| We need a new way of thinking about caches of secrets. It starts from an unpleasant truth: all secrets eventually leak. The evidence of the past few years teaches us that even state actors with unlimited resources cannot keep their secrets from leaking. A "leak" here means that a trusted entity loses control of the secret to one or more untrusted and malicious entities. That is just a definition, not a claim that any particular government, company, or person is a trusted entity. To counter this, we need multiple layers of defense.

One layer is the business of bricking the phone when a leaked secret is exploited against it. That makes it plain that the secret has leaked. It is a valuable layer of defense.

Another is to give secrets limited useful lifetimes. Expiration and revocation of TLS certificates do that. Credit and debit card numbers can be deactivated and replaced rapidly; that is another way to limit the lifetime of a secret. Ozzie's proposal includes no way to limit the lifetime of its secrets. (Social Security numbers are problematic secrets for the same reason: they too have unlimited lifetimes.)

A third layer is to give secrets limited utility. If debit cards had daily spending limits, their numbers would be less useful to a thief than they are today, for example. Zero-day exploits are secrets with vast utility, for another example. Ozzie proposes a secret that unlocks an entire phone. How about limiting it to, say, the phone's call log or SMS log?

A fourth layer is to keep each cache of secrets as small as possible, so a breach affects as few people as possible. Ozzie proposes the opposite.

A fifth layer: holders of caches of secrets must know they are strictly liable for breaches, in proportion to the damage those breaches do. It must not matter whether the breach was due to negligence, carelessness, espionage, or salt water rusting out the safe after a storm.
Large-scale key escrow systems will never meet that standard: nation states won't accept that liability, nor will they pay private companies enough to cover the insurance for it. (Strict liability is not unprecedented: workers' compensation and the vaccine injury compensation fund are two reasonably successful examples.) People, companies, and governments holding secrets must plan for what happens when (not if) those secrets leak, and provide at least some defenses in depth like these. Ozzie's proposal has weak and incomplete defenses in depth. That is why it is dangerous. |
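The second and third layers above (bounded lifetime, bounded utility), plus revocation, in working code. This is an added example, not part of the original comment and not Ozzie's design or any real escrow system's code: a Python sketch of an unlock capability that is bound to one device, to a set of scopes such as the call log, and to an expiry, and that the verifier checks with an HMAC. The escrow key, the device names, the scope names and the clock values are constructed for the example. The contrast it draws is with a single escrow secret that unlocks the whole phone forever, which would pass none of these checks because it has none of them.

```python
"""Scoped, expiring unlock capability versus an all-or-nothing escrow secret.

Constructed example. ESCROW_KEY, the device ids, the scope names and the
fixed clock are assumptions made for this demonstration only.
"""
import base64
import hashlib
import hmac
import json

# Assumption: the escrow holder's signing key. Constructed for this example.
ESCROW_KEY = b"constructed-escrow-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, device_id: str, scopes, lifetime_s: int, now: int) -> str:
    """Mint a capability bound to one device, a scope set and an expiry time."""
    claims = {"dev": device_id, "scp": sorted(scopes), "iat": now, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def token_id(token: str) -> str:
    """Stable identifier for a revocation list: hash of the whole token."""
    return hashlib.sha256(token.encode()).hexdigest()


def verify_token(key: bytes, token: str, device_id: str, requested_scope: str,
                 now: int, revoked=frozenset()):
    """Return (allowed, reason). Each check is a layer a bare escrow secret lacks."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "bad signature"
    claims = json.loads(body)
    if claims["dev"] != device_id:               # bound to one device, not all
        return False, "wrong device"
    if now >= claims["exp"]:                     # layer two: limited lifetime
        return False, "expired"
    if requested_scope not in claims["scp"]:     # layer three: limited utility
        return False, "out of scope"
    if token_id(token) in revoked:               # revocation, as with TLS certs
        return False, "revoked"
    return True, "ok"


def demo() -> dict:
    """Exercise each check with a fixed clock so the outcome is deterministic."""
    t0 = 1_700_000_000
    tok = issue_token(ESCROW_KEY, "device-A", {"call_log", "sms_log"}, 3600, t0)

    # An attacker who holds the token but not the key tries to widen its scope.
    body_b64, tag_b64 = tok.split(".")
    forged_claims = {"dev": "device-A", "scp": ["*"], "iat": t0, "exp": t0 + 10**9}
    forged = _b64(json.dumps(forged_claims, sort_keys=True,
                             separators=(",", ":")).encode()) + "." + tag_b64

    return {
        "call_log_now": verify_token(ESCROW_KEY, tok, "device-A", "call_log", t0 + 60)[1],
        "photos_now": verify_token(ESCROW_KEY, tok, "device-A", "photos", t0 + 60)[1],
        "call_log_later": verify_token(ESCROW_KEY, tok, "device-A", "call_log", t0 + 7200)[1],
        "other_device": verify_token(ESCROW_KEY, tok, "device-B", "call_log", t0 + 60)[1],
        "after_revoke": verify_token(ESCROW_KEY, tok, "device-A", "call_log", t0 + 60,
                                     revoked={token_id(tok)})[1],
        "forged_scope": verify_token(ESCROW_KEY, forged, "device-A", "photos", t0 + 60)[1],
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:15s} -> {reason}")
```

The point of the sketch is the verifier: a leaked token is good for one device, one hour and two kinds of records, and can be pulled early by adding its hash to a revocation set. A leaked master escrow key in the scheme the comment criticizes has none of those bounds, so nothing short of re-keying every device recovers from it.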