From: Jon Callas <jon@pgp.com>
To: ietf-open-pgp@imc.org
Message Hash: 81e2d76ed45a01a9b1fd16792843fc8cec33976e80e9419d6bcd8e50ab752eef
Message ID: <3.0.3.32.19971010145353.00ad9330@mail.pgp.com>
Reply To: N/A
UTC Datetime: 1997-10-10 22:07:04 UTC
Raw Date: Sat, 11 Oct 1997 06:07:04 +0800
From: Jon Callas <jon@pgp.com>
Date: Sat, 11 Oct 1997 06:07:04 +0800
To: ietf-open-pgp@imc.org
Subject: Why Corporate Message Recovery isn't Key Escrow
Message-ID: <3.0.3.32.19971010145353.00ad9330@mail.pgp.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A number of people have asserted that the Corporate Message Recovery
feature is
key escrow. From where I sit, the difference is easy to see. My definition of
"key escrow" is that another person or organization keeps a copy of the user's
secret key.
Here's an example, based on actual customers who use key escrow to manage
their
data:
This corporation uses PGP for a number of things. Email, engineering plans,
CAD
drawings, and so on. They've done so at least since the days when we were
Viacrypt, and I believe they even used PGP 2.x.
When an employee arrives at this company, they create a key pair for the new
employee, hand it to them on a floppy, keeping a duplicate floppy with the
keypair on it, which they toss into a safe. Literally. This is key escrow.
They
do this because they can't afford to lose their files and messages. Their
policies require them to keep the secret keys, as if they were the same as
keys
to offices or file cabinets.
I don't know about you, but I'm appalled. Nonetheless, they're our
customers. In
spite of inheriting them, we have a responsibility as businesspeople to at
least
listen to their concerns.
- From our standpoint, the issue gets even touchier. They don't like what
they're
doing, and they want us to give them a better way to manage their data. Does
anyone really believe that only moral response is to flinch and turn away?
I'd like to be in a situation where I didn't have to deal with this. Wanna
trade
positions? I'll sit over there and cluck my tongue about how adding an extra
recipient weakens security while you figure out how to help these folks out of
the mess they're in. While you're at it, I'll pen a few lines about how giving
clean needles to addicts undermines society, and handing out condoms
encourages
kids to have sex. Trust me, it's less nerve-wracking than what we have to
do to
solve this problem, which involves running through hypothetical scenario after
hypothetical scenario, balancing the user's privacy against the organizations
property rights, the privacy and property rights of one organization against
that of another, and so on.
Corporate Message Recovery isn't key escrow for a number of reasons. First, it
doesn't involve keeping a copy the end-user's secret key. I hope that's
obvious
now. Second, the system behaves very differently.
With a key escrow system, there is a superb McGuffin (which is what Alfred
Hitchcock called the crux of a mystery, like the falcon in The Maltese
Falcon) -
it's the safe. Break into the safe, or lend its contents out, and all Hell
breaks loose. Whoever has those keys (which easily fit on a single Zip
disk) has
the company at its mercy. They can decrypt or sign anything they care to.
There
is a great thriller to be written here.
It isn't so with a CMRK. The worst possible way to use the feature is to
have a
single, company-wide CMRK. If that gets lost, the thriller you can write isn't
nearly as interesting. Yup, you can steal any of the plans, read all the mail,
and so on. That's bad. It's deplorable, actually. But it isn't a difference
that
makes no difference. At least there isn't a gang of keys out there that can
sign
anything with anyone's ID.
This is not the only way to use Corporate Message Recovery, it's just the
worst
way. Remember, it's just a notation in the self-signature that states,
"When you
encrypt to me, encrypt to X." That's any X. You can have a different CMRK for
every department, every workgroup, or even every user.
A sophisticated policy might be that every user sets their supervisor's key to
be their CMRK. Another is that everyone in Department X sets their office
mate,
or lab partner, or other person. You can have anything that suits your group,
from Recovery Central, to Recovery Hierarchy, to Recovery Buddy System.
The significant improvement that PGP's web of trust has over a traditional
hierarchical system is that you can set up a top-down system for validity, but
you don't have to (and in our opinion, shouldn't). Analogously, the
significant
improvement that Corporate Message Recovery has over key escrow is that you
can
tailor a recovery system to your needs (including and especially deciding it's
not for you).
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5
iQA/AwUBND6j8H35wubxKSepEQI58gCfQuiMZCyfe7cD1F2nNgFtluQqGXMAoJUh
yHFMApAlDjzwRTCspBi7p9t3
=a2Zo
-----END PGP SIGNATURE-----
-----
Jon Callas jon@pgp.com
Chief Scientist 555 Twin Dolphin Drive
Pretty Good Privacy, Inc. Suite 570
(415) 596-1960 Redwood Shores, CA 94065
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
Return to October 1997
Return to ““William H. Geiger III” <whgiii@invweb.net>”