[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TIS--Building in Big Brother for a Better Tommorrow




Steve Walker wrote to John Young:

(large piece snipped; good stuff though.)

   +  Suppose the U.S. government had never thought of placing
      export controls on cryptography...

      We would now have widespread use of encryption, both
      domestically and worldwide; we would be in a state of
      "Utopia," with widespread availability of cryptography
      with unlimited key lengths. But, once in this state, we
      will face situations where we need a file that had been
      encrypted by an associate who is unavailable (illness,
      traffic jam, or change of jobs). We will then realize
      that we must have some systematic way to recover our
      encrypted information when the keys are unavailable.

      When we add a user-controlled key recovery capability to
      our Utopia, we find ourselves in an "Ultimate Utopia,"
      with unlimited key length cryptography, widely available
      through mass market applications, and user-controlled
      key recovery.

The first paragraph here bothered me.  If a user (or an organization)
needs to have access to data that was encrypted by an associate ( or one
of its employees) wouldn't sound practice require that the key not be
entrusted to just one person?  I don't see the need for any fancy
"key-recovery" protocol with any outside entities.  We can handle this
internally in my shop.  Some keys I give a copy to Alice, and down the
hall Bob has some, too.  If I get hit by the bus, they can get my company 
related data back.  We don't need any "service" or "licensee" or "trusted 
third party" or any of that, thank you very much.  And we don't need any 
one developing OTPs for us either, and we don't need government agencies 
keeping copies of any of our keys.

Am I in the state of utopia already, is this what "user controlled key 
recovery" means?  I think it's just common sense and sound management 
practice.  If you know that your co-worker/colleague/summer intern, etc 
is encrypting your business related data, you should make sure you can 
get it back if she doesn't come back from lunch.  Let her keep her own 
PGP passphrase, though. That's her business.
--
I am now going to push a button and cause this to quantumly re-assemble 
in California.  Really two buttons (Ctrl-X). One observes, one measures.
--
send message body: "unsubscribe cypherpunks yourmailbox@domain"  to: 
[email protected] to drop off the list. Don't put it in quotes, tho.