[AusNOG] Dutton decryption bill

Paul Wilkins paulwilkins369 at gmail.com
Mon Sep 3 17:47:49 EST 2018


3 - Also in this ideal world, this one government agency issuing the
warrant SSL
 certificates, and collecting warrant data, would have it's DNS DNSSEC
signed ;)

Kind regards
Paul Wilkins


On Mon, 3 Sep 2018 at 16:56, Paul Wilkins <paulwilkins369 at gmail.com> wrote:

> Point taken that the point of insertion is inband as opposed to existing
> procedures for wire taps.
>
> 1 - Having multiple agencies all requiring access (as the bill does) is
> going to create a multitude of possible targets (m x n) to act as vectors.
> This is clearly a vulnerability. An alternate approach would be to have a
> single government agency with access, which would then relay the
> information to the original agency requesting access. Hence content
> providers would be required to allow only 1 VPN from law enforcement to the
> point of insertion.
>
> 2 - In an ideal world, each warrant request could be accompanied by the
> issue of a specific SSL key. An identifier assigned to the warrant could be
> included in the SSL key as an OID Alternate Name. Then any transfer related
> to that warrant could be protected using that specific SSL key. It would
> then be up to this one law enforcement agency to ensure the key remains
> secure. This agency could operate as a CA for all such keys.
>
> Kind regards
>
> Paul Wilkins
>
> On Mon, 3 Sep 2018 at 15:33, Chris Ford <chris.ford at inaboxgroup.com.au>
> wrote:
>
>>
>> Paul,
>>
>> > I think we can envisage that the proposed regime could be made to work
>> by issuing content providers
>> > with Technical Capability Notices that would require the content
>> provider to create asecure channel for
>> > access to the clear text, similar to how secure OOB  can be enabled for
>> remote users. Traditional AAA
>> > mechanisms could be used to ensure that access is secure, logged and
>> audited to ensure all accesses
>> > have been duly authorised.
>>
>> I agree that this is probably one way it might work, but my problem is
>> that the endpoint for this "secure" channel is not hidden in the carrier or
>> CSPs network. It needs to be accessible by the service provider and LEA,
>> and hence is open to the internet. It would only be a matter of time before
>> that is exploited.
>>
>> Chris
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20180903/d82d8688/attachment.html>


More information about the AusNOG mailing list