[Top] [All Lists]

Re: Just say NO to key escrow or CMR/ARR revisited

1997-11-04 14:27:41

Gene Hoffman <hoffmang(_at_)pgp(_dot_)com> writes:
On Tue, 4 Nov 1997 mark(_at_)unicorn(_dot_)com wrote:

At the same time, it builds a 'feature' into every copy 
of PGP which could at some point in the future be used to provide
government access to messages by forcing users to encrypt to a government
key. This, to Adam and others (including me), is so great a risk that 
we'd much prefer key escrow or an alternate system. 

Building a key escrow system would do exactly the same thing. Putting in
place the infrastructure for automated enterprise wide key escrow to a
corporate key would mean building a technology infrastructure at exactly
the same risk. 

Jon Callas stated earlier that some pgp 5.0 for business customers
were already escrowing keys (signature keys included ouch!)  All that
needs to be done to fix this is to provide a menu option to copy
backups of only company use encryption keys to floppy (presumably
encrypted to a selected company escrow key).

This could be implemented by PGP Inc or other vendors outside of the
OpenPGP standard.

An international standard which includes support for message recovery
(CMR) is dangerous.  All you would have done with the local recovery
system I discuss above is to minimize the risks of forgery inherent in
escrowing signature keys.  All you would be doing is building support
for what companies will do anyway.  You can minimise privacy risks by
providing a personal use encryption subkey which is not escrowed by
this operation.

Even with CMR companies will probably escrow keys because the
ergonomics of recovering from lost passwords with CMR are poor
(re-encrypt all encrypted files on disk, floppy, backup tapes, etc).
Users frequently forget passwords (as unix sysadmins will confirm).  I
suspect CMR will get you many tech support calls at PGP -- user's
forgotten password, are you seriously telling us we've got to
re-encryt all this data (megabytes scattered over write once CDs,
tapes, harddisk, floppies, inside .ZIP archives etc).  Not pretty.

A government could just as easily say, "Thou shalt escrow to the FBI
key and send it to central storage" as they could corrupt CMR to say
"Thou shalt encrypt to the FBI key."

They could indeed do this.  However local escrow is harder to abuse
than CMR because:

- it is logistically harder to organise collection of millions of keys
  than it is to publish one NSA owned key

- especially when companies use different techniques locally

Mark's point that CMR builds a feature which can be used for escrow
into every copy of PGP is also good.  He's referring to the fact that
all versions of pgp5.x to date (pgp5.0, and pgp5.5 for both personal
and company use) include support to make it easy for users to comply
with demands for escrow.  

For example, say you are using pgp5.0 for personal use in the US, and
you get a message from a French user where the French government have
installed mandatory CMR (I suppose that would be GMR), with the master
CMR key held by SCSSI.  pgp5.0 helps you to comply with that request,
and the CMR design simplifies the French governments task.  If the
French government wants to escrow user keys, let them work out the
logistics of collecting all their citizens keys themselves without any
help from PGP, or the OpenPGP standard.  If you want bonus
crypto-anarchic brownie points build forward secret transport level
security -- that'll slow down governments.

Corporations are going to want central, encrypted escrow if PGP, Inc. 
were to go that way.

If that is the corporations mentality I suspect they will have one
single master CMR key also, and that they will turn on the strict
policy enforcer flag.  I also suspect they will escrow the user
private keys just to ease recovery -- users forgetting passwords is
common, and CMR does not allow easy recovery from this.

Now officially an EAR violation...
Have *you* exported RSA today? -->

print pack"C*",split/\D+/,`echo "16iII*o\U(_at_){$/=$z;[(pop,pop,unpack"H*",<>