by rdl
4637 days ago
The only reason they got the SSL key search warrant was his aggressive noncompliance with the pen register/pen trap. I didn't realize pen register applied to non-CALEA entities (this is a PATRIOT 216 thing); if it didn't, there would have been no justification for 1) forcing his cooperation and 2) getting SSL keys from him. With Patriot 216 pen trap, they can compel full cooperation to the same standard as a CALEA-covered entity, which they knew he couldn't provide as well as their own pen trap device (at least without work; they found $2k unreasonable to implement it!), so they can get a warrant for SSL keys for their pen trap. With that they can do whatever. There may be a solution in SSL keys which can't be exported (HSMs) into the pen trap; you'd potentially be able to require a secret compatriot offshore (or via a cutout) to assist in adding a new load balancer or front end, so you'd be technically unable to comply. They could require you generate and use new keys, but users could detect that, and you could warn of this when you first set up the system.
What does this mean? Don't they have the legal ability to force compliance?