So let me answer your first question with a question: if Western governments mandate key escrow, will the government of UAE be able to use it under the UAE’s legal regime? If yes, then I *am* objectively uncomfortable with key escrow. If no, hello lucrative 0day market.
Replying to @matthew_d_green @rmhrisk and
Let's avoid the slippery slope argument (i.e. if one government has key escrow, then they all must) for the purposes of discussion. Do you agree that fixing vulnerabilities is a good thing, or should they be hoarded so that key escrow isn't necessary?
2 replies 0 retweets 1 like -
It’s not a slippery slope argument. Your thought experiment is that the existence of key escrow could wipe out the 0day demand. I think that won’t happen, and the UAE not having access is one example of why it will not. (And giving access to the UAE seems a bad compromise.)
3 replies 0 retweets 15 likes -
Replying to @matthew_d_green @taviso and
As far as whether hoarding vulnerabilities is “good”, clearly it is not! But I don’t see a plausible mechanism for KE to wipe it out. If we’re just playing “what if” then I still don’t know. It’s an honestly complicated question with arguments both ways.
1 reply 0 retweets 9 likes -
Replying to @matthew_d_green @rmhrisk and
Sure, we're talking magic-wand stuff. There is a plausible mechanism to meaningfully move the market though, such as tweaking VEP or other policies. You're correct that we can't eliminate exploits, but we *can* increase scarcity.
1 reply 0 retweets 0 likes -
Replying to @taviso @matthew_d_green and
I suppose my question is, to put it bluntly, are you willing to throw people trying to make exploitation harder under a bus to prevent key escrow?
I think some people are, which bothers me. If you're not, then we're probably on the same page (or at least the same chapter!)
3 replies 0 retweets 1 like -
I’m not willing to make any tradeoffs like that at all. I’m hoping that people like you will make things more secure, and along the way governments learn how to police the way they did in 1990 before smartphones.
2 replies 0 retweets 13 likes -
Replying to @matthew_d_green @taviso and
Even if I believed in tradeoffs, there’s no party to make the deal with.
1 reply 1 retweet 8 likes -
Replying to @matthew_d_green @rmhrisk and
Sure there is, you're a notable voice in cryptography. If you argue key escrow isn't necessary because the government can just hoard more exploits, that would be heard. It sounds like you don't argue that, so luckily it's not a problem.
1 reply 0 retweets 2 likes -
Replying to @taviso @matthew_d_green and
They're not listening to notable voices in cryptography. They're listening to notable voices in boot-licking.
1 reply 0 retweets 8 likes
well okay haha