On Tue, 17 Sep 1996, Timothy C. May wrote:
> However, making the government a _required_ part of such plans implies a motive that is not at all the same as what companies wish (mostly, disaster recovery).

The required part will come later. Meanwhile, many big players in the industry are volunteering to include GAK for you. When I asked the fellow from HP that proposed the CommerceNet position paper how the "voluntary key recovery" he was proposing on his slides could possibly aid law enforcement against criminals who obviously wouldn't "escrow" their keys, he said, and I am not kidding: "There are many possible interpretations of the words voluntary and mandatory." I was the *only* person in a room full of people working in the industry that seemed bothered by this.

> Furthermore, the main worry (for me, at least) is that the government hopes to get its Clipper IV scheme accepted (by means of export laws) at some large fraction of important corporate accounts, not the least of which will be Netscape, Microsoft, IBM, Oracle, Qualcomm, and suchlike major players in the "infrastructure" business. Once most of these have "bought off" on GAK, pressure will be intense to universalize the process, to make it a felony _not_ to use a "Key Authority."

That's exactly how it will be.

> (BTW, I predict that the tainted term "key escrow" is now gone from the official lexicon. I haven't seen the Clipper IV proposal, but I surmise that the baggage the term "key escrow" carries means that some more benign-sounding term will be used in the final proposal. Something like "Key Recovery System." You heard it here.)

Correct. As I explained in my post from the CommerceNet meeting in D.C., "key recovery" is the new politically correct term for GAK.

--Lucky