-- Folder: YES -- Michael: Your message was forwarded to me and I presume to address this mail list although I would normally not. If you still have time for adjustments to your talk, let me call your attention to what I believe to be an awkward semantic ambiguity in the current dialogue about encryption. I quizzed a few people about usage of "escrow" and "key escrow" so I have some confidence that the following facts and argument are valid. The term "escrow", in the context of cryptography, was introduced by the so-called Clipper Initiative in the United States, April 1993. It had not previously been associated with cryptography. As initially used in association with Clipper, escrow implies [1] a chip-unique key (equivalent to a chip-unique master-key) used only for law enforcement access, [2] splitting of the chip key into parts held by [3] extra-organization trusted third parties, [4] automatic inclusion of the chip key with every use of the encryption but [5] protected with yet another secret key embedded in the encryption chip which is itself [6] protected against reverse engineering or external access to its details. The concept, at the time of its introduction, was oriented solely to communications intercept and hence, [7] a "law enforcement access field" would be a required part of every transmission. The LEAF contains chip identity which in turn allows law enforcement to solicit components of the master key from escrow agents, then to recover the session key and eventually the encrypted traffic. NOTE first that this use of the word violates the common legal usage in which the parties who deposit material with an "escrow agent" themselves have access to it at some point. In the Clipper use, the parties obviously do not have access to what the escrow agencies hold. Subsequently the concept of mimicing the hardware-based Clipper approach in software arose, and the term "commercial key escrow" was applied to it. Some of the details are the same as Clipper; in particular, something is to be held by trusted third parties which, in some proposals, are called Data Recovery Centers. Some proposals plan to replicate Clipper by depositing split master keys with trusted third parties; law enforcement with proper authorization can acquire the parts of the master key, deduce the actual key used for a given transmission (i.e., the session key) and so decrypt the traffic. Other proposals depart from Clipper and plan to store split (or not) actual session keys with the trusted agents. NOTE that the observation above that using escrow in the context of encryption by Clipper violates legal usage is generally invalid for commercial key escrow. The party which deposits keys with a Data Recovery Center obviously can access to them. Inevitably, the concept was extended further to include the possibility that corporations could retain the keys internally in a specially trusted part of the organization. Legal entities, such as corporations, would be subject to extant procedures of the law enforcement court order or subpoenas to provide the keys under authorized circumstances. As to be expected, such intra- organizational protective retention of keys was called by some escrow, or by others self-escrow. However, the departure from Clipper was even more extensive because: o There is probably no need for splitting such keys, o There probably would be no need for a complex master-key approach such as embodied in Clipper, and o There might not need to be a "law enforcement access field" in externally transmitted messages. As so often is the case in computer-related matters, the terminology is not clearly established. One way to clarify it would be: [A] To confine the term "escrow" to situations in which some key, split or not, master or session, will be stored with extra-organizational trusted parties who make keys available only to law enforcement; but [B] For the intra-organizational situation or the extra-organizational situation in which the depositing party can have access to the keys, adopt the term "archive" or "key archive". The term "key backup" might be used in the image of conventional backups of data bases and files; but the term "archive" or "key archive" would hopefully avoid confusion. If one were to follow this taxonomy, then "Commercial Key Escrow", should be called "Commercial Key Archive" and the process of depositing keys therein should be called "key archiving." I would not stand strongly for picking "archive" as an appropriate term but something different from "escrow" is clearly needed to keep the dialogue leading to a national crypto-policy precise, unambiguous, and clean. Obviously it's your call whether you choose to adopt these semantic views in your conversations with Geof. At minimum, you should be alert to loose usage of "escrow" as a concept. Willis