[cryptography] Key escrow 2012

Jon Callas jon at callas.org
Thu Mar 29 18:38:53 EDT 2012

On Mar 29, 2012, at 2:48 PM, mheyman at gmail.com wrote:

> On Tue, Mar 27, 2012 at 1:17 PM, Nico Williams <nico at cryptonector.com> wrote:
>> On Tue, Mar 27, 2012 at 5:18 AM, Darren J Moffat
>>> For example an escrow system for ensuring you can decrypt data written by
>>> one of your employees on your company's devices when the employee forgets or
>>> loses their key material.
>> Well, the context was specifically the U.S. government wanting key
>> escrow.
> Hmm - these are not mutually exclusive.
> Back in the mid to late 90s, the last time the U.S. government
> required key escrow for international commerce with larger key sizes,
> they allowed key escrow systems that were controlled completely by the
> company. Specifically, they allowed Trusted Information Systems'
> RecoverKey product (I worked on this one, still have the shirt, and am
> not aware of any other similar products available at the time - PGP's
> came later and was more onerous to use).
> RecoverKey simply wrapped a session key in a corporate public key
> appended to the same session key wrapped with the user's public key.
> If the U.S. Government wanted access to the data, the only thing they
> got was the session key after supplying the key blob and a warrant to
> the corporation in question. The U.S. government even allowed us to
> sell RecoverKey internationally to corporations that kept their
> RecoverKey data recovery centers offshore but agreed to keep them in a
> friendly country.

I'd have to disagree with you on much of that.

The US Government never required key escrow for international commerce. Encrypted data was never restricted; what was restricted was the export of software etc. If you were of a mind where you thought that the only way to get cryptographic software was from the US, then you'd think this might be something like effective. In reality, the idea was absurd from the get-go because encrypted data was never restricted.

The people who wanted to push key escrow never had a good way to explain to anyone why they'd want it. They never had a good carrot, either, for it. At one point, they tried to sugar-coat it by offering fast-tracks on export for it, but Commerce granted export easily. Furthermore, Commerce's own rules progressed so fast with so many exemptions that it was all obviated before it could be developed.

Amusingly, I ended up having TIS's RecoverKey under my bailiwick because Network Associates bought PGPi and then TIS. The revenues from it were so small that I don't think they even covered marketing material like that shirt you had. In a very real sense, it didn't exist as anything more than a proof-of-concept that proved the concept was silly.

Also, there wasn't a PGP system. The PGP "additional decryption key" is really what we'd call a "data leak prevention" hook today, but that term didn't exist then. Certainly, lots of cypherpunks called it that at the time, but the government types who were talking up the concept blasted it as merely a way to mock (using that very word) the concept.
