An actor may entrust other actors. Entrustees have read access to the private data and messages of the actor at any point in time.
Entrusted actors are used when data should remain accessible, but does not need to be actively shared.
An employee may entrust his company, for example. Under normal circumstances, the company does not need to access an employees data directly. Instead, the employee should share with peers or partners whatever is needed through messages. However, there are cases where this does not work. If an employee unexpectedly quits or dies, for example, his data may need to be accessed directly.
For similar reasons, a user may want to entrust a close friend.
In addition, users collaborating on the same project may entrust a third party organization, such as a notary, who could access the data upon presentation of a search warrant.
When writing a new version of the private data, the actor adds all entrustees as recipients on the envelope. They are not explicitly notified of the change, but can list the actor's private box and decrypt the data at any time.
On message envelopes, entrustees are added as additional recipients, but the message is not placed into their message boxes.
The sender should add both its own entrustees as well as the entrustees of the recipients, which are listed on their public cards.
When necessary, the entrustee accesses the actor's account, and decrypts the private data and message envelopes with its own key.
Offline keys and air-gapped recovery
Private keys of entrusted accounts can be stored offline until the data needs to be accessed. If incidents are rare, the private key may be stored on a piece of paper and/or memory stick in a vault, for example.
Data can later be recovered on an offline (air-gapped) system as follows:
- Set up a temporary offline system. This system only needs a subset of Condensation, namely a record parser and serializer, an object parser and serializer, as well as RSA encryption and decryption.
- Copy the original envelope onto the offline system.
- Create a new actor, and copy its public key onto the offline system.
- Transfer the private key from the vault onto the offline system.
- On the offline system, decrypt the AES key from the original envelope, and re-encrypt it for the new actor. The rest of the envelope remains as-is.
- Retrieve the new envelope.
- Destroy the offline system.
- Let the new actor sign the new envelope, and attach it to its private box.
The data itself does not need to be transferred to the offline system.
The offline system may be as simple as a microcontroller. For this very specific application, no full-blown operating system is needed.