At 12:55 AM -0600 3/10/2000, John Kelsey wrote:
>[much deleted]
>
>Actually, the subpoena threat means that we need to put the
>entities holding shares of the secret in places where even
>we can't find them.  In the extreme case, there's some
>machine somewhere with e-mail access, which may carry some
>cover traffic of some kind, and which holds some secret
>until a specified date.  On that date, it sends it out.  The
>setup procedure has to establish this machine (or a set of
>such machines) in such a way that ideally nobody ends up
>knowing where they are, and that there's no way for anyone
>to figure out which time-delayed secret is being held on
>which machine.

I agree that something like that would be desirable. The big problem 
is how to actually do it. A bounty or threat of legal action might 
get a lot of people to sweep their systems. One thought might be very 
small (cigarette package sized) lithium-battery powered computers 
that could be hidden in walls and clipped onto existing phone wires. 
They would be silent until the time came to release their key. Then 
they would call a phone number (or several) in the middle of the 
night and divulge their secret. The calls might be to computers or 
they might be to random individuals who would be read a list of 
passphrase words, and told to contact Time-Escrow Inc. for a reward.

I am also starting to like the satellite approach more. There is a 
technology called nanosatellites that is essentially a small PC board 
dumped into orbit. Time escrow would be an ideal nanosatellite 
application.  Several groups could each be given a satellite to 
program.  The satellites would then be placed in the launch vehicle by 
each group and guarded until launch. Actual key generation could be 
deferred until after launch.  One way to ensure this would be to 
select the computation group (e.g. the prime p for DH over Zp or a 
particular elliptic curve for ECC) by some public process after the 
satellites are in orbit.  The nanosatellites would then generate the 
key pairs and communicate the public halves to earth.  The public 
keys would be signed by the nanosatellites using a secret key 
inserted by each group in their nanosatellite, ensuring that they 
were actually computed in space. The private halves of the generated 
keys would of course be broadcast when their time came. I think all 
this could be done for tens of millions of dollars.  Is there a 
market that big for time-escrow service?

>
>
>[stuff deleted]
>
>>You may be right in practice, but it seems to me that a
>>major goal of crypto research is to figure out how to do
>>things in a way that does not rely on contract law and other
>>forms of "trust me."
>
>I have mixed feelings about this.  On one hand, the legal
>system in the US looks fundamentally broken to me.  On the
>other, even massively overworked, corrupt, or incompetent
>judges are *human*.  We are on the verge of building
>computer systems which are intentionally outside the reach
>of any human control.  We've done this to some limited
>extent now with anonymous remailers and even the internet.
>
>But this means that these systems are really outside human
>control.  The trivial example of this is using PGP to
>encrypt all your files with a long, hard-to-guess
>passphrase, and then forgetting the passphrase.  If you do
>this, you're just out of luck--your files are gone.  In one
>sense, this is much better than storing your files
>unencrypted in a safety deposit box on ZIP disks: you don't
>have to trust that the bank won't drill out your box and get
>at the contents, or that someone won't have made a copy of
>the key before you got it, or that a court somewhere will
>order the box opened so your ex-wife's lawyers can read
>through your private files.  But it also means that there's
>no human that can open your files for you when you forget
>the passphrase.  It means that if you die, all the
>information you encrypted is forever lost to the world.  It
>means that no matter how good a reason exists, nobody can
>get that information without the original passphrase.
>
>In this context, I'm reasonably comfortable with things.
>But when we talk about the general automated contract
>enforcement schemes, I worry a lot about what weird
>unforeseen interactions will happen.  This is especially
>worrisome when the system is designed so that there's no
>human in the loop to make a judgement about whether there's
>something going wrong.  Does the car stop working when
>your payment is a month late?  Does this happen even when a
>major terrorist attack has taken down the whole payment
>system for the last month, with the result that half the
>cars on the road stop on the same date?  Does the car
>suddenly become yours for free an hour after someone posts
>the recently-compromised top-level key for the payment
>system's CA hierarchy?  Do thousands of cars suddenly stop
>an hour after someone starts using the recently-compromised
>top-level key for the bank's e-repo-man division?
>

Scientific research is generally conducted on the premise that 
humanity is better off knowing more than less. Certainly many have 
questioned this assumption in other contexts, including nuclear 
power, germ warfare and DNA research.  I don't propose to have that 
debate here. I will say that there is a difference between knowing 
how to create a product and deciding to make it. The public should 
have some say in the deployment of products like e-repo-man. I 
recently saw an op ed piece in the Boston Globe that seriously 
proposed equipping all automobiles with a box to let the police 
disable them by radio as an alternative to high speed chases. We as 
the public crypto community are better able to inform the public 
about the risks if we understand the possibilities. Informed market 
and political pressure is the best way to keep evil crypto in check. 
We won, at least for now and in the US, against key escrow.

On the whole, I think an unbreakable time-escrow service would be a 
plus if it could be done (a big "if").  In particular it provides a 
solution to the lost key problem. I'd be interested in hearing 
arguments to the contrary.

Arnold Reinhold
