3 - Also in this ideal world, this one government agency issuing the warrant SSL certificates, and collecting warrant data, would have it's DNS DNSSEC signed ;)
Kind regards Paul Wilkins On Mon, 3 Sep 2018 at 16:56, Paul Wilkins <paulwilkins...@gmail.com> wrote: > Point taken that the point of insertion is inband as opposed to existing > procedures for wire taps. > > 1 - Having multiple agencies all requiring access (as the bill does) is > going to create a multitude of possible targets (m x n) to act as vectors. > This is clearly a vulnerability. An alternate approach would be to have a > single government agency with access, which would then relay the > information to the original agency requesting access. Hence content > providers would be required to allow only 1 VPN from law enforcement to the > point of insertion. > > 2 - In an ideal world, each warrant request could be accompanied by the > issue of a specific SSL key. An identifier assigned to the warrant could be > included in the SSL key as an OID Alternate Name. Then any transfer related > to that warrant could be protected using that specific SSL key. It would > then be up to this one law enforcement agency to ensure the key remains > secure. This agency could operate as a CA for all such keys. > > Kind regards > > Paul Wilkins > > On Mon, 3 Sep 2018 at 15:33, Chris Ford <chris.f...@inaboxgroup.com.au> > wrote: > >> >> Paul, >> >> > I think we can envisage that the proposed regime could be made to work >> by issuing content providers >> > with Technical Capability Notices that would require the content >> provider to create asecure channel for >> > access to the clear text, similar to how secure OOB can be enabled for >> remote users. Traditional AAA >> > mechanisms could be used to ensure that access is secure, logged and >> audited to ensure all accesses >> > have been duly authorised. >> >> I agree that this is probably one way it might work, but my problem is >> that the endpoint for this "secure" channel is not hidden in the carrier or >> CSPs network. It needs to be accessible by the service provider and LEA, >> and hence is open to the internet. It would only be a matter of time before >> that is exploited. >> >> Chris >> _______________________________________________ >> AusNOG mailing list >> AusNOG@lists.ausnog.net >> http://lists.ausnog.net/mailman/listinfo/ausnog >> >
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net http://lists.ausnog.net/mailman/listinfo/ausnog