Re: Why not PGP?
At 11:01 AM 10/10/96 -0600, Rollo Silver wrote:
>I don't intend to submit my present or future private PGP keys for key
>escrow (Is that what's called GAK?). To protect myself against forgetting
>my private key (which has happened once already) I'll no doubt some day put
>it on a floppy and put the floppy in my bank safe deposit box.
You can't "forget your key"; it's encrypted with your password and is on disk.
BTW, if you do put either or both on floppy to take to your bank, encrypt
the files using PGP's single-key encrypt capability, using a long and
highly non-memorizable key. (Use a freshly demagnetized, formatted floppy,
being careful not to put any non-encrypted files on it, even temporarily.)
That way, if somebody (police, Feds, etc.) breaks into your deposit box, they
get NOTHING.
You still have to "remember" that long, non-memorizable key, although
something like that can be written on paper and well-hidden and/or split up
into parts. Its only value is to decrypt that bank-stored floppy.
>
>Two questions:
>
>1. Does anyone think that legislation might be passed which would
>criminalize my communications with Ray?
The politicians and cops and TLA's would certainly love this, but it doesn't
look too likely for the next five years or so, at least in America and
probably not Europe. However, somebody just posted an item about
illegalizing "networked computers" in Burma...
If you're worried about this, how about giving PGP to as many friends as
have computers, to increase its usage? The more who use it and are aware of
the political issue behind it, the less likely the politicians are to pull
the wool over the collective eyes of the public.
>2. Suppose someone writes a program Z that has no explicit crypto code in
>it, but has hooks for installing one or another version of PGP. Given a
>copy of Z, someone in this country could install PGP he got from MIT,
>whereas someone in Europe could install the international version.
>Would export of Z violate ITAR restrictions?
Nobody seems to know for sure, but this has been discussed a number of times
around here. I happen to believe that using ITAR to even restrict the
export of encryption is an abuse. Attempting to restrict a program which
can interface with external encryption is even sillier. (By that standard,
an operating system interfaces with PGP, which would make MSDOS restricted
if ITAR were interpreted in this way.)
The really odd thing is that exports of Pentium computers aren't restricted,
apparently, yet an X86 clone is just as much a tool of encryption as the
software. And if you ask a person, "would you rather have a copy of PGP and
no computer, or a 166 MHz Pentium computer and no copy of PGP?" the answer
most intelligent people would give is the latter, since getting PGP is easy
and free.
Jim Bell
[email protected]
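
The "long and highly non-memorizable key ... split up into parts" from the reply above, as an added example that is not part of the original message. It goes beyond simply cutting the written key into pieces by using XOR splitting, so that any one part on its own reveals nothing about the key; the 32-byte size, the base32 paper format and all function names are assumptions of this sketch.

```python
import base64
import secrets

KEY_BYTES = 32  # assumed size (256 bits) for the long, non-memorizable key


def new_backup_key(nbytes: int = KEY_BYTES) -> bytes:
    """Draw the backup key from the operating system's CSPRNG."""
    return secrets.token_bytes(nbytes)


def split_key(key: bytes, parts: int) -> list[bytes]:
    """XOR-split: all parts are required, any smaller set is just random bytes."""
    if parts < 2:
        raise ValueError("need at least two parts")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = key
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def join_key(shares: list[bytes]) -> bytes:
    """XOR every part together to recover the key."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares must all have the same length")
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def to_paper(share: bytes) -> str:
    """Base32 in groups of four characters, easy to copy by hand."""
    text = base64.b32encode(share).decode("ascii").rstrip("=")
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))


def from_paper(text: str) -> bytes:
    """Inverse of to_paper; tolerates spacing and lower case."""
    compact = "".join(text.split()).upper()
    compact += "=" * (-len(compact) % 8)  # restore base32 padding
    return base64.b32decode(compact)


if __name__ == "__main__":
    key = new_backup_key()
    for number, share in enumerate(split_key(key, 3), 1):
        print(f"part {number}: {to_paper(share)}")
```

The `to_paper` text of the rejoined key is what would be typed as the passphrase for the conventionally encrypted backup; losing any single part makes the key unrecoverable, so the number of parts is a trade-off between secrecy and loss.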