I agree but it is also an interesting… “cyber” issue. Cyber in the technical sense of computer + human interaction. What if two government-regulated entities want the FBI or the SEC to be able to open their encrypted conversation in case of an investigation in exchange for insurance benefits? In other words, the insurance company would sure like to be able, in case of an accident, to unencrypt something for forensic research. They would offer lower premiums if they knew they could count on the key being escrowed somewhere “safe” (which is the operative technical question that’s essentially unanswered) such that in case of a chemical plant blowing up they could go unencrypt the comms between the contractors and the chemical company.
Interesting stuff, but I’m not sure if we’re ready to play out the possible disaster scenarios that could go wrong if the “safe” space was compromised if we can just say “allow encryption” in general and let the forensic difficulty fall to the future investigators.
(note this is a devil’s advocate position, but I just wanted to get it off my mind quickly)
Hey, if you want to offer insecurity as a service by all means do so, just make sure to inform your customers that their communications can be handed over to “the FBI or the SEC” (and anyone able to compromise your system) and you’re on ethical high ground.
I think that’s the argument and almost exactly how it should be phrased, with the addition of anyone able to compromise your or their (FBI, SEC) system. I could imagine a lot of use cases for that level of insecurity being codified. Then the question becomes: are you doing 1 golden key, 1 key per customer, rotated PKI (who stores the old keys?), etc. It’s terrifying and complex and above all insecure, but once again, that’s a possibly useful arrangement for folks who want to be able to prosecute wrongdoing.