In theory you could automate it, but that would require a different architecture.
It's honestly pretty stupid that email is being used for this instead of having a secure portal which could include things like RSA hard tokens, or even just passwords with 2FA would be a step up. Nothing is fool proof, but this sort of stuff is common with other sensitive information like finance.
Honestly, email would do the job too, if it was signed email.
I’m pretty sure the largest deployed PKI system is the US federal government’s - it really feels like we should be able to deploy something for law enforcement agencies. (And in fact that’s what the legislation mentioned at the end of the article appears to do.)
The email server typically does not contain key material. If you’ve ever interacted with the military or related contractors you may recognize this card: https://www.cac.mil/common-access-card/
That’s a smart card, containing a certificate that can be used to sign email, be used as a client cert for web access, etc.
Now, it has moved the problem to some extent, in that now you have to secure the CA that’s issuing these certs.
I'm a little familiar with CAC cards from years ago. I don't believe they were using them to sign emails at that time. That's different than the signing process I was familiar with. That would work.
The DoD root CAs are pretty damn secure. They're offline in physical vaults on military installations. Compromising one of those is a far cry more difficult than some town of 400's local PD e-mail server.
Granted, you only need to compromise a RAPIDs office to issue yourself a CAC, but that is still offline and on military installations (though often much less secure reserve/guard installations).
Wouldn't the cert need to be specific to the individual for proper identification? So getting one for yourself might not provide the sufficient privilege.
The cert would verify that a specific individual signed the email, with someone having previously verified issuing the credential to the right person (this sort of thing is usually issued as a smart card ID, so it's used for several things, and it's unlikely people lose it without reporting it lost and getting it revoked).
Yeah, issuing themself one through RAPIDS. You need to authenticate against RAPIDS to issue one. So you're looking at stealing a credential, and hoping you can get it done before it's noticed it's gone and revoked, and hoping that they don't go ahead and look at logins between when it was last seen and when it was revoked in order to see if there's any weirdness, at which point your credential gets revoked.
If they did something similar for law enforcement, it would probably have the same sort of restrictions: you need to authenticate to get a credential, but to authenticate you need a credential. So you need to steal one to issue yourself one.
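The signed-request flow argued for above (a smart-card certificate issued by an agency CA, with revocation when a card goes missing), as an added Go example that is not from this thread: a constructed root CA issues one officer certificate, and the receiving side accepts a request only if the chain, revocation status, certified e-mail address and signature all check out. The CA name, the officer address, the serial-keyed revocation list and the use of Ed25519 are all assumptions; Go's x509 Verify does no revocation checking itself, so the list is checked separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyRequest accepts a signed request only if the signer's certificate chains to the trusted agency root,
// its serial is not on the revocation list, it was issued for the claimed From address, and the signature covers the body.
func VerifyRequest(body, sig []byte, signer *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, from string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := signer.Verify(opts); err != nil {
		return err // self-issued or foreign-CA certificate: no trust path to the agency root
	}
	if revoked[signer.SerialNumber.String()] {
		return errors.New("signer certificate revoked") // card reported lost and revoked by the CA
	}
	if len(signer.EmailAddresses) != 1 || signer.EmailAddresses[0] != from {
		return errors.New("From address does not match certified identity")
	}
	if !ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), body, sig) {
		return errors.New("signature does not cover this body") // body altered after signing
	}
	return nil
}

// Demo builds a constructed root CA plus one officer certificate, signs a sample request, and returns
// the outcomes for the honest case, a revoked card, and a From header claiming someone else's identity.
func Demo() (okErr, revokedErr, spoofErr error) {
	exp := time.Now().Add(24 * time.Hour)
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Agency Root CA"}, NotAfter: exp, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	offPub, offKey, _ := ed25519.GenerateKey(rand.Reader)
	offTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Officer Example"}, EmailAddresses: []string{"officer@example.gov"}, NotAfter: exp, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	offDER, _ := x509.CreateCertificate(rand.Reader, offTmpl, root, offPub, rootKey)
	officer, _ := x509.ParseCertificate(offDER)
	body := []byte("EDR: constructed sample request body") // constructed stand-in for the e-mail body
	sig := ed25519.Sign(offKey, body)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	okErr = VerifyRequest(body, sig, officer, roots, nil, "officer@example.gov")
	revokedErr = VerifyRequest(body, sig, officer, roots, map[string]bool{"42": true}, "officer@example.gov")
	spoofErr = VerifyRequest(body, sig, officer, roots, nil, "chief@example.gov")
	return
}
```

A certificate minted by anyone other than the agency root fails at the first check, which is the point made above about the CA becoming the thing that has to be secured.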
Sorry for the somewhat off-message thought, but perhaps this kind of thing is actually more secure if you _don't_ attempt to automate it?
Maybe the person receiving the request should actually go and look up the phone number of the police department or court who allegedly issued it/approved it, and then call that number (note: not the number mentioned on the request itself).
Surely if that was the SOP, this kind of stuff would just stop?
Where are they looking it up? Is that source secure? If it's just on a website, that could be easily corrupted.
There's a huge number of systems across the US. I am assuming that a centralized system would provide better security overall compared to the many small and often neglected local systems. This would also standardize the process, reducing the possibility of some locales practicing insecure processes.
> If it's just on a website, that could be easily corrupted.
Back in the day we had things called "telephone directories" (I'm showing my age somewhat)
Is it beyond the wit of man to have the CIA/FBI/NSA/$TLA publish a "list of places to phone" when you receive an Emergency Data Request?
If the source isn't on the list, you can ignore it. If it is on the list, phone the number on the list to verify it?
This really isn't rocket science. At least not for those of us who grew up in an age where you could step into a phone box and open up a printed directory and look up someone's phone number...
Yeah, I'm baffled by the idea that the internet is the only possible way to convey information about phone numbers.
It's not even that we are old enough to have experienced looking up a number in a phone book and some people here are too young to have that experience. The obvious solution to this seemingly unsolvable problem is to print some numbers on a piece of paper and post it to each company you want to get data from in the future.
So are they issuing a new book every time a department/precinct is created, merged, disbanded, or the number is otherwise changed? This still doesn't solve the issue of authentication of the issuing party since the phone location could be unsecured, or the call rerouted.
That is a possibility. It would likely need to be digital, not printed, to avoid stale data. The identity verification will still be less than what you could do with something like certificates or RSA tokens since there's nothing guaranteeing the person on the other end is who they say they are (numbers change, area could be unsecured/unmanned, call redirected, etc).
> It would likely need to be digital, not printed, to avoid stale data
Q: Would one expect police departments to be the kind of places which would change their main telephone number regularly?
Consumers change providers often. Institutions? Maybe not so much. (As an aside, I've just checked, and my old university's phone number is exactly the same as it was 30-odd years ago when I enrolled).
To be frank, I'd prefer a printed version for something like this. Harder to hack a directory that's hard copy and whose entries really ought not to be changing very often. If ever.
For the telephone number of their local police department? Is it supposed to be secret? My point is that it should be public!
> How does it not change often? There are constantly new departments starting, departments/precincts merging, and departments shutting down
There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids.
For $deity's sake, some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones. If someone is missing and needs to be found quickly, all they need to do is pick up the phone and reach out to "higher authority" (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes.
"Is it supposed to be secret? My point is that it should be public!"
If I have a list of all the agency numbers, then I can look for organizations that disbanded and use those numbers. Since they could still exist in the book (because it wasn't updated instantly), the other party could think you're legitimate.
"There is simply no reason for a newly-started/merged police department to be able to unilaterally issue an Emergency Data Request, and I say this as a father of three young kids."
How so? For the first year of existence they can't issue anything because they have to wait for the next book to be published. That sounds dumb. There's no reason they shouldn't be able to issue anything they have the lawful authority to issue. Have any support/logic for your claim that they have no reason?
"some new and/or newly-merged and/or micro police force must surely have their local, regional and national-level police forces on speed dial on all their phones. If someone is missing and needs to be found quickly, all they need to do is pick up the phone and reach out to "higher authority" (who can be quickly authenticated, because they definitely have been around for decades), not start acting like the local heroes."
Um... so how does this higher level authority authenticate this lower level authority if they aren't in the book we are using for authentication? In some cases, jurisdiction can get in the way of the scenario you just described. And again, how long are you going to prevent a department from doing what they are lawfully allowed to do?
"This isn't a technical problem, folks"
Ok, then how do you solve the authentication issues in my previous comment? So far your system hasn't addressed them.