Discussion Issues: Desirable Characteristics for Key Escrow Agents

In the government's recent announcement of its intent to allow the export of 64-bit software key escrow encryption products, one stipulation was that the keys would be escrowed with an approved key escrow agent.(*1) Exactly what qualifications/considerations are appropriate for approval as a key escrow agent have not been defined. Some of the issues which need to be discussed and resolved include the following:

• What kinds of organizations should be excluded from consideration as approved key escrow agents?
• What sort of legal agreement between the government and the key escrow agent is necessary to stipulate the responsibilities of the agent? Should this include the terms and conditions under which release of a key is required?
• How will liability for unauthorized release of key be handled?
• Should, for example, intentionally misreleasing or destroying a key be criminalized? Should this include other actions?
• How can the government's needs for confidentiality of key release be handled?
• Should approval of key escrow agents be tied to a public key infrastructure (for digital signatures and other purposes)?
• What procedures need to be developed for the storage and safeguarding of keys?
• What are the acceptable performance criteria (e.g., around- the-clock availability, accessibility, reliability, etc.) for approved key escrow agents?
• Under what circumstances will key escrow agents in foreign countries be approved?
• What process will be used to approve escrow agents? Costs/who pays?

*1 - "Approved," for the purposes of this discussion, means that the government (or its agent) has formally granted permission for an organization to hold keys for exportable encryption products.

8/24/95