[jarrett]

In any protocol, how would you manage the decryption keys? If the file's owner is dead, s/he can't provide the keys. So that means the keys must be transmitted to some trusted party before the owner's death.

That party could be the dead man's switch service, but do you want to trust them? I wouldn't. (Nothing against the operators of this site. It's just inherently risky to trust a website operator in this type of situation.)

Alternatively, the key can be given in advance to the files' intended recipients via some secure channel. For example, suppose Alice wants Bob to receive the files upon Alice's death. Alice can deliver the decryption key(s) to Bob in person, electronically with PGP, or in some other sufficiently secure manner. But in this scenario, Bob has to know about Alice's deadman's switch in advance.

So I'm wondering: Is there any way to do this a) with encryption, b) without entrusting the keys to the operator of the service, and c) without informing the recipients in advance?

[StavrosK]

Yes, that's what PGP is for. Encrypt whatever you want to the recipient(s)' public keys, done.

[jarrett]

I should have mentioned: I was assuming the recipients weren't necessarily PGP users. Realistically, most people aren't. I'd imagine a dead man's switch would often be used to send documents to law enforcement, lawyers, journalists, etc. How many of those people have PGP public keys? If they don't, then you have to ask them to create one. Besides the difficulty in getting people to adopt PGP, you're also back the problem of disclosing your dead man's switch prior to your death.

[gingerlime]

I wonder if you can split things between several switches. In the most simple scenario, DMS #1 would receive an encrypted file to be sent to Bob in case of Alice's death. DMS #2 would receive a passphrase for the encrypted file, also to be sent to Bob (or they can be sent to Ben, who would have to meet Bob and both of them together get access)

DMS #1 and #2 (Assuming there are several 'providers' in the 'market') would need to collude or both get hacked in order to compromise the secret.

If there are more DMS services, the key can also be split between them. And I believe there are some key-splitting algorithms that even help this process further.

[jarrett]

That's a good idea. I think you're right: An attacker would have to compromise all the DMSs to obtain the plaintext. That's not outside the realm of possibilities. But it is much harder than compromising just one. At that point, the DMSs might not be the weak link in the chain anymore--an attacker might find it easier to attack your own systems. (Which is a good thing.)

[kryptiskt]

> So I'm wondering: Is there any way to do this a) with encryption, b) without entrusting the keys to the operator of the service, and c) without informing the recipients in advance?

Give half the key to the service and half to your friends, then you're only vulnerable to a conspiracy between them. Or do some more elaborate m of n thing.

[jarrett]

What about my third desire:

> c) without informing the recipients in advance

If you're willing to arrange the protocols with your recipients in advance, there are multiple viable approaches. But what if telling them in advance is itself a security risk?