On Sun, 15 Oct 1995, Black Unicorn wrote:
> Effectively the potential for misuse is increased by virtue of the increased numbers of officials (commercial and public) who have access to the material.
Does he mean mandatory commercial key escrow (as in Clipper keys held by credit agencies?) Or something totally voluntary but standardized by the gov?

*Rant mode on* I've heard cracking into Equifax and TRW is considered a rite of passage in the phreaker crowd. The security would have to be *damn* tight (as in forget it) for it to be trustworthy. And since it would probably be the big three credit rating agencies (I forget the other one), their track record is not reassuring. I don't see these people securely using crypto throughout the entire org (in such a large org) in the future if they don't already. Seeing my key sold to Son of Blacknet(LD) by Sons of Mitnick is not reassuring.

For that matter, what sort of databases would they consider holding this on? And how easy would it be for the general public to get access to their key, to verify for accuracy and revoke compromised keys? (big prob with the credit rating agencies) Who would be allowed (if anyone) or mandated (depending on which scheme) to certify the security? If NSA is mentioned, one might also point out the job Matt Blaze did on their Clipper. Bad production values don't make for good public security.

Of course it all depends on exactly why they really want the escrow anyway. If people will encrypt a second time with tomorrow's PGP, why should anyone care? All you'd single encrypt for would be your income tax and the financial records you're already required by law to keep (I'm sure I've misunderstood this. Can't be so useless.). I know that's not a particularly diplomatic carry-over from the debated-to-death Clipper thing, but really, except as PR, why DO they still take this seriously? (unless you want to be paranoid about a ban, hmm, never mind, debated-to-death)

Speaking of organizational crypto, anyone know what the scheme used in Notes is? I know there's RSA... This seems rather more useful to examine than MS's browser, considering corporations are making it a standard for groupwork. All you'd get on a browser would be credit no's and maybe e-mail. Notes nets might carry the entirety of a company's docs and work in progress. They do export it, right? Weakened foreign version or one 40-bit key version for everyone? How about Novell NetWare? (Yeah, I do realize most folks don't have it, neither do I. A free client would be very nice, Mr. Gerstner, for everyone.)