Jon Callas <jon@pgp.com> defends:
One of the downsides of cryptography is that if you lose your passphrase (or token, PIN, smart card, or whatever), you've lost your data. My favorite way of expressing this problem is, "if you lose the keys to your car, then you have to get a new car."
This is true but mainly I think for _storage_ keys. PGP is being discussed as an email communications system. It's probably just as likely that your email will disappear down a black hole as that you forget your keys. Your analogy doesn't fit. All you're encrypting is something sent over a fairly unreliable communications link. If you lose the key, well heck you just get the sender to resend it. Happens every day with or without crypto. (So you generate a new key, and get it certified, and publish your revocation cert., if you have one). This is the same mistake that Freeh and company make in arguing for GAK. It's a flawed argument.
This downside is particularly insidious for a number of reasons. First, without fixing that problem, strong cryptography will be in some sort of limbo. You want to use it to protect your valuable information, but you won't want to use it for any information that's *too* valuable, because it's easily lost. Crypto-protected information is fragile, and this fragility could hurt its widespread deployment.
Email itself is pretty fragile, and email is not commonly used for long term storage. (What are PGP are thinking? "gee, how best can we best archive our master source tree ... I know we'll email it to our colleague over here and delete it before I get confirmation it arrived"?).
When they started mumbling along these lines, the privacy community got their own act together and started describing what we believe to be the real solution. This is called "data recovery."
Way I understand "data recovery" is that you have a recovery mechanism for stored data. Like you have backups of the keys for your hard disk driver level encryption program, or encrypted back up program. You either have misunderstood the data recovery argument, or are attempting to rejig it to fit your argument.
When I was at HIP97 this August, I was amused to hear cypherpunks chanting, "Data recovery good, key recovery bad."
I'm pretty sure said cypherpunks were chanting about storage keys: keys for data stored on your disk, as opposed to the GAKkers wanting access to your communications keys.
The essence of data recovery is that focusing on the keys is a canard. If you've misplaced your data, you want the data back, not the keys.
Bingo. And your data is where? On your disk. Not in limbo being passed around the flaky sendmail/mailserver hodge-podge that is Internet mail.
If you've locked yourself out of your car, you want the use of your car, not the just the key. Thus, the solution to encrypted data being fragile is to let people get to the data.
No, no! The simple solution to fragile encryption on fragile communications data is to keep a copy of the email you sent! Encrypt and backup the keys for that all you want, and you won't get any GAK complaints.
If you don't like data recovery, you aren't going to like what we did in PGP 5.5 -- we built a data recovery system.
No you didn't, you built a GAK system.
Data recovery is useful for a number of things. Perhaps you lost your passphrase. Or data might have been encrypted by an employee or co worker who was in an accident.
Yes, and your archives are going to be where? On backup tapes, on an encrypted partition on his hard disk... not in the email system.
(As an aside, fifteen years ago, the architect of a product I worked on was in a severe car wreck. He was not killed, but suffered brain damage and has never returned to work.)
Sad story. I venture to suggest, however, that the product source code was not stored solely in your email box, nor I expect did the last copy of your source tree happen to be en-route in encrypted email which only he had the key for.
Your spouse might need access to financial records.
She might. In which case you might secret split the key to your encrypted partition, your lawyer and her, or whatever.
What makes data recovery different from key recovery? In my opinion, data recovery allows you to get encrypted data without compromising the key of the person who encrypted it.
Nope, that's not it. Data recovery is being able to recover stored data. "Key escrow" and "key recovery" are newspeak terms defined by the GAKkers which mean that they want access to your communications keys. Your response should be to widely field systems using forward secrecy, not to go along and implement GAK for them. [description of PGP GAKware elided] If any PGP employees want a job working for a company which doesn't do GAK, contact me off list, encrypted mail preferred. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`