IP: COMMENTARY on MEEK's DEADMAN WALKING

[Dave Farber <farber () cis upenn edu>]

--
Dave:


If you use this, let's make it anonymous -- better that way.  Less likely to
be scurrilous backlash.


                        [from a very experienced senior scientist djf]


==================


On a humorous note ....


If, as Brock Meeks writes, the "Key Recovery Access Policy [is] better
known by its stunningly apt acronym, KRAP", then Mr.  Spock would almost
surely observe that "it is logical for the so-called 'key recovery access
providers' to be known KRAPers."


On a serious note...


Remember that there was a big flap within the last 5 years when some
company holding large databases of personal information (medical perhaps)
was sold, perhaps at a bankruptcy sale.  The databases of sensitive
personal information were suddenly in the hands of an organization having
no relationship to the original purpose for which the data was collected --
a privacy infraction, and not necessarily subject to the same safeguards
and protection -- a security infraction.


When Brock Meeks asks:


     What happens if one of the so-called "key recovery access providers"
     goes bankrupt while in possession of millions of keys?  Are those keys
     automatically turned over to the FBI for "safekeeping"?  Are they
     "auctioned off," much like the Resolution Trust Corporation auctioned
     off real estate it foreclosed on?


Another question should be added:


     Are these millions of keys to be seen as assets of the bankrupt
     business, to be disposed of to any buyer as part of a fire sale?


Or a variation on the issue:


     What happens if a provider sells itself to another organization, not
     necessarily in the business of being a provider?  Do the legal
     obligations imposed on the provider -- whatever they turn out to
     be -- transfer as legal obligations on the acquiring organization?


As so often observed in recent times ... the devil is in the details.