[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Microsoft & Key Escrow
this is unfortunate -- key escrow is a very good thing as long
as it is not mandated by law.
any reasonable employer concerned about secrecy and recoverability
of his data should use key escrow solutions for their employees'
encryption.
igor
Blake Coverett wrote:
>
> Following are some of the relevent snippets from
> http://www.microsoft.com/intdev/security/export/exporfaq-f.htm.
> The comments in square brackets are mine.
>
> ---cut here---
> What is Microsoft's position on supporting key escrow?
>
> Key escrow encryption is not a market-driven solution and it raises =
> serious privacy concerns for many customers. It is also new, =
> undeveloped, untested, and uncosted, and it will take a long time to be =
> worked out. Additionally, customers have expressed hesitation about =
> mandatory key escrow, especially if they have to give the keys to the =
> government or a government-selected third party. Therefore, we are not =
> actively adding support for key escrow in our products and technologies. =
>
>
> [About as good as we can ask for. I would, however, like that last =
> sentence
> better if the word 'actively' was missing.]
>
> Shouldn't the U.S. government be able to access information that could =
> prevent terrorist acts and crime?
>
> Strong non-key escrow encryption is already available from retail =
> outlets, foreign companies, and off the Internet. Thus the U.S. =
> government is already having--and will continue to have--a harder time =
> in the future accessing plain text regardless of U.S. export =
> restrictions.=20
>
> [I suppose it would be too much to expect a third sentence
> reading. 'This is a good thing.']
>
> What is key recovery? How does it relate to key escrow?
>
> Market-driven data recovery refers to a product feature that allows =
> users to maintain a spare private encryption key in a safe place. =
> Generally, a data recovery system escrows a copy of the session key with =
> the message or file and the user (or perhaps his employer) controls the =
> decision whether to utilize this feature. With key escrow the U.S. =
> government holds or has access to a user's private encryption key.=20
>
> It is not yet clear whether such systems are exportable. In the October =
> 1 announcement, the U.S. government referred to "key recovery" without =
> defining it; in all likelihood, however, they still have in mind =
> government key escrow, and not market-driven data recovery.=20
>
> [Hmm... it's just possible that Microsoft's spin doctors are
> better than those of the US government. Perhaps they can
> sell the world on their definition of 'key recovery' instead of
> the one we know the TLAs intended.]
> ---cut here---
>
> regards,
> -Blake
>
>
- Igor.