Who says the records on individuals will be maintained?
Again you have more experience than I ElNono, but wouldn't an encryption scheme with only a public key be one way only? And without the other key to decrypt, the data would be useless.
Ah well, scientists will come up with quantum encryption in the next few years anyways, which will screw the game ALL up...
Who says the records on individuals will be maintained?
White House emails are public records with a retention requirement. I think the Open Records Act -- therefore, Congress -- says they'll be maintained.
But not records on individuals -- just a bunch of emails that were sent in voluntarily.
Substitute email for record -- because that's what it is -- and it seems this section is relevant: "(7) maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;"
I don't believe they are sent in voluntarily by the subject of the email.
They are voluntarily sent in by the sender of the email. I'm sure the White House already receives many forwarded emails with political speech on them. You're saying they are obligated to delete any trace of those emails even though they are obligated to keep a record of all the communications under the records act. You'll need to prove this is already being done.
Solicited by the White House.
There was nothing in the laws you posted about that.
Besides, it looks like the Open Records statute you cited expressly allows the keeping of the emails.
I believe a T.V. lawyer would say something like, "speaks to intent, your honor."
I believe it wouldn't hold water in the real world since you provided the statute that allows, no, actually requires the retention of the records.
No doubt you so.
The administration cannot control unsolicited email and its content. Setting up an email account and soliciting emails about the first amendment activities of private citizens is another matter.
You'd have to prove how it is another matter. No law you have posted up to this point says anything about solicitation or intent. You have posted that they are actually required to keep all the emails they receive, which appears to meet the statutory requirement of the "Records Maintained on Individuals" law and haven't provided any exceptions to the Open Records law that would require the destruction of those records.
It's an interesting contradiction. I'm sure there will be a court challenge if your blogger's legal opinion has merit.
Looks like someone already asked some lawyers about this. http://www.washingtonexaminer.com/op...-52571822.html
If there are unique keys, then that's fine. However, if it's software created during the session, and the distant end has to recreate a key, then it can be reverse engineered.
There is a law that e-mails must be retained. Remember the controversy over deleting e-mails?
We're mixing things up. A block cipher only requires a single key, which can be used to encrypt/decrypt. A public key encryption cipher requires a public and private key pair. If you want to communicate two-way with it, then you need one pair on each end, but for SSL it is not really necessary.
Without all the details, this is what happens when you open a SSL connection:
- Server sends certificate
- Client gets certificate and verifies: 1) That the host name on the certificate matches the host name it connected to. 2) That the certificate has not expired and 3) That the certificate has been digitally signed by a certificate authority (Verisign, etc). Every browser comes with a list of certificate authorities (which themselves are certificates). If something doesn't match, then this is when the web browser warns you that the certificate is not valid, and asks you whether you want to continue.
- The server certificate also contains an RSA public key. So if everything verified correctly, the client grabs this RSA public key from the certificate.
- Server and client negotiate a block cipher to use and the server provides a cryptographically strong random key for the session (it does this by encrypting the block cipher key with its private RSA key, and the client decrypts it with the public key it obtained from the certificate before).
- Now you have a secure connection both ways using the block cipher.
To see this in action, if you are using Firefox, go to a secure site, then double click on the little lock at the bottom right.
Under 'Web Site Identity' you can view the server's certificate, along with the public key, who issued the certificate (the Certificate Authority), the validity, etc. Under 'Technical Details', you can read "Connection Encrypted: High-grade Encryption (<block cipher - key bits>)". For example, my bank uses 3DES-EDE-CBC 168 bits.
Last edited by ElNono; 08-07-2009 at 03:26 PM.
Read my previous post.
Are you serious?
How does the distant program unravel the key?
You think a good programmer cannot do the same?
You have to have unique keys that are input, not computer generated. If computer generated, they have to be delivered with security, and it's not secure under the public key, until the private key is set. I haven't worked with cryptography for several years, but I do know that as fact. Knowing the public key, and monitoring it as the private key is generated, you now also have the private key if you know how to reverse engineer the cryptography.
No private key is generated.
This is how it works:
I generate a private/public key pair. I hand you and 10 other people my public key.
Whenever I want to send you a message, I encrypt it with my private key and send it to you.
You decrypt it with my public key. No private key is generated to do that.
My private key never leaves my computer. You cannot derive my private key from the public key I gave you.
Neat, huh?
Anyone else that has the public key can decrypt it.
Good, I wanted you to get to this point.
Now, we introduce YOUR private/public key pair.
Where you hand me your public key, and you keep your private key.
So the only keys exchanged were the public keys, even through an unsecure channel.
Now, when I want to send a message JUST to you:
I encrypt the message with my private key, then re-encrypt it with your public key, then send it to you.
At that point, you decrypt it with your private key, and then one more time with my public key.
Now, even if somebody would have both of our public keys, they couldn't read the message. The private keys never left our computers, and cannot be derived from the public keys.
And this is indeed how public key cryptography works.
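An added example, not ElNono's code or anything posted in the thread, that traces the exchange above with textbook RSA on constructed small primes: the sender applies their own private key, then the recipient's public key, and the recipient undoes the two steps in reverse order. It also shows the earlier point that a message processed only with the sender's private key is readable by anyone holding the public key. The primes, exponent and message value are constructed for illustration.

```python
# Added example: textbook RSA on tiny constructed primes to trace the exchange
# described in the thread. Toy numbers only: real keys use 2048-bit moduli,
# padding, and a hash of the message; these primes are trivially factored.
from math import gcd


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)) for constructed primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(m, key):
    """One RSA operation, m^k mod n; the same arithmetic for either half of a pair."""
    k, n = key
    assert 0 <= m < n, "value must be smaller than the modulus"
    return pow(m, k, n)


# Constructed key pairs: the sender's and the recipient's. The sender's modulus
# is chosen smaller than the recipient's so the intermediate value fits; real
# systems avoid this ordering problem by signing a hash and encrypting a random
# session key rather than applying RSA to the message itself.
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53)    # n = 3233
RECIP_PUB, RECIP_PRIV = make_keypair(101, 113)    # n = 11413


def send_private(message, sender_priv, recip_pub):
    """Sender: own private key first, then the recipient's public key."""
    inner = apply_key(message, sender_priv)
    return apply_key(inner, recip_pub)


def receive_private(ciphertext, recip_priv, sender_pub):
    """Recipient: own private key first, then the sender's public key."""
    inner = apply_key(ciphertext, recip_priv)
    return apply_key(inner, sender_pub)


if __name__ == "__main__":
    msg = 2024  # constructed message value, must be below the sender's modulus
    ct = send_private(msg, SENDER_PRIV, RECIP_PUB)
    print("ciphertext:", ct, "recovered:", receive_private(ct, RECIP_PRIV, SENDER_PUB))
    # Private key only: anyone with SENDER_PUB reads it (the "10 other people" case).
    print("public-readable:", apply_key(apply_key(msg, SENDER_PRIV), SENDER_PUB))
```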
I'm with you, except when were the copies of the private key passed? If they were passed over the public key, they could have been copied by anyone else with the public key.
You can only securely transmit a private key to the other user if the encryption is already protected with a private key. We used to update keys that way, but we were already secure.
Now as a bank. The system operates on a public key. Fine. Each user has his own private key, and the bank has a copy of all the private keys. This key would have to be sent by some other method like hand delivered, or by mail and manually entered. Even by disk, USB stick, or any method that is secure, and not transmitted in the public.
If you expect me to trust a private key sent over a system only protected by a public key, then you expect too much. If that's what is happening, and you believe it's secure, then your employer is blowing smoke up your ass. Anyone monitoring the data exchange can decrypt the key with the right know-how. If you meant what I said earlier by hand, disk, stick, etc., then yes, the data is secure.
Where you hand me your public key, and you keep your private key.
My argument is you cannot securely pass a private key over a public key protected system.
They never were. You don't need to pass the private key.
You don't ever need to transmit the private key.
No. The bank has its own private key, and a copy of all the public keys.
The private key is never sent. Only the public key is. I can send you my public key over this very forum, and you can send me yours, and we'll be as secure as ever.
You could. You just don't understand at all whatsoever how the system works. But that's ok. Obviously you don't work with this stuff, so I can't expect you to understand.
So the retention would be allowed by statute, meeting the requirement of the Privacy Act.
That is if the White House is counted as a government agency; that isn't at all clear.