SSSS enables recovery by a number of people in a set.



1.- We encrypt the root key to an OpenPGP key created for escrow purposes. We store the encrypted root key on a USB flash drive, and put the drive inside Envelope 1.

2.- The same person who created the passphrase that protects the secret key enters it into SSSS and creates several shares of it in an m/n scheme. He clear-signs each share (including a descriptive title) with that key and stores each signed share in a plain text file (that way, we can check that the shares have not been altered).

3.- The shares are distributed to the board members (carried on USB flash drives, or by some other means).

4.- The private OpenPGP key is stored (protected by the passphrase, of course) on a USB flash drive, and the drive is put inside Envelope 2. The only person who can't keep Envelope 2 is the one who created the passphrase (but unless that person also gets Envelope 1, there is no risk involved).


  1. Independence from banks or notaries.
  2. Low cost: we need the USB flash drives, and nothing more.
  3. We can set any threshold we want. It can be 3/5 for board members, or even 35/35 for all associated members (the idea is to always have some spare shares in case somebody crosses the street without looking first).
  4. We can copy Envelopes 1 and 2, to have redundancy. Each copied set can have its own set of shares (at this point we should consider buying USB flash drives in bulk).
  5. Speed: as long as we can communicate with the share holders, they can provide their shares very fast, by encrypted mail, etc. As long as there is 1 trusted person to receive the shares and operate the software in case of need, there should be no problems. (But would this be considered secure enough?)


  1. In a handover, how can we be sure the former board members destroy their copies of the share? (CARS?) And how do we know the persons holding Envelopes 1 and 2 are not making copies? After enough handovers, there may come a time when enough copies of the envelopes and the shares exist to make it feasible to gather enough people to find m different shares. (But if we are creating increasing numbers of people angry enough to do that, maybe we would have bigger problems than certificate escrow.)
  2. If there is no handover, we can lose the secret (unless we have some kind of backup, like another set of shares in the hands of other people).
  3. If there is no handover, we may recover the passphrase using the secondary scheme (like 20/35 association members), but how will we recover the USB drives?

Discussion on N-of-M

Chokhani et al

Answer these issues from Chokhani et al 4.6.2:

Note that Chokhani is a guideline for a CPS, and is not a set of criteria or a binding document. CAcert has followed the headings layout in its CPS, but differs in its outsourcing to AP, SP, etc.




Key Storage

Key Escrow

Assessment against Requirements

Author Assessment

Community Member Assessment

Community Member Assessment by Daniel Black

Roots/EscrowAndRecovery/SSSS (last edited 2011-02-20 17:17:51 by UlrichSchroeter)