On 12/10/14, Eleanor Saitta <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 2014.12.10 14.57, Jacob Appelbaum wrote:
>> On 12/10/14, Eleanor Saitta <[email protected]> wrote:
>>> On 2014.12.10 13.56, Mike Hearn wrote:
>>>> From a privacy perspective the rationale is fairly clear.
>>>
>>> Has anyone ever seen a case where cryptographic deniability was accepted by a judge? As far as I can tell, its legal value is a fiction from the cryptographic community.
>>
>> Yes, I think so. The lack of signatures ensures that a text log is just that - a text file without cryptographic assurances. It is subject to tampering. If I recall correctly, this issue came up a bit in Anakata's recent trials.
>
> No, I want specific case law that directly addresses deniability. Because this still doesn't frankly pass the laugh test from any lawyer I've seen asked about it, and yet we keep bending over backwards for it.
>

A digital signature is binding. A lack of a digital signature on a text file certainly leaves room for assertion of tampering and of repudiation of the statements contained in the text file. As I understand the legal case in Denmark, at least one of the two people in Anakata's case denied the contents of what appears to be a logged OTR conversation. If they had used PGP encrypted/signed mails, I think the prosecution would have made a very strong argument about PGP signatures. Does that count as a reference to case law? I've requested transcripts of the trial but after over a month of waiting, I'm not sure when they will be delivered.

>> Furthermore, the inverse is accepted routinely - digital signature laws in some US states. Washington State in the United States seems to be an example. If you have a PGP signed email, I'd expect some binding laws to apply for statements made in the signed portion of the text. Without a signature, I don't think it will fall under the same digital signature statutes.
>
> That the inverse is accepted does not provide any predictive properties about the value of the supposed forgability in allowing the value of a police evidence chain to be called into question.

If I recall some of the things from the Danish case involving Anakata and another person, they specifically raised the issue of plausible tampering with the logs.

> It's worth noting, further, that the *only* argument in question here is whether there is any value of deniability during a trial. It is clear that there is zero operational security value* to deniability in any plausible case, something rather more critical to the life-safety use of such systems.
>

I think Anakata's case, at least in Denmark, might be one measure of the value of this line of argumentation. I'm not totally sure how well it worked out for either of them though.

>> Repudiation and non-Repudiation are real properties that have contextual value.
>
> Deniability is not the same as repudiation in practice; conflating them is not reasonable.

I'm not sure that I follow. Why isn't it reasonable to link deniability to repudiation? One of the goals of OTR's deniability property is to ensure that any log is simply a he-said-she-said text file game rather than a cryptographic certainty. That allows in practice for repudiation - the efficacy as a legal strategy is not completely clear to me and it seems case by case to require analysis. A signature system that has non-repudiation as a property seems to leave little room for anything except an argument of some other kind of deniability such as "bob took my PGP key."

Why not have both options, legally and cryptographically?

All the best,
Jacob

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
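The distinction the thread turns on, between a signed message that a third party can verify against a public key (non-repudiation) and an OTR-style transcript authenticated under a key both parties hold (deniability), can be made concrete in a few lines. The following is an added illustration written for this page; it is not code from OTR, PGP, or any participant in the thread. It assumes a Lamport one-time signature built from SHA-256 as a stand-in for a real signature scheme (so that it runs on the Python standard library alone), HMAC-SHA256 as a stand-in for OTR's MAC-based message authentication, and constructed names, keys and message strings.

```python
"""Added example: why a MAC'd transcript is repudiable but a signed one is not."""
import hashlib
import hmac
import secrets

# ---- Deniable authentication: a MAC under a key both parties share ----
# Checking a tag requires the same key that produces tags, so anyone who can
# verify a line of the log could equally have written it.

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)

# ---- Non-repudiable authentication: a Lamport one-time signature ----
# Hash-only construction (no third-party library). Each key pair may sign
# exactly one message; reusing it would reveal further private values.

def _msg_bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def lamport_sign(sk, message: bytes):
    # Reveal, for each digest bit, the private value matching that bit.
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(message))]

def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(
        hashlib.sha256(part).digest() == pk[i][bit]
        for i, (part, bit) in enumerate(zip(signature, _msg_bits(message)))
    )

def run_demo() -> dict:
    # Constructed parties, keys and messages for the illustration.
    alice_sk, alice_pk = lamport_keygen()
    bob_sk, _bob_pk = lamport_keygen()
    shared_key = secrets.token_bytes(32)          # the Alice/Bob session key
    msg = b"Alice: I will be at the station at 9."
    fake = b"Alice: I did it."

    sig = lamport_sign(alice_sk, msg)
    alice_mac = mac_tag(shared_key, msg)

    return {
        # A third party holding only Alice's public key can confirm the signed
        # line is hers, and that an altered line is not: nothing to repudiate.
        "signed_line_verifies_for_third_party": lamport_verify(alice_pk, msg, sig),
        "altered_signed_line_rejected": lamport_verify(alice_pk, fake, sig),
        # Bob cannot manufacture a signature that checks under Alice's key.
        "bob_forgery_of_alice_signature_rejected": lamport_verify(alice_pk, fake, lamport_sign(bob_sk, fake)),
        # The MAC'd line checks out for a key holder ...
        "mac_line_verifies_with_key": mac_verify(shared_key, msg, alice_mac),
        # ... but Bob, or anyone handed the key, can mint a line Alice never wrote,
        # so the log is a text file whose tags prove nothing about authorship.
        "forged_mac_line_verifies_with_key": mac_verify(shared_key, fake, mac_tag(shared_key, fake)),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the two `fake` checks is the asymmetry: with the signature, a party who does not hold Alice's private key cannot produce anything that verifies, so the transcript carries weight with outsiders; with the MAC, the very party presenting the log as evidence holds everything needed to have fabricated it.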
