3.8.3 EA Permissions
While all the EAs' devices in the oldest class have access to the same PUKs and can perform the same actions from a cryptographic perspective, the Zoom servers allow a more granular set of permissions to be assigned to each Escrow Administrator, applying to all of their devices on the EA sigchain. These additional restrictions align with typical business requirements our customers may have, as detailed below, but they are enforced only by the server and could be circumvented if the Zoom server were compromised.
Users with the escrow-manager permission can enable escrow, create the first escrow device, grant escrow permissions to other users, and approve new devices on the EA sigchain.
To support user recovery (see Section 3.8.4) and legal discovery (see Section 3.8.5), we introduce two more server-enforced permissions.
Users with the escrow-write permission (used for recovery) and the escrow-read permission (used for discovery) can both add devices to the EA sigchain, but cannot approve those devices themselves (only users with the escrow-manager permission can approve new devices for the EA). Therefore, for their newly added devices to receive access to the EA PUKs, the devices must first be approved by a user with the escrow-manager permission. In addition, users with the escrow-write permission can use their EA device keys to write approval links on other account members' user sigchains (thereby helping them recover their data), while users with the escrow-read permission can request from the server ciphertexts encrypted for any of the account members in order to decrypt them.
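As an added illustration (not Zoom's code), the following Python sketch models the server-enforced checks described above: who may grant permissions, who may add and approve EA devices, and which approved devices may act on the recovery and discovery paths. The class, method and user names are assumptions, and the cryptography itself is left out.

```python
from dataclasses import dataclass, field

MANAGER, WRITE, READ = "escrow-manager", "escrow-write", "escrow-read"


@dataclass
class EscrowPolicy:
    """Server-side view (hypothetical model): which user holds which permission,
    and which EA devices have been approved and thus received the EA PUKs."""
    perms: dict = field(default_factory=dict)    # user -> set of permissions
    devices: dict = field(default_factory=dict)  # device -> (owner, approved)

    def _has(self, user, perm):
        return perm in self.perms.get(user, set())

    def enable_escrow(self, actor, device):
        # Only an escrow-manager enables escrow and creates the first EA device.
        if self.devices or not self._has(actor, MANAGER):
            raise PermissionError(f"{actor} cannot enable escrow")
        self.devices[device] = (actor, True)

    def grant(self, actor, user, perm):
        # Only an escrow-manager grants escrow permissions to other users.
        if not self._has(actor, MANAGER):
            raise PermissionError(f"{actor} cannot grant {perm}")
        self.perms.setdefault(user, set()).add(perm)

    def add_device(self, actor, device):
        # Any EA (manager, write or read) may add a device; it starts unapproved.
        if not self.perms.get(actor):
            raise PermissionError(f"{actor} is not an Escrow Administrator")
        self.devices[device] = (actor, False)

    def approve_device(self, actor, device):
        # Approval (which hands the device the EA PUKs) is manager-only.
        if not self._has(actor, MANAGER):
            raise PermissionError(f"{actor} cannot approve devices")
        owner, _ = self.devices[device]
        self.devices[device] = (owner, True)

    def _approved_with(self, device, perm):
        owner, approved = self.devices[device]
        return approved and self._has(owner, perm)

    def can_write_approval_link(self, device):   # user recovery path (3.8.4)
        return self._approved_with(device, WRITE)

    def can_request_ciphertexts(self, device):   # legal discovery path (3.8.5)
        return self._approved_with(device, READ)
```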