« Special circumstances requiring disclosure of a key paras 6.3 to 6.8 | Main | KEEPING OF RECORDS paras 7.1 to 7.3 »

Notices requiring disclosure of a key paras 6.9 to 6.15

Notices requiring disclosure of a key

6.9 Where a direction has been given that a notice can be complied with only by disclosure of a key, the notice must clearly state that the person on whom the notice is served may choose which key to disclose. The only requirement is that the key is capable of rendering the protected information intelligible.

6.10 Where a disclosure requirement is imposed on any person by a section 49 notice and:

  • that person is not in possession of the information (either because they do not have the information, have not acquired the information or cannot be given possession);
  • that person is incapable, without the use of a key that is not in his (or her) possession, of obtaining access to the information and of disclosing it in an intelligible form (or so disclosing it), or
  • the notice states that it can only be complied with by the disclosure of a key to the information

the effect of imposing that disclosure requirement is that the person given the notice shall be required, in accordance with the notice imposing the requirement, to disclose any key to the protected information that is in his (or her) possession at a relevant time, that is the time when the notice is given or any subsequent time before the time by which the disclosure requirement has to be complied with.

6.11 Where a person has been given notice requiring that a key be disclosed, he (or she) may choose which key or keys to disclose together with any other requested relevant details of the cryptographic methods in use, including the relevant algorithm. The information given should be sufficient to allow the person giving the notice or the person to whom disclosure is required to be made to put the protected information described in the notice into intelligible form.

6.12 The recipient of a notice may disclose an alternative key such as a 'session key' if it enables the same access or functionality as an underlying true key would have enabled

6.13 No person shall be required to disclose any key or keys other than those which are sufficient to enable the person giving the notice or the person to whom disclosure is required to be made to put the protected information described in the notice into intelligible form - even if the person given notice to disclose a key is in possession of more than one key to that information.

6.14 The person given notice is able to comply with a requirement to disclose a key without disclosing all of the keys in his (or her) possession and where there are different keys, or combinations of keys, that would enable compliance with the notice, the person given notice may choose which key or combination of keys to disclose.

6.15 Where a person is required by a section 49 notice to make a disclosure in respect of any protected information and that person:

  • has had possession of the key to the protected information but no longer has possession of it;
  • would have been required by the notice to disclose the key if it had continued to be in his (or her) possession, and
  • when given the notice, or within the time by which the notice must be complied with, is in possession of any information that would facilitate the obtaining or discovery of the key or the putting of the protected information into an intelligible form;

the effect of the disclosure requirement is that he (or she) shall be required to disclose all such information to the person to whom he (or she) would have been required to disclose the protected information in an intelligible form or the key. In other words to disclose anything they have that assists putting the protected information into an intelligible form.

Comments

Most people will never be able to disclose a "session key", which is, for the most part, something that happens automatically, and invisibly to most users of cryptographic programs and transport protocols.

Post a comment