I am seeing a lot of messages in a lot of forums from IETF-ers denouncing
the evils of 'key escrow' and 'key recovery'. While these sentiments are
well intentioned, I would like people to be more precise with their
language. In particular, people need to be precise in distinguishing 'Key
Recovery' and 'Mandatory Key Recovery' and especially careful not to
ascribe opinions to the IETF or the IETF security folk.
The issue with key recovery is consent and who has access to the keys, not
whether key recovery is desirable.
If you are going to encrypt your pictures of the children when they were 2,
you really don't want to find out that you can't read them any more because
the decryption key has been lost. For 99.9% of users, the ability to
guarantee access to their data is a vastly higher priority than frustrating
government surveillance efforts.
Looking over the history of the first cryptowar, I think that we made a
massive tactical mistake early on in deciding that the primary objective
was to block Louis Freeh's powergrab at all costs and design technology
accordingly. One consequence of that approach was to make the technology as
incompatible with key recovery as possible, another was to demand
end-to-end encryption or nothing.
The result was a pyrrhic victory. We won the battle, but as we have
recently found out we lost the war, and decisively. Presenting end users
with a choice of perfect security (according to our criteria) or nothing,
the users chose nothing. And yes, I fully accept that I was as much to
blame for that as anyone else.
So over the past couple of years I have been putting together a redesign of
end-to-end secure email (and other applications) and recognizing that real
users demand that there is absolutely no chance of them losing their
precious data, I have built in key recovery at the ground floor. Every
personal profile in the mesh has at least one key recovery key defined.
Every time a keypair for static encryption is created, a key recovery block
is created and escrowed.
If anyone is telling Congress that Key Recovery can't be made to work, they
are completely wrong. I have the code to prove it.
The Mesh supports Key Recovery but it does not meet the goals of mandatory
key recovery. Nor is it possible to meet such goals. While the reference
code always generates a key recovery block when a keypair for static
encryption is created, there is absolutely no way to know if the private
keydata that has been escrowed actually corresponds to the public key that
is in use. Nor is there any way I can extend the system to enforce a
mandatory key recovery system without relying on technology that does not
exist today and is about as likely to exist as technology for teleportation
or telepathy.
This is the reason why it is important to be precise with language, it is
not the 'key recovery' part that is hard, it is the 'mandatory' part.
People can and do leave keys under the mat for themselves, it is being
required to do so for the use of the federal police and intelligence agency
that creates the problems.
In short:
Key Recovery is like sex, you can live without it but you really don't want
to try.
Mandatory key recovery is key recovery without knowledge, consent or
control.