Thread: PGP "master keys"




PGP "master keys"
user name
2006-04-28 15:42:51
note from the corporate side ... it was specifically the escrow of encryption keys for data at rest ... as part of prudent corporate asset protection; it was not escrow of authentication keys nor escrow of encryption keys used for communication.

the internal network was larger than the arpanet/internet from just about the beginning until possibly around summer of 85. at the time of the great change-over to internetworking protocol on 1/1/83, the number of arpanet/internet nodes was approx. 250 (a number that the internal network had passed in the mid-70s, the internal network passed 1000 nodes a little later in 83).
http://www.garlic.com/~lynn/subnetwork.html#internalnet

corporate inter-site links had to be encrypted ... which at the time meant link encryptors .. there were claims that the internal network had over half of all the link encryptors in the world. there weren't any corporate escrow issues with link encryptor keys. there were various problems with gov. agencies ... significant problems especially in europe getting gov/ptt authorization for corporate link encryptors (on corporate links, between corporate sites, purely carrying corporate data) especially when the links crossed country boundaries.

issues did start showing up in the mid-90s in the corporate world ... there were a large number of former gov. employees starting to show up in different corporate security-related positions (apparently after being turfed from the gov). their interests appeared to possibly reflect what they may have been doing prior to leaving the gov.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
PGP "master keys"
user name
2006-04-29 13:23:01
Anne & Lynn Wheeler wrote:
> issues did start showing up in the mid-90s in the corporate world ...
> there were a large number of former gov. employees starting to show up
> in different corporate security-related positions (apparently after
> being turfed from the gov). their interests appeared to possibly reflect
> what they may have been doing prior to leaving the gov.

one of the issues is that corporate/commercial world has had much more orientation towards prevention of wrong doing. govs. have tended to be much more preoccupied with evidence and prosecution of wrong doing. the influx of former gov. employees into the corporate world in the 2nd half of the 90s, tended to shift some of the attention from activities related to prevention to activities related to evidence and prosecution (including eavesdropping).

for lots of drift ... one of the features of the work on x9.59 from the mid-90s
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

was its recognition that insiders had always been a major factor in the majority of financial fraud and security breaches. furthermore that with various financial functions overloaded for both authentication and normal day-to-day operations ... that there was no practical way of eliminating all such security breaches with that type of information. ... part of this is my repeated comment on security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

the x9.59 approach was to eliminate the function overload so that the same information that was needed for normal day-to-day operation didn't also carry with it any authentication feature/attribute. the result was that data breaches could still occur, but no longer enabled the financial fraud that it once did ... and therefore it didn't really represent a serious security breach ... aka the countermeasure to financial fraud associated with the data breaches was to recognize that it was impossible to totally eliminate them, since the information was required extensively in day-to-day business processes, so to prevent the wrong doing, the authentication feature/attribute was removed from the associated information.
