emails snowden and poitras

martijn.list martijn.list at gmail.com
Tue Oct 14 11:25:15 CEST 2014


On 10/14/2014 10:55 AM, Rejo Zenger wrote:
> At <http://www.wired.com/2014/10/snowdens-first-emails-to-poitras/> 
> there are some snippets of the e-mails Snowden sent to Poitras as an 
> introduction. One of those e-mails says:
> 
>   "I would like to confirm out of email that the keys we exchanged were 
>   not intercepted and replaced by your surveillants. Please confirm that 
>   no one has ever had a copy of your private key and that it uses a 
>   strong passphrase."
> 
> Of course, we don't have the full picture, but from the information that 
> has been released, this seems to be a surprising question: how would you
> be able to confirm that the keys are not replaced by asking to confirm 
> that no one has ever had a copy of the private key? If the keys have
> been obtained by the adversary, the answer may be altered or not. In any 
> case, the answer doesn't prove anything.
> 
> Of course, if Poitras would answer that her private key is in the hands 
> of some other person, I expect her to have revoked the key anyways.
> 
> So, what's the objective of Snowden, you think?
> 
> And yes, I am aware that Snowden says these steps are not bullet proof. 


Just speculating but this question might help in case of a "gag order".
If Poitras was under a gag order, the best thing to do is to not reply
to that message. By not replying you are not breaking the gag order
(not sure about that though). The sender however might infer from not
getting a reply that the answer was yes, "my keys were compromised".
Only by actively faking a signed and encrypted email, could the
adversary pretend that the keys were not leaked. It might be that there
are legal reasons why this is not allowed or it might be a little easier
to detect that this message was not from Poitras. Again, all speculation.

Kind regards,

Martijn


-- 
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com

Twitter: http://twitter.com/CipherMail


