[nottorp]

For large organization data the keys would need to be stored within the organization, not with one particular user as in the case of your personal PII needs.

And then you'd still need to worry about digital sovereignity for the keys.

[fc417fc802]

I don't follow. Are you saying that BigCorp would demand key escrow? They already deploy custom email solutions today so I don't see the issue.

[nottorp]

I am saying you can't keep the keys just on a stick in the employee's pocket since multiple people need to have access to the data.

And if those keys are stored by a company subject to US jurisdiction, we're back to the same problem.

[fc417fc802]

Well yes, if you hand your keys over that is indeed a problem. Of course handing your keys over to the provider rather defeats the purpose of E2EE so hopefully no one is doing that.

Key escrow is the usual solution to an employer needing access to employee materials.

[nottorp]

> Key escrow is the usual solution

Yes, and you move the problem to "is the entity/process/whatever handling key escrow under US jurisdiction"?

[fc417fc802]

Yes, obviously, but key (/account/identity/etc) management is typically a much narrower and well defined problem to solve and in many cases it will already have been solved (centralized management of user accounts, employee ID cards that contain physical tokens, and other such things).