, no one on Earth will have jurisdiction here. Each country, each
state, each county, and each city have different values and mores. The fact
that people from around the world can be your virtual neighbors has
generated a buzz word around eCommerce - The Death Of Distance. The problem
is that while they are virtually in proximity, they are really nine time zones
away and are separated by several geographical jurisdictional boundaries
(not to mention diplomatic boundaries).

Finally, I believe it was Steven's comment that it is very difficult to
build a secure system that has selective levels of security; thus allowing
law enforcement more easy access.

To me it is this simple --- Continue to support promising new IP versions
(IPv6). Get IPsec to actually work with current IPv4 systems across all
hardware and software boundaries. Revitalize the use of already existing
secure protocols. Embrace the spread of IETF members from the security area
into other areas of the IETF; or better yet, seek them out and ask them
about possible concerns you have about your latest ID, RFC, thought et al.

WE ARE NOT a part of the United States Justice Department. We (for the most
part) are not lawyers or judges or law enforcement personnel; and we sure
as hell don't play them on TV. Stick with protocols, not attempts to be in
the Justice Department.

Please understand that I am not against the United States Justice
Department and the National Security Agency wanting the ability to obtain
legal wiretap information. I am against becoming the jack-booted thugs of
ambitious bureaucrats, not wanting to do their own dirty work. If they want
this so bad, let them pass-the-laws, obtain the money, and expend the
all-important-political-capital to make a pipe dream like this happen.

Protocols not Codification!!!!!!

Warmest Regards,
Chet Uber
Deputy Director of Operations
Incident Response Team Leader
NEbraskaCERT (c). 7660 Dodge, Omaha, NE 68114
vox 402-498-2673 fax 402-391-3906
[EMAIL PROTECTED] www.NEbraskaCERT.org
"Are you in a Security State of Mind?" © 1998-2000
"Quis custodiet ipsos custodes?"
"Who watches the watchmen?" - Juvenal, Satires, VI, 347