by DoctorOetker 2973 days ago
1) Regarding BUNCH: the nonces are random and hence there will be as many as there are phones, drawn from a suitably large n-bit space, but Apple does not need a local copy of the nonces. If the government requests a decryption and Apple agrees, it will decrypt and find the user passcode and the irrelevant nonce.

2) "and force anyone who wanted to look them up to do it physically, in person, with paper" I don't understand your proposal? If the government wants to decrypt a phone, they should come to Apple in person with what paper? How do you ensure that everyone knows when a phone is audited? (Ozzie's proposal, or what we read of it in the article, does not address ensuring the populace finds out whenever a phone is decrypted.) In your scenario, is the well observed building operated by Apple or by the populace?

1 comments

The idea is that each of the secret keys (not nonces) would be kept on paper in a well observed location, with only the public keys leaving. The building would be operated by whoever is responsible for generating the keys and showing that their keys aren't (hopefully yet) compromised. They could allow the public to observe and perhaps the boxes could be marked with the range of IMEIs/keys contained within. If the cops want to go in and get a key out of a box, they can get a warrant to do it but everyone can know which few hundred thousand phones have been compromised.

It doesn't completely prevent malfeasance... it just makes it a PITA.

Suppose Apple owns the building:

* there is no advantage in having cops come over: either a secret is revealed or it is not. Any information to convince Apple concerning a specific case or phone could just as well be sent over the internet. Allowing them to enter looks like a serious threat vector to me, they could plant things, smuggle things out...

* Either Apple is faithfully reporting each count of the cops unlocking a phone, or it isn't. In the case of requesting over the internet the cops can't bring in devices to look through closed boxes or whatever.

* Is your fear rooted in a perceived sense of insecurity because of the small passcode (4 decimal digits) and the effect that would have on the security of the encrypted(passcode+nonce)? Because that is exactly why the random nonce is there. In theory the user could select his own nonce and have it burned in efuse memory, but he would only be able to change the nonce a limited number of times. Then the user can roll as many dice as he wants and xor bits to smithereens ;)

But it all stays crap key escrow, it's just a big "Eureka!"-show trial balloon to gauge public acceptance, no?

The real risk is that whatever the key-holder thinks is air-gapped storage isn't and the whole lot is secretly lost to crackers, state sponsored or not... that's a lot harder to do with 1000 tons of paper.

The point is that even a dedicated party trying to keep the keys safe probably can't do it (for any length of time) on digital media.