|
An organisation entrusted with the
keeping of cryptographic keys. The apparent idea behind the appointment of
trusted third parties (TTPs) is that by holding a copy of someone's public
key they can provide independent confirmation of that person's identity to
other parties in an e-commerce deal. This is in itself not a bad
idea, but governments are also keen to use TTP schemes to keep tabs on
suspected criminals who are using strong cryptography. This process may or
may not require a warrant, but recent amendments to legislation in many
countries now make it much easier to do.
Proposed TTP schemes
all suffer from major flaws that render them unusable in practice.
The most obvious is that the sorts of people governments claim to be
targeting with their proposals are unlikely to co-operate with authorities
and turn over copies of their private keys.
Supporters of cryptography point out that law-abiding citizens are
at the greatest risk from such key escrow schemes. In particular,
businesses seeking to get involved in e-commerce have had their confidence
severely undermined by the looming threat of TTP. Their concerns are
many and legitimate. All these schemes are open to abuse by government
officials and security organisations, whose records in this area are not
unblemished. Moreover, the third parties themselves are almost irresistible
targets for malicious crackers, for whom large-scale stores of
private keys represent a playground of immense proportions. This inevitably
makes TTPs horribly expensive to administer, as they require
military-grade security to keep them closed to unauthorised visitors. (See
also public key cryptography and Regulation of Investigatory
Powers Act.) |