CDR: RE: Zero Knowledge changes business model (press release)

Carskadden, Rush carskar at netsolve.net
Wed Nov 1 14:54:55 PST 2000


I remember running into a case where there was a system in place that worked
somewhat like an encrypted CVS system. There was a central document czar,
like you said, and when he left, the company realized how foolish it was to
put a single employee in charge of the key. So then (not seeming to have
truly learned from their mistakes) they gave copies of the new private key
to members of the executive team. Then an executive left. I will not soon
forget hearing of thousands of pages of documentation being systematically
decrypted with the old key, and re-encrypted with a new key. The process
apparently took quite an amount of time. I also remember my squeamishness
about the fact that the CVS-like system was designed to encrypt and decrypt
on the fly based on some cheesy authentication, so as to provide a way to
maintain this system without having to talk to the key holders every time
you needed to make a change. The entire system was a big messy nightmare,
and when considered carefully, really didn't provide much in the way of
security. It would have been much easier for them to put a system in place
that required multiple people to sign off on a document for it to be
encrypted or decrypted. I took a lot of notes at the time on how I thought
this sort of system could be implemented... I should dig it up and see what
I was thinking.

ok,
Rush

-----Original Message-----
X-Loop: openpgp.net
From: Eric Murray [mailto:ericm at lne.com]
Sent: Wednesday, November 01, 2000 3:21 PM
To: Multiple recipients of list
Subject: Re: Zero Knowledge changes business model (press release)



On Wed, Nov 01, 2000 at 03:56:56PM -0500, David Honig wrote:
> 
> At 12:13 PM 10/31/00 -0500, Tim May wrote:
> >How about:
> >
> >-- no key escrow, no split keys, no trusted third parties
> 
> I don't see any way around the fact that some companies will want to have
> key escrow of some form for employees who disappear, e.g., car accident,
> pickpocket stole the key-carrier, etc.  I think companies will want this
> because of the risks of financial damage to the company.
> 
> Although it's hazardous if done wrong [cf recent PGP problems], is
> tarnished by the Fedz/Denning/etc, and might have no use in a personal
> privacy tool (your diary dies with you), isn't it too dogmatic to rule out
> key escrow for tools intended for use by groups? 
> 
> Are there equivalent methods which don't use escrowed keys, which I
> am unaware of?  

I believe it was Eric Hughes who at a Cypherpunks meeting about four
years ago, said "the solution isn't key escrow, it's document escrow".
Which makes sense; a business doesn't (or shouldn't) allow employees
to keep a single copy of an important document on their hard drive.
It should be replicated in other known places in case of disaster (drive
failure, stolen computer, employee hit by bus, etc).  Just because
documents are encrypted doesn't mean that this practice is abandoned.

One can envision a system where there's a corporate "document czar" who
is regularly given docs from various employees and who then encrypts them
in his own key.  When and where the docs get decrypted is determined by
corporate policies.  No key escrow required.

I don't know of any existing system like this, but formal corporate
document control isn't my field.

-- 
  Eric Murray           Consulting Security Architect         SecureDesign LLC
  http://www.securedesignllc.com                            PGP keyid:E03F65E5
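As an added illustration of the two designs discussed above (Rush's "multiple people must sign off" system and Eric's single document czar), not code from either poster: a Shamir k-of-n split of a key-encryption key (KEK) among executives, so no single key holder exists and a departure is handled by rotating the KEK and re-sharing it. It assumes the envelope layout the thread implies (per-document keys wrapped under the KEK), which is what makes rotation a re-wrap of small keys rather than a re-encryption of thousands of pages; the 3-of-5 quorum and the KEK values are constructed for the example.

```python
import secrets

# Field prime for the shares (the secp256k1 base-field prime; any prime
# larger than the secret would do).
PRIME = 2**256 - 2**32 - 977


def split_secret(secret, threshold, holders):
    """Shamir split: `holders` shares, any `threshold` of which rebuild `secret`."""
    if not 1 < threshold <= holders or not 0 <= secret < PRIME:
        raise ValueError("bad threshold/holder count or secret out of range")
    # Random polynomial of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); yields garbage below threshold."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    """3-of-5 executive quorum over a constructed KEK, then one executive departs."""
    kek = secrets.randbelow(PRIME)        # constructed KEK; per-document keys wrap under it
    shares = split_secret(kek, 3, 5)      # one share per executive, no single key holder
    quorum_ok = recover_secret(shares[:3]) == kek == recover_secret(shares[2:])
    two_fail = recover_secret(shares[:2]) != kek   # two signers are not enough
    # Executive 2 leaves: rotate the KEK, re-wrap only the per-document keys
    # (the document bodies are untouched), and re-share as 3-of-4 among the rest.
    new_kek = secrets.randbelow(PRIME)
    new_shares = split_secret(new_kek, 3, 4)
    departed = shares[1]                  # the leaver's old share is now worthless
    old_share_useless = recover_secret([departed, new_shares[2], new_shares[3]]) != new_kek
    return {"quorum_ok": quorum_ok, "two_fail": two_fail,
            "old_share_useless": old_share_useless}


if __name__ == "__main__":
    print(demo())
```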
