Commercial Key Escrow?
Does anyone know of a company that provides a commercial key escrow service? Eric
At 11:08 AM -0800 1/20/06, ericm@lne.com wrote:
Does anyone know of a company that provides a commercial key escrow service?
Prolly don't wanna call it that around here :-), but most commercial public key applications have that feature, or the functional equivalent thereof. PGP, for instance, allows for the mandatory secondary-encryption of all messages using a corporate key. Cheers, RAH -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Fri, Jan 20, 2006 at 03:43:00PM -0500, R. A. Hettinga wrote:
At 11:08 AM -0800 1/20/06, ericm@lne.com wrote:
Does anyone know of a company that provides a commercial key escrow service?
Prolly don't wanna call it that around here :-)
I assume that readers of this list know the difference between commercial key escrow and GAK.
, but most commercial public key applications have that feature, or the functional equivalent thereof.
PGP, for instance, allows for the mandatory secondary-encryption of all messages using a corporate key.
I'm looking for someone who provides an actual commercial key escrow service, not double encryption with a master key. The usual offsite data storage outfits are set up to deal with large volumes of not so sensitive data, not small amounts of very sensitive data. They also disclaim any responsibility for the security of the data, which won't work for this application. Eric
At 1:26 PM -0800 1/20/06, ericm@lne.com wrote:
I'm looking for someone who provides an actual commercial key escrow service, not double encryption with a master key.
One would think that the effect, being the same, creates a distinction without a difference? Cheers, RAH -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
On Fri, Jan 20, 2006 at 04:38:56PM -0500, R. A. Hettinga wrote:
At 1:26 PM -0800 1/20/06, ericm@lne.com wrote:
I'm looking for someone who provides an actual commercial key escrow service, not double encryption with a master key.
One would think that the effect, being the same, creates a distinction without a difference?
In some cases, yes. But not for this application. I really am looking for a commercial trusted third party to hold keys. I've found a bunch of references from ~10 years ago that say that someday commercial key escrow will be prevalent but it appears that someday hasn't yet arrived. My problem is in many ways similar to the problem a CA would face in ensuring business continuity in a business that depends on keeping secrets. What does say Verisign do to back up their root CA private keys? They probably have a bunch of BBN SafeKeypers (or rather the modern equivalent FIPS-140 hardware). What if all of them croak at the same time? Do they keep multiple backups? What happens if the keys/passphrases for those backups are lost? Or secret sharing? What if N-(K+1) shares are destroyed? Do they just quit the CA business then? There presumeably are scenerios under which that is the only answer, and Verisign has judged their possibility to be so remote and/or their solution cost so high that they are not worth defending against. What would Verisign do if they didn't have security experts to decide what's an acceptable risk and what isn't, and instead just wanted to have someone else deal with the problem for them? Eric
participants (2)
-
ericm@lne.com -
R. A. Hettinga