From: “Willis H. Ware” <willis@rand.org>
To: Michael Froomkin <froomkin@law.miami.edu>
Message Hash: 00cb1783609fd977f1ded1bdcd448e04f315863605c0add05ceb17ba0743b28a
Message ID: <199510181703.KAA29941@conrad.rand.org>
Reply To: N/A
UTC Datetime: 1995-10-18 17:03:53 UTC
Raw Date: Wed, 18 Oct 95 10:03:53 PDT
From: "Willis H. Ware" <willis@rand.org>
Date: Wed, 18 Oct 95 10:03:53 PDT
To: Michael Froomkin <froomkin@law.miami.edu>
Subject: Re: YOUR chat with Goeff Greiveldinger
Message-ID: <199510181703.KAA29941@conrad.rand.org>
MIME-Version: 1.0
Content-Type: text/plain
--
Folder: YES
--
Michael:
Your message was forwarded to me and I presume to address this mail
list although I would normally not.
If you still have time for adjustments to your talk, let me call your
attention to what I believe to be an awkward semantic ambiguity in the
current dialogue about encryption. I quizzed a few people about usage
of "escrow" and "key escrow" so I have some confidence that the
following facts and argument are valid.
The term "escrow", in the context of cryptography, was introduced by
the so-called Clipper Initiative in the United States, April 1993. It
had not previously been associated with cryptography.
As initially used in association with Clipper, escrow implies [1] a
chip-unique key (equivalent to a chip-unique master-key) used only for
law enforcement access, [2] splitting of the chip key into parts held
by [3] extra-organization trusted third parties, [4] automatic
inclusion of the chip key with every use of the encryption but [5]
protected with yet another secret key embedded in the encryption chip
which is itself [6] protected against reverse engineering or external
access to its details. The concept, at the time of its introduction,
was oriented solely to communications intercept and hence, [7] a "law
enforcement access field" would be a required part of every
transmission. The LEAF contains chip identity which in turn allows
law enforcement to solicit components of the master key from escrow
agents, then to recover the session key and eventually the encrypted
traffic.
NOTE first that this use of the word violates the common legal usage in
which the parties who deposit material with an "escrow agent"
themselves have access to it at some point. In the Clipper use, the
parties obviously do not have access to what the escrow agencies hold.
Subsequently the concept of mimicing the hardware-based Clipper
approach in software arose, and the term "commercial key escrow" was
applied to it. Some of the details are the same as Clipper; in
particular, something is to be held by trusted third parties which, in
some proposals, are called Data Recovery Centers. Some proposals plan
to replicate Clipper by depositing split master keys with trusted
third parties; law enforcement with proper authorization can acquire
the parts of the master key, deduce the actual key used for a given
transmission (i.e., the session key) and so decrypt the traffic.
Other proposals depart from Clipper and plan to store split (or not)
actual session keys with the trusted agents.
NOTE that the observation above that using escrow in the context of
encryption by Clipper violates legal usage is generally invalid for
commercial key escrow. The party which deposits keys with a Data
Recovery Center obviously can access to them.
Inevitably, the concept was extended further to include the possibility
that corporations could retain the keys internally in a specially
trusted part of the organization. Legal entities, such as
corporations, would be subject to extant procedures of the law
enforcement court order or subpoenas to provide the keys under
authorized circumstances. As to be expected, such intra-
organizational protective retention of keys was called by some
escrow, or by others self-escrow. However, the departure from Clipper
was even more extensive because:
o There is probably no need for splitting such keys,
o There probably would be no need for a complex master-key
approach such as embodied in Clipper, and
o There might not need to be a "law enforcement access field" in
externally transmitted messages.
As so often is the case in computer-related matters, the terminology
is not clearly established. One way to clarify it would be:
[A] To confine the term "escrow" to situations in which some key,
split or not, master or session, will be stored with
extra-organizational trusted parties who make keys available only
to law enforcement; but
[B] For the intra-organizational situation or the
extra-organizational situation in which the depositing party can
have access to the keys, adopt the term "archive" or "key
archive".
The term "key backup" might be used in the image of conventional
backups of data bases and files; but the term "archive" or "key
archive" would hopefully avoid confusion.
If one were to follow this taxonomy, then "Commercial Key Escrow",
should be called "Commercial Key Archive" and the process of depositing
keys therein should be called "key archiving."
I would not stand strongly for picking "archive" as an appropriate
term but something different from "escrow" is clearly needed to keep
the dialogue leading to a national crypto-policy precise, unambiguous,
and clean.
Obviously it's your call whether you choose to adopt these semantic
views in your conversations with Geof. At minimum, you should be alert
to loose usage of "escrow" as a concept.
Willis
Return to October 1995
Return to ““Willis H. Ware” <willis@rand.org>”