Let me clarify something, are you in favour of the *results* of key escrow (e.g. state access to private data), so long as something other than key escrow is used to achieve that?
So let me answer your first question with a question: if Western governments mandate key escrow, will the government of UAE be able to use it under the UAE’s legal regime? If yes, then I *am* objectively uncomfortable with key escrow. If no, hello lucrative 0day market.
2 replies 1 retweet 12 likes -
Replying to @matthew_d_green @rmhrisk and
Let's avoid the slippery slope argument (i.e. if one government has key escrow, then they all must) for the purposes of discussion. Do you agree that fixing vulnerabilities is a good thing, or should they be hoarded so that key escrow isn't necessary?
2 replies 0 retweets 1 like -
It’s not a slippery slope argument. Your thought experiment is that the existence of key escrow could wipe out the 0day demand. I think that won’t happen, and the UAE not having access is one example of why it will not. (And giving access to the UAE seems a bad compromise.)
3 replies 0 retweets 15 likes -
Replying to @matthew_d_green @taviso and
As far as whether hoarding vulnerabilities is “good”, clearly it is not! But I don’t see a plausible mechanism for KE to wipe it out. If we’re just playing “what if” then I still don’t know. It’s an honestly complicated question with arguments both ways.
1 reply 0 retweets 9 likes -
Replying to @matthew_d_green @rmhrisk and
Sure, we're talking magic-wand stuff. There is a plausible mechanism to meaningfully move the market though, such as tweaking VEP or other policies. You're correct that we can't eliminate exploits, but we *can* increase scarcity.
1 reply 0 retweets 0 likes -
Replying to @taviso @matthew_d_green and
I suppose my question is, to put it bluntly, are you willing to throw people trying to make exploitation harder under a bus to prevent key escrow?
I think some people are, which bothers me. If you're not, then we're probably on the same page (or at least the same chapter!)
3 replies 0 retweets 1 like -
Replying to @taviso @matthew_d_green and
How about a third option: Being OK with the idea that some data might never be accessible to police agencies, even if it means a guilty person might get away with a crime.
2 replies 1 retweet 6 likes -
Replying to @0xMatt @matthew_d_green and
I mean, that is implicitly one of the options, right? The option I'm not willing to accept is "we don't need key escrow, because you can just hoard more vulnerabilities", because I worry that is putting more people at risk.
1 reply 0 retweets 2 likes -
Replying to @taviso @matthew_d_green and
I don't disagree with you, but I do think it's a moot argument because I don't believe any government would stop collecting and using zero days just because they have key escrow. They'll still want 0-days to use for all the corner cases when escrow fails them.
1 reply 1 retweet 2 likes
It's pretty plausible to imagine tweaking VEP or other policies though, for example. For a big player like the US government, policy changes like that can move markets.