Re: Rule of law

From: Dave Longley <dlongley@digitalbazaar.com>
Date: Thu, 18 Feb 2016 13:29:30 -0500
To: Timothy Holborn <timothy.holborn@gmail.com>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <56C60D8A.7050908@digitalbazaar.com>

On 02/18/2016 12:50 PM, Timothy Holborn wrote:
> So,
> I assume Apple[1] can decrypt it.

I think that's a big assumption. Have they said that? I don't know how
they do their encryption, but if they are using symmetric encryption
where the key is derived from a password only the user knows, then, no,
they can't decrypt it. Unless the password is easily guessable, it's not
feasible to brute force attack the encryption.

> So, the issue is how to trust gov? Locally or internationally?
> Couldn't a bunch of approved credentials be used to present something
> at the phone that in-turn allows that device to say, recognise the
> president said - executive orders - open it.

You could do two forms of encryption: one for the user and one using a
public key owned and protected by the government. Of course, then the
government can read everyone's private data.

I suppose you could require a credential from a court (signed by the
court's public key) indicating a court order was granted to the
government in order to use their key to read the data ... but it's all a
little unclear as to whether or not these protections would actually be
followed, or rather, if they weren't, that a violation of them could be
easily detected.

Dave Longley
Digital Bazaar, Inc.
Received on Thursday, 18 February 2016 18:29:57 UTC