[gnso-acc-sgb] elaboration on the Blob topology

[Dan Krimm <dan@xxxxxxxxxxxxxxxx>]

Hi Paul and registrars,

Due to time constraints I didn't follow up with this on today's phone call,
but perhaps you can elaborate here on email.

My question with respect to the Blob proposal is: how many keys would be
involved, and how would they correspond with what data and what users,
specifically?

I assume that encryption for any specific blob is limited to a single key,
and once encrypted and distributed broadly (and publicly, given that it is
included with all queries on that domain) that key will work on that blob
forever.

So, in the event of a breach of the key into the general public, or at
least into a broader population than is properly certified for access,
there is no mechanism for further protection of the encrypted data in the
blob.

Given the statistics on the failings of human beings, one must expect that
a certain number of breaches will inevitably happen over time.  And, we
will not know about many of them (if they are contained to private but
uncertified entities).

In the May 2 call, it was suggested that perhaps there could be multiple
keys. so that a single public breach does not open up the entire set of all
blobs to public access (or at least to unauthorized access).

Can you explain how a topology of multiple keys might work?  How many blobs
would a single key provide access to, and do different LEAs get different
keys or do they all share the same key(s)?

It seemed to me that the simplest case was that a single key would provide
access to all blobs across all registrars.  In the opposite extreme, each
blob would be uniquely encrypted for each individual real-time query, but
then distribution of keys would be a major undertaking, and one may as well
set up a password-access database system anyway.

One particular concern I have is that some wealthy entity that wants to do
data mining could build up a database that combines both unencrypted as
well as encrypted data, and simply await an opportunity to acquire a key or
keys to be able to decrypt the blobs that are stored in an integrated
database.  If a single key would unlock all encrypted data in that
database, then that key would become quite valuable, and that increases the
incentive (and thus the chance) of a breach in return for quite substantial
payment under the table.  This seems to constitute a sort of "time bomb"
given the potential for a single breach across the full realm of certified
individuals in all LEAs assigned access across the globe.

This would almost be worse than a fully public breach, because it would
presumably be mostly unknown, and it would place such wealthy entities at a
great advantage in gaining unauthorized access.

So, while this scheme would seem to work as long as everyone with access
behaves properly, I would suggest that we need to consider the real
potentials for breaches and what the ramifications would be in such cases.

Thanks,

Dan

PS -- Today you pointed out that with this scheme there would be no trace
of specific use of the keys to gain access to specific data.  However, if
indeed there is consideration of Bertrand's suggestion of creating an
individualized audit trail of queries into the private data in order to
provide post-facto accountability for data use, this might present an
impediment to enforcement of any laws against abuse of the privileged data
by particular individuals, including those legitimately certified for
access initially.