3.8.2 Users’ Escrow Device Management
When an account enables escrow and sets up an EA sighchain, all devices belonging to the account’s members will receive an unmistakable notification that escrow is being enabled for their account, and that the user’s data will be available to the account’s EAs. Clients will validate that escrow is turned on by checking that the EA sighchain’s userID is in the account sighchain, and only accept EA sighchains with lockdown mode enabled.
The notification shows the EA sighchain’s fingerprint, which account admins should share with their users through a secure out-of-band channel. Users should compare the fingerprint received from the out-of-band channel with the one displayed by their clients. If the fingerprints differ, users should reach out to their account admins to notify them of the potential MitM attack. Users will not be able to use features leveraging their device keys until escrow is enabled.
Upon acknowledgment of the notification, clients generate a fresh set of device keypairs corresponding to their new virtual escrow device, encrypt the secret keys for the EA sighchain’s latest PUK, delete the secret keys, and add the corresponding public keys with a DeviceAddAndApprove link on their own sighchain. The server will prevent users from revoking this virtual device (unless the administrators disable escrow).
If the EA sighchain’s PUK rotates, the escrow device keys of all the users in the account (and their PUKs) have to rotate as well, as all those keys are known to a revoked device. A DeviceKeyRotate link that rotates an escrow device’s key can either be signed by any of the users’ own devices or by one of the EA’s device keys. At the moment, these rotations are performed by each user’s own devices when they come online, but in the future we can have the EA’s devices also perform them to ensure that the escrow device key rotation is completed in a timely manner, especially for users who might not come online frequently.
Because clients do not display UI notifications for these escrow device key rotations, the system enforces that the only devices that can rotate the escrow device keys are those on the user’s sighchain and those trusted by the device on the EA sighchain that enabled escrow (and that the user has acknowledged they trust). This is achieved by having clients enforce that the EA sighchain is in lockdown mode, and by including the EA sighchain tail in the DeviceAddAndApprove link introducing the new device. If the client later detects that the EA sighchain is no longer in lockdown mode, or that the device the latest PUK on this chain points at is not trusted by the one which originally enabled lockdown mode (for example, this could happen when lockdown mode is disabled and re-enabled by a different device on that chain), it either throws an error or asks the user to acknowledge escrow again (with an updated fingerprint).
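As an added illustration (not code from this document or its implementation), the following Python models the client-side checks described in this section: accepting an EA sighchain, the fingerprint comparison on acknowledgement, the later re-validation of the EA chain, and who may sign a DeviceKeyRotate for the escrow device. The data structures and names are constructed, and the choice of which re-validation failure raises an error versus a re-acknowledgement prompt is an assumption.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set

class EscrowStatus(Enum):
    OK = "ok"
    REACKNOWLEDGE = "ask user to acknowledge escrow again"   # assumed mapping
    ERROR = "error"

@dataclass
class EASighchain:                  # constructed, simplified view of an EA sighchain
    user_id: str
    lockdown_enabled: bool
    lockdown_device: str            # device that enabled lockdown mode
    puk_device: str                 # device the latest PUK points at
    trusted: Dict[str, Set[str]]    # device -> other devices it trusts
    fingerprint: str
    tail: str                       # identifier of the chain's latest link

@dataclass
class EscrowRecord:                 # what the user's client pins on acknowledgement
    ea_tail: str                    # EA tail put in the DeviceAddAndApprove link
    lockdown_device: str            # EA device the user acknowledged trusting
    fingerprint: str

def can_enable_escrow(account_user_ids: Set[str], ea: EASighchain) -> bool:
    """Accept only an EA sighchain listed in the account sighchain, in lockdown mode."""
    return ea.user_id in account_user_ids and ea.lockdown_enabled

def acknowledge_escrow(ea: EASighchain, oob_fingerprint: str) -> Optional[EscrowRecord]:
    """Compare displayed vs. out-of-band fingerprint; None means possible MitM."""
    if not hmac.compare_digest(ea.fingerprint, oob_fingerprint):
        return None
    return EscrowRecord(ea.tail, ea.lockdown_device, ea.fingerprint)

def trusts(ea: EASighchain, truster: str, device: str) -> bool:
    return device == truster or device in ea.trusted.get(truster, set())

def revalidate_escrow(ea: EASighchain, rec: EscrowRecord) -> EscrowStatus:
    """Later check: still in lockdown, and PUK device trusted by the pinned one."""
    if not ea.lockdown_enabled:
        return EscrowStatus.ERROR
    if not trusts(ea, rec.lockdown_device, ea.puk_device):
        return EscrowStatus.REACKNOWLEDGE
    return EscrowStatus.OK

def may_rotate_escrow_device(signer: str, user_devices: Set[str], ea: EASighchain, rec: EscrowRecord) -> bool:
    """DeviceKeyRotate must be signed by a user device or a trusted EA device."""
    return signer in user_devices or trusts(ea, rec.lockdown_device, signer)
```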