[Laaw]

I mean... you literally can't legislate crypto, can you?

Could someone explain what this would look like, in a practical sense? Would self-signed keys become illegal, and all PKI would have to have a "government" parent key of some kind?

[Spivak]

> If the company cannot meet this standard, it must offer “technical assistance as is necessary to obtain such information or data,” according to the draft.

Based on this it appears not. Here's how I imagine it going.

1. There's something the government wants that you've stored on some SaaS website like Dropbox.

2. But you've encrypted all of your files with your GPG key so Dropbox gives the gov't access to the files and then tells them that's all they can do.

3. Now the government needs your key so they raid your house and take your say, Dell laptop.

4. Now you use FDE and Secure Boot with a custom key so your device is locked tight.

5. The gov't then goes to Dell and demands that they use any exploit they know to unlock your device.

6. So long as you've chosen a good strong passphrase Dell will do their best but ultimately tell the gov't that there's nothing they can do.

[peterwwillis]

They used to legislate crypto, so there's no reason they couldn't now. Back in the day, creating (and "exporting") an SSL library without a license was illegal.

If you're talking TLS, whomever holds the private key would have to use it to decrypt either stored or transmitted data and turn that data over to the feds. If you're talking PGP or something, then either the makers of PGP would have to put in a backdoor, or stop making it.

To implement this all the government would need is to send an NSL to anyone who creates, owns or operates any tool with encryption technology, or anyone who operates a network or service that encryption is going over.

[mjevans]

More to the point, how would this and the 5th amendment interact if it was the end user that created a pass-phrase protected key which no one else knew?