
[I'm sure all the points I'm making are really old news, but the fact remains that I do not see distributed private key escrow applications, infrastructure, or advocacy, and I think there should be some.]

On Fri, 26 Jan 1996, Lynne L. Harrison, Esq. wrote:

> The following was posted to another list. Has anybody heard about this? [Gee, I _wonder_ if there will be escrowed keys...]
>
> ******Begin Forwarded Message*********
>
> I just read in "legal.online" that the Postal Service plans to provide secure email service. It will include encryption plus offer U.S. mail fraud protection. Of course there is no estimate on cost.

Of course it will be escrowed. It will probably have other back doors too. The customers will demand it.

Most normal people don't want unescrowed strong cryptography. If they forget their password, they want a way to get their stuff back. If they die, they don't want their thoughts to die with them. They don't plan to commit a major felony or, worse, run for public office, so the prospect that a government (or someone else) will subpoena or strong-arm the keys isn't a serious problem.

I see no problem with this. The problem is *government* key escrow, especially *exclusive* government key escrow, which has none of the recoverability benefits that the average clueless user would want associated with key escrow.

I'd like to see strong crypto that supports distributed key escrow by default (of course there should be a way to turn it off). Give parts of your key to, say, ten people, and require that eight must concur in order to break into your stuff.

I would have few objections to a *properly drafted* law requiring widely distributed key escrow *for certain applications*. It's certainly bad to require escrow in two Federal clearing houses, and we'd have to think hard about requiring that key escrow agencies be licensed and regulated. In order to intercept my private communications, the government would need to subpoena the people I trust, not itself.

I'd feel secure, and in fact *better* than I feel about unescrowed strong crypto, if my private stuff could be cracked by either myself in good mind and body, or a combination of at least eight of:

1. My boss
2. My best friend
3. My parents
4. The FBI (they get *one*, and the reason is to make it tougher for nasty non-government bodies to strong-arm enough parts of my key)
5. The California Department of State (as above)
6. The Cypherpunk Escrow Agency in Berkeley
7. The Cypherpunk Escrow Agency in the Cayman Islands
8. The corner 7-11
9. Mail-order Escrows-R-Us
10. TRW

Gives a whole new meaning to the term "web of trust." By offering a piece of your key, you're entrusting a part of your life; and by accepting a piece of someone's key, you're agreeing to defend it with yours (life or key, whatever -- presumably you would encrypt the keys you're escrowing in your own escrowed key, which can be brute-forced in several ways).

I'd like to see spring up a whole industry of both mom & pop and institutional key escrow agents.

In a way, it's kinda like those silly cryogenics people who freeze their heads in the hopes of rising from the dead. The only way my private thoughts can survive my death, senility, or a really sharp blow to the head is escrow. And *I* think that at least some of the things I would normally keep to myself are worth preserving. Sure the world would survive without them, but we're talking about my ego here.

-rich