Re: Keyed-MD5, ITAR, and HTTP-NG



On Mon, 30 Oct 1995, Doug Hughes wrote:

> >  Since you deal with security issues maybe you can help me to learn 
> >about some issues with encryption.  I am talking with one of the 
> >administration people about putting PGP on the system for everyone to 
> >use, but there are issues for them (the admin) as they might be liable, 
> >even if they can't read the e-mail.  What other legal considerations 
> >should be evaluated?
> >  Are there any large organizations (like any other universities) that 
> >allow their students to use PGP, and have the system in place to make it 
> >easier for the students?  If it is offered here I might be the one to add 
> >to the mail program (pine) that is generally used to transparently use 
> >PGP, which is what I mean by having a system set up for the encryption. 
> >
> We have approx 1000 machines and 5000 user accounts and have pgp installed.
> I can't think of any reason not to have it installed, and lots of good
> reasons for having it installed.

"Me too," except the numbers are higher.

I would think that you would worry more about your users getting a false
sense of security from storing secret keys on a large multiuser system
than about being held liable for naughty PGP-encrypted traffic. I don't 
see how you could be held liable anyway. How is PGP that much different 
from allowing your users to set a password on their account? It makes it 
harder for root to invade their privacy, but in general, we have very 
stringent requirements that must be satisfied before we'll read user 
directories or mail.

-rich