On Sat, 11 Nov 1995, Robert Hettinga wrote:
In the real world, there's a trustee/nominee of some sort who does this. What's that to keep that from happening on the net, just like our much maligned (guy's gotta make a living, fer chrissake!) assassination-payoff escrow agent...
Nothing really; It would probably be better to do some sort of secret sharing and use a number of somewhat trusted escrow-agents, but the protocols aren't too complex. For the simple case where the release is time based, you could even make the process totally automatic; just have the escrow agents send off their bits of the key when the time has expired, and voila. As for real time-release - how about just using conventional encryption, and require it to be brute-forced? Depending on how fine grained you want the release to be, you could also take the inverse of Moore's law, work out how big a key you need to have it unbreakable in less than the desired time, add in whatever fudge factors you feel like based on how much it would be worth to the opponent to get early access, then lock up the secret and throw away the key. Simon