[PLUG] Death in the open source community
Rich Burroughs
rich at paranoid.org
Sun May 29 18:51:32 UTC 2005
AthlonRob wrote:
> It's the nature of life today that many of us (myself included)
> necessarily keep important things encrypted. We don't want other people
> to have access to these things. Think of encrypted files as a
> more-secure safety deposit box at the local bank (banks still do have
> these somewhere, right?). We put important documents in the magic
> little box that keeps everybody else out.
Yes, but I wouldn't put every piece of paper that I own in a safe
deposit box. Just the important documents. I certainly wouldn't put the
source code for an Open Source project there, unless it was an offsite
backup for DR purposes. I would not do it to keep that document secret.
And I would have plans in place in advance for how the people who would
need access to those important documents in the safe deposit box would
get to them. That is not exactly a new concept.
Putting your encryption key inside of a safe deposit box with
instructions for who should have access to it if you passed would
actually be one way to handle the scenario Keith mentions.
> Some of these important things are things that need to be released upon
> death to close relatives, friends, and colleagues. For instance, I'd
> want my GoDaddy password to be given to Alan Hicks if I died, because I
> own the Slackbook domain and he's the Slackbook maintainer. I'd like
> him to be able to transfer the domain to himself without such hassle if
> I pass away.
It seems again that there are easier solutions for this. Like moving the
name to a separate account and sharing the password with him.
> Does this make sense so far?
>
> Keith is trying to come up with a mechanism to allow information like
> that to be released upon death... what if I get hit by a bus tomorrow
> (quite unlikely, we don't have busses down here)? What mechanism might
> allow Alan access to my password?
And what if one of the 8 people who has a piece of your encryption key
loses it?
> I like the idea of trusting a few close friends with bits of the puzzle,
> so only working together could they unlock the data... trusting a
> majority wouldn't be compromised or decide to compromise things
> themselves.
You guys are obviously free to pursue this if you want to, but I just
feel like you are making things much more complicated than they need to be.
If the data is not something that needs to be encrypted, like a CVS tree
for an Open Source project, then I just would not encrypt it. I think
people who are working on an Open Source project together should make
sure their data is shared, not kept secret. If there is only one copy on
someone's encrypted hard drive, then that's a problem if the drive fails
too. You should certainly have some sort of DR plan involving offsite
backups from wherever the CVS server is.
In Keith's followup he makes it sound like he is concerned about more
personal data. If you can't trust a friend or family member enough to
give them some sort of access to that, even access where they at least
need to jump through some hoops first (like through a lawyer), then I'm
not sure what to tell you. Frankly I would trust my own family members
with the key to retrieve information that I needed to encrypt more than
I would people that I know through PLUG. Nothing personal, I've met some
great people through the group, but if the info is important enough to
encrypt it I would want to entrust that to someone closer to me.
If you do want to break up your encryption key and give pieces of it to
several people, then by all means do. That should be pretty easy for
anyone who is familiar with their encryption software to do, I'm not
sure why that needs the participation of PLUG somehow.
And Keith, someone who disagrees about the need for what you propose is
not necessarily lacking empathy or compassion, that suggestion seems to
be a bit of a low blow.
Rich