On 13/08/15 17:33, Joe Abley wrote: > On 13 Aug 2015, at 12:18, Dave Crocker wrote: > >> On 8/13/2015 9:14 AM, Stewart Bryant wrote: >>> Many of the interesting cases can be addressed by some mixture of >>> extreme key fragmentation with escrow fragmented across a set >>> of organizations that are both unable and unlikely to collude, but >>> would co-operate with an appropriate third party if presented with >>> the appropriate justification. >> >> That's theory that could reasonably sound appealing. Are there >> real-world examples of a model like this showing the desired properties >> that balance safety and utility? > > Management of root zone DNSSEC Key Signing Key (KSK). > I don't think those are at all the same. The KSK case is basically a once-off tiny-scale key storage thing run by relatively mutually trusting parties where misbehaviour should be apparent or would be pointless. The mythical system Stuart is imagining would need to handle extremely mutually untrusting parties at Internet scale in a system that's basically supposed to support exactly the kind of thing that would constitute misbehaviour in the KSK case. So no, not the same in many ways, including the important aspect that the KSK backup system is reality whereas the other is fantasy. S. PS: A nit, but I assume that it is not "copies" of the KSK you meant but rather cryptographic shares in that key which are an entirely different thing.