
Re: proposal: commercial data recovery

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam:

First, let me state some overriding design goals of a data recovery system
required to ensure privacy: the sender must know and consent to every key
that will be able to read the message during its lifetime, the encryption
must be end-to-end, and the recipient must know exactly who else can
decrypt the message.  The sender's privacy is paramount as it is their data
which is being trusted to the system.  These are basic principles not only
of a data recovery system, but for any cryptosystem.

The design you have been espousing for the last week or so in your many
messages takes the power out of the hands of the sender and encourages
automated violations of the sender's privacy by the recipient (perhaps even
unbeknownst to the recipient).  In your model, the recipient automatically
decrypts and then re-encrypts to a data recovery key -- even though
end-user computers are likely to be insecure, thus making this decrypt &
re-encrypt step rather specious at best.  The only information the sender
has before sending the message is "your message might be able to be read"
by someone else, or more likely no information whatsoever as there is no
need to put such information in the protocol as far as the format is
concerned.  Either way, the sender is thus easily led into a false
assumption of security.  The encryption is not end-to-end but rather is
completely unwrapped in the middle and then rewrapped, introducing serious
security flaws, and the sender has no idea to whom the message will be
auto-re-encrypted by the receiver.

As an actual data recovery system, it also fails fundamental tests.  If I
encrypt critical data to a colleague wiping it from my system after
sending, then the colleague is incapacitated before receipt and processing
of the message, the data can never be retrieved.  A data recovery system
must solve this kind of issue -- data recovery here means that from
end-to-end the data is recoverable in case of emergency.  One cannot ignore
message transit time in this -- it can take days for a message to travel
from AOL to the outside world.  If you don't need data recovery, don't use
it, but at least respect the people who do need it and need it to actually
work at all points.

>With these three principles you still have lots of flexibility because
>you can escrow storage keys

I'm truly amazed that you would attack in such a spiteful fashion a simple
system which adds a recipient-requested, sender-approved extra recipient
which is end-to-end wherein all recipients are under the sender's control
and each recipient knows who can read the message with no key escrow using
the same old PGP message format we all know and love without change, and
yet you propose a much less secure system which allows hiding critical
information from the sender and does not adequately perform its stated
purpose of data recovery.

- -Will


Will Price, Architect/Sr. Mgr.
Pretty Good Privacy, Inc.
555 Twin Dolphin Dr, Ste.570
Redwood Shores, CA 94065
Direct (650)596-1956
Main   (650)572-0430
Fax    (650)631-1033
Pager  (310)247-6595
[email protected]
Internet Text Paging: <mailto:[email protected]>
<pgpfone://clotho.pgp.com>
<http://www.pgp.com>

PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x5797A80B>


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5

iQA/AwUBNESODay7FkvPc+xMEQIVuACfZwywDZSvGlsxefZuTyO6A+TFxlUAn39a
0FkpIVd4jcAIYpVNpIpofdSB
=nj0q
-----END PGP SIGNATURE-----
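The two architectures argued over in this thread can be made concrete with a small simulation. The following is an added example written for this archive page, not code from the original post, from PGP, Inc., or from any PGP release. It models a PGP-style message as a set of per-recipient encrypted-session-key packets plus a body encrypted under the session key, and compares the sender-approved extra recipient (the design the post defends) with recipient-side decrypt-and-re-encrypt (the design it criticises) on the two points the post raises: whether the sender can see every key that can read the message, and whether the data is recoverable while the message is still in transit. The "public-key" wrap is a deliberately simple keyed-hash stream cipher standing in for real asymmetric encryption; the key names, message class and helper functions are all constructed for this example and appear nowhere in the original.

```python
"""Toy model: sender-approved extra recipient vs. recipient re-encryption.

Constructed for illustration only. `wrap`/`unwrap` use a BLAKE2b keyed-hash
keystream as a stand-in for public-key encryption so the example runs
offline with the standard library; the architecture, not the primitive,
is the point.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Key:
    key_id: str    # stands in for a PGP key ID visible in the message
    secret: bytes  # stands in for the private key (32 bytes)


def _stream(secret: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n keystream bytes from (secret, nonce) with keyed BLAKE2b."""
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hashlib.blake2b(block, key=secret, digest_size=32).digest()
        counter += 1
    return out[:n]


def wrap(key: Key, plaintext: bytes) -> bytes:
    """Encrypt plaintext to `key` (toy stand-in for a public-key operation)."""
    nonce = os.urandom(16)
    ks = _stream(key.secret, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unwrap(key: Key, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _stream(key.secret, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


@dataclass
class Message:
    # key_id -> session key wrapped to that key, like PGP's per-recipient
    # encrypted-session-key packets; every reader is visible here.
    esk_packets: Dict[str, bytes]
    body: bytes  # plaintext encrypted under the session key

    def readers(self) -> List[str]:
        """Who can decrypt this message, as recorded in the message itself."""
        return sorted(self.esk_packets)


def encrypt(plaintext: bytes, recipients: List[Key]) -> Message:
    session_key = os.urandom(32)
    packets = {k.key_id: wrap(k, session_key) for k in recipients}
    body = wrap(Key("session", session_key), plaintext)
    return Message(packets, body)


def decrypt(msg: Message, key: Key) -> bytes:
    if key.key_id not in msg.esk_packets:
        raise PermissionError(f"{key.key_id} cannot read this message")
    session_key = unwrap(key, msg.esk_packets[key.key_id])
    return unwrap(Key("session", session_key), msg.body)


# Design A (defended in the post): the sender adds the recipient-requested,
# sender-approved recovery key as an ordinary extra recipient. End-to-end;
# the message lists every key that can read it.
def send_with_extra_recipient(pt: bytes, recipient: Key, recovery: Key) -> Message:
    return encrypt(pt, [recipient, recovery])


# Design B (criticised in the post): the sender encrypts only to the
# recipient; the recipient's software decrypts and re-encrypts on receipt.
def send_plain(pt: bytes, recipient: Key) -> Message:
    return encrypt(pt, [recipient])


def recipient_reencrypt(msg: Message, recipient: Key, recovery: Key) -> Message:
    """Plaintext is exposed on the recipient's machine during this step."""
    return encrypt(decrypt(msg, recipient), [recipient, recovery])


def recoverable_in_transit(msg: Message, recovery: Key) -> bool:
    """Can the recovery key read the message before the recipient acts?"""
    try:
        decrypt(msg, recovery)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    bob = Key("bob", os.urandom(32))
    recovery = Key("corp-recovery", os.urandom(32))
    doc = b"critical data, sender's copy wiped after sending"
    a = send_with_extra_recipient(doc, bob, recovery)
    b = send_plain(doc, bob)
    print("Design A readers visible to sender:", a.readers())
    print("Design A recoverable while in transit:", recoverable_in_transit(a, recovery))
    print("Design B readers visible to sender:", b.readers())
    print("Design B recoverable while in transit:", recoverable_in_transit(b, recovery))
```

Under design A the sender sees both key IDs in the message and the recovery key can open it at any point in its lifetime, including while it sits in transit with the recipient incapacitated. Under design B the sender's message records a single reader, the recovery key cannot open it until the recipient's machine has run `recipient_reencrypt`, and the plaintext passes through that machine in the clear during the step.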