cacert-policy - Re: CCA: open points / comments 2.5

  • From: Ian G <iang AT cacert.org>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: CCA: open points / comments 2.5
  • Date: Wed, 28 May 2014 03:57:46 +0100

I'm well behind on this debate...


On 27/05/2014 20:49 pm, Eva Stöwe wrote:
> Dear Alex, dear List,
>
>>>>> 2.5b Various countries - certainly including UK and US (and I think AU)
>>>>> have legislation in place that can enforce surrender of keys allegedly
>>>>> for anti-organised crime and anti-terrorism reasons in their
>>>>> legislation. Given this, *I'd prefer not to add such a clause*,
> here is another approach for 2.5:
>
> There are a lot of countries - including probably US and UK - that try
> to prevent the business secrets of "their" companies from being stolen so
> that business rivals could profit from them.
>
> There are a lot of countries - including US and UK - that forbid
> employees of the state from sharing secrets they learned during that
> employment. (For US think about Manning or Snowden.) At least I had to
> swear an oath not to share certain kinds of information with outsiders, and
> it was only a student job at the university.
>
> My country - and probably every other country - would not accept any
> other country simply stating that they have a right to learn said secrets
> and that one has to provide everything with which one protects those
> secrets. If I shared those secrets I would be legally responsible
> before local courts - (a false oath is worth at least 1 year in jail in
> Germany - I'm not sure if this would apply in this context but there are
> other laws for employees of the state as well that speak about jail).

Yes -- you might be legally responsible. But that doesn't mean you
would be taken to court.

For example, a company in Belgium handed all the transactions of the
world across to a foreign power. It was not legally allowed to do
this. It was never held responsible, to my knowledge.

You might be able to construct an argument that "big companies" should
be able to share .. but I prefer to view it as naked power. Big
companies can get away with stuff that small people can't. Which
therefore causes me personally to invoke the anti-discrimination
clause; so if a big Belgian company can share the world's secrets
without impunity then we have to do something other than just write
empty words which only apply if and when we have small victims.


> Now for another gedankenexperiment. Consider you have a big company that
> issues some certificates to their employees with which those employees
> should communicate to keep the business secrets secure. Then you learn
> that one of your employees has shared his key with an employee of a
> rival and the rival beats you in a competition and you lose big sums
> of money because the rival knew what you planned and where your weak
> points were. I think you would sack said employee and you would sue him
> for this. You probably would win this case,

On the facts above, yes. The security involved protecting the business
secrets. The act of the employee was designed to defeat that purpose.

It does not meet CCA 2.5-4.


> even if the employee defends
> herself saying that she was told to do so or that she even had to do so
> by the rival.

(These are what we call mitigating circumstances. They may reverse the
judgement, if found to be true or defensible. But they don't change the
initial conclusion.)


> So even if one country declares that one has to share everything with
> them, this will be illegal everywhere else and following this can lead
> to quite harsh legal issues everywhere else.
>
> Sharing keys and by this secrets (even "unimportant" details can make a
> big difference) is banned more or less in every context and one has to
> expect harsh punishment for it.

CCA requires you to secure your private keys, and specifically brings in
the risks of others, making this quite broad. It uses the word 'secure'
because it is tied to the semantics or high level meaning of what you
are trying to really protect.

It doesn't list any particular precautions because that is too hard to
do in CCA. E.g., there is no requirement in CCA to use a HSM or a
keyfob or a password, even.

For the same motive, it doesn't say "don't share keys" because "sharing"
is a complicated issue. If I put my key on a HSM and I share the HSM,
have I shared the key?

> Why should it be different within CAcert? Why should we state that we
> allow doing so - by only saying "should not"?

It's not the case that sharing keys is banned under all or even most
circumstances; indeed there are specific provisions in the CP/CPS where
the sharing should be defined.

For example, mass key provisioning is a popular product with many CAs.
In this product, a CA creates keys, maybe escrows them and then
populates a company's desktops. This is considered a form of key
sharing. CAcert even has code to do that, although hopefully it is
disabled, and it's certainly not allowed to be used because there is no
doco (no policy) that speaks to it.



iang


> If a "must not" would be unfair and not sensible in any given situation,
> there is arbitration to help. As people love to have it for more or less
> everything else.
>
