don't use encrypt to self (Re: legislating the impossible?)

Adam Back aba at dcs.ex.ac.uk
Sun, 5 Jul 1998 16:54:04 +0100


I commented that in my view encrypt to self should not be used because
of the risks it adds.

Someone asked me off list why I held this view, so I thought I'd
comment here too.

The problem with `encrypt to self' is that it places access to
ciphertext on my disk under the control of a third party -- the
sender.  What's more, I have no idea what precautions the sender takes
with their key or passphrase -- they might not have a passphrase, or
might have it written on a sticky note on the side of their screen, and
they may be using a multi-user unix system.

If the message is encrypted to my key only, I can periodically delete
my private key and generate a new key.

The reason I call encrypt to self a misfeature is that it sends an
additional door into the plaintext over the internet when there is no
technical reason to do so.  If the sender wishes to keep a copy, the
software should keep a copy in plaintext, or keep a copy encrypted
with the sender's own keys, locally -- by sending an additional door
into the data over the internet he is adding additional, and entirely
unnecessary, risk.

That archival encryption is implemented with the `encrypt to self'
feature by PGP is for the convenience of the implementor only.
Another reason encrypt to self is a bad approach to archival
encryption is that it uses one key for two distinct purposes:
communications and archiving.  Archival keys you need to keep for as
long as you wish to have access to the data.  Communications private
keys you should delete periodically to reduce risk.  So using the same
key for both purposes prevents you from discarding old keys, because
doing so would make the archives inaccessible.
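The two designs contrasted above, as an added example that is not code from PGP or from this post: a hybrid message built on Go's standard library (AES-256-GCM body, session key wrapped with RSA-OAEP once per recipient, a simplification of PGP's packet layout) in which `Encrypt(plain, recipientKey, senderKey)` is encrypt-to-self and `Encrypt(plain, recipientKey)` on the wire plus a local `Encrypt(plain, archivalKey)` is the separate-archive alternative. `Decrypt` answers whose private key can open a given copy; the type and function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Message mimics a PGP message: an AES-GCM body plus the session key wrapped
// to each recipient's public key; "encrypt to self" just adds the sender's.
type Message struct {
	Wrapped [][]byte // one RSA-OAEP wrap of the session key per recipient
	Nonce   []byte
	Body    []byte
}

// Encrypt: every listed key is one more door into the same plaintext.
func Encrypt(plain []byte, recipients ...*rsa.PublicKey) (*Message, error) {
	buf := make([]byte, 32+12) // fresh session key and GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sess, nonce := buf[:32], buf[32:]
	blk, _ := aes.NewCipher(sess) // 32-byte key: neither call can fail
	g, _ := cipher.NewGCM(blk)
	m := &Message{Nonce: nonce, Body: g.Seal(nil, nonce, plain, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sess, nil)
		if err != nil {
			return nil, err
		}
		m.Wrapped = append(m.Wrapped, w)
	}
	return m, nil
}

// Decrypt answers "can this private key open the ciphertext on my disk?".
func Decrypt(m *Message, priv *rsa.PrivateKey) ([]byte, bool) {
	for _, w := range m.Wrapped {
		if sess, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			blk, _ := aes.NewCipher(sess)
			g, _ := cipher.NewGCM(blk)
			p, err := g.Open(nil, m.Nonce, m.Body, nil)
			return p, err == nil
		}
	}
	return nil, false
}
```

With keys from `rsa.GenerateKey`, a message encrypted to the recipient only cannot be opened by the sender's communications key or by the archival key, while the encrypt-to-self variant opens with the sender's key. Generating a fresh recipient key models the monthly rotation: old wire ciphertext becomes unreadable to the new key, and the sender's locally archived copy is unaffected.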

A further problem `encrypt to self' presents, when we consider
someone trying to recover keys, is that the attacker can coerce either
party into recovering the keys.  This is particularly pertinent when
the DTI and the UK government start to talk about legal requirements
to hand over keys.  By using encrypt to self, you open yourself up to
demands for keys.

Similarly, by using long-term encryption keys (rather than deleting
private keys and generating new ones, say on a monthly basis) you are
also opening yourself up to such demands.

Companies not wishing to open themselves up to expensive discovery
processes, and individuals who value their privacy, would do better
not to use encrypt to self, and would do well to use short-lived keys.

This is analogous to the practice of housekeeping to discard memos and
internal documentation periodically to reduce risks of discovery
processes.

Adam
-- 
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`