On Tue, 16 Jan 2007 07:56:22 -0800 Steve Schear <[EMAIL PROTECTED]> wrote:
> At 06:32 AM 1/16/2007, Steven M. Bellovin wrote:
> >Disk encryption, in general, is useful when the enemy has physical
> >access to the disk. Laptops -- the case you describe on your page --
> >do fit that category; I have no quarrel with disk encryption for
> >them. It's more dubious for desktops and *much* more dubious for
> >servers.
>
> As governments widen their definitions of just who is a potential
> threat it makes increasing sense for citizens engaged in previously
> innocuous activities (especially political and financial privacy) to
> protect their data from being useful if seized. This goes double for
> those operating privacy-oriented services and their servers. As an
> example, when TOR servers were recently seized in German raids (with
> the implication that they were being used as conduits for child porn)
> the police knew enough to only take the hot-swap drives (which were
> encrypted and therefore paperweights after removal) if only for
> show. The main loss to the operators was repair to the cage locks.
>

Legal access is a special case -- what is the law (and practice) in any
given country on forced access to keys? If memory serves, Mike Godwin --
a lawyer who strongly supports crypto, etc. -- has opined that under US
law, a subpoena for keys would probably be upheld by the courts. I
believe that British law explicitly mandates key disclosure. And of
course, there's always rubber hose cryptanalysis in jurisdictions where
that's acceptable.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]