[PLUG] Death in the open source community

Rich Burroughs rich at paranoid.org
Sun May 29 18:51:32 UTC 2005


AthlonRob wrote:
> It's the nature of life today that many of us (myself included)
> necessarily keep important things encrypted.  We don't want other people
> to have access to these things.  Think of encrypted files as a
> more-secure safety deposit box at the local bank (banks still do have
> these somewhere, right?).  We put important documents in the magic
> little box that keeps everybody else out.

Yes, but I wouldn't put every piece of paper that I own in a safe 
deposit box. Just the important documents. I certainly wouldn't put the 
source code for an Open Source project there, unless it was an offsite 
backup for DR purposes. I would not do it to keep that document secret.

And I would have plans in place in advance for how the people who would 
need access to those important documents in the safe deposit box would 
get to them. That is not exactly a new concept.

Putting your encryption key inside of a safe deposit box with 
instructions for who should have access to it if you passed would 
actually be one way to handle the scenario Keith mentions.

> Some of these important things are things that need to be released upon
> death to close relatives, friends, and colleagues.  For instance, I'd
> want my GoDaddy password to be given to Alan Hicks if I died, because I
> own the Slackbook domain and he's the Slackbook maintainer.  I'd like
> him to be able to transfer the domain to himself without such hassle if
> I pass away.

It seems again that there are easier solutions for this. Like moving the 
name to a separate account and sharing the password with him.

> Does this make sense so far?
> 
> Keith is trying to come up with a mechanism to allow information like
> that to be released upon death... what if I get hit by a bus tomorrow
> (quite unlikely, we don't have busses down here)?  What mechanism might
> allow Alan access to my password?

And what if one of the 8 people who has a piece of your encryption key 
loses it?

> I like the idea of trusting a few close friends with bits of the puzzle,
> so only working together could they unlock the data... trusting a
> majority wouldn't be compromised or decide to compromise things
> themselves. 

You guys are obviously free to pursue this if you want to, but I just 
feel like you are making things much more complicated than they need to be.

If the data is not something that needs to be encrypted, like a CVS tree 
for an Open Source project, then I just would not encrypt it. I think 
people who are working on an Open Source project together should make 
sure their data is shared, not kept secret. If there is only one copy on 
someone's encrypted hard drive, then that's a problem if the drive fails 
too. You should certainly have some sort of DR plan involving offsite 
backups from wherever the CVS server is.

In Keith's followup he makes it sound like he is concerned about more 
personal data. If you can't trust a friend or family member enough to 
give them some sort of access to that, even access where they at least 
need to jump through some hoops first (like through a lawyer), then I'm 
not sure what to tell you. Frankly I would trust my own family members 
with the key to retrieve information that I needed to encrypt more than 
I would people that I know through PLUG. Nothing personal, I've met some 
great people through the group, but if the info is important enough to 
encrypt it I would want to entrust that to someone closer to me.

If you do want to break up your encryption key and give pieces of it to 
several people, then by all means do. That should be pretty easy for 
anyone who is familiar with their encryption software to do, I'm not 
sure why that needs the participation of PLUG somehow.

And Keith, someone who disagrees about the need for what you propose is 
not necessarily lacking empathy or compassion, that suggestion seems to 
be a bit of a low blow.


Rich



