On Tue, Mar 27, 2012 at 1:17 PM, Nico Williams <[email protected]> wrote: > On Tue, Mar 27, 2012 at 5:18 AM, Darren J Moffat >> >> For example an escrow system for ensuring you can decrypt data written by >> one of your employees on your companies devices when the employee forgets or >> looses their key material. > > Well, the context was specifically the U.S. government wanting key > escrow. > Hmm - these are not mutually exclusive.
Back in the mid to late 90s, the last time the U.S. government required key escrow for international commerce with larger key sizes, they allowed key escrow systems that were controlled completely by the company. Specifically, they allowed Trusted Information System's RecoverKey product (I worked on this one, still have the shirt, and am not aware of any other similar products available at the time - PGP's came later and was more onerous to use). RecoverKey simply wrapped a session key in a corporate public key appended to the same session key wrapped with the user's public key. If the U.S. Government wanted access to the data, the only thing they got was the session key after supplying the key blob and a warrant to the corporation in question. The U.S. government even allowed us to sell RecoverKey internationally to corporations that kept their RecoverKey data recovery centers offshore but agreed to keep them in a friendly country. ---- -Michael Heyman _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
