
Re: Zimmerman/ViaCrypt?



Edgar Swank noted:

>There was a big discussion recently on alt.security.pgp about PRZ and
>ViaCrypt.  Apparently Phil now wants to produce his own commercial
>version of PGP and has "requested" ViaCrypt to sell back the
>commercial rights under threat of a lawsuit if they don't.
>
>Phil disagrees with ViaCrypt's new "business" version of PGP which
>apparently encrypts all messages with an employer-supplied public key
>in addition to any specified by the employee.  ViaCrypt has their side
>of the argument on their web page. <http://www.viacrypt.com/>

        PRZ is becoming a businessman.  Nothing wrong about that --
business is what makes the cars shine and the toilets flush.  To me,
however, it seems self-servingly pious to seek to reclaim previously sold
rights on the grounds that a corporate customer should not have the right
to set up an escrow key for company communications.

        There's another debate due about whether an employee should have
the right to also -- on company time, over company nets, etc. -- use e-mail
with a private (non-escrowed) encryption to secure personal
communications.  I, predictably, think the employee should have such a right
-- as part of the permissible and acceptable "personal space" allowed an
employee.  (Just as he/she should be allowed to make unmonitored personal
phone calls, and go to the bathroom when the urge strikes.)  Today, this
level of privilege is probably an artifact of white collar or professional
employment;  not an employee's or citizen's right, but rather a perk
associated with the independence granted a valued employee who expects and
demands it.

>The basis of the possible lawsuit would be that ViaCrypt violated
>their agreement not to put any "back door" into any product with the
>PGP name. Whether the "business version feature" could be defined as a
>"back door" would be the crux of the argument.

        That's an argument that should be laughed out of court.  And off
the Net even sooner.  (Although Phil is so much of a hero to most of us,
for his own productive efforts and for having endured the DoJ's squeeze, he
probably got an outrageously tolerant hearing on alt.security.pgp.)

 Steve Reid <[email protected]> added:

>>IMHO Phil Zimmerman has good reason to object to the mutant version, if
>>it's going to cause the PGP name to somehow endorse escrow.

        Balderdash! There is nothing corrupt or nasty about escrow, per se
-- the issue is who gets access to the escrow key and under what conditions.
If the legitimate owner of the protected information totally controls the
escrow key, there is no issue.  In business communications, key escrow is
just another dimension in backup.

>>If there really is a demand for escrow, maybe cypherpunks could create a
>>One Time Pad escrow service. Different custom 'keys' could be produced,
>>depending on who's asking for the data... <G>

        There is a demand for escrow.  For a while, seven or eight years
ago, I collected tales of all the weak commercial crypto systems which were
then being busted.  One of the most striking things was the number -- four
or five commercial products that I recall, Lotus 1,2,3 being the most
prominent -- which were cracked by legitimate administrators desperate to
retrieve something encrypted by an employee who had lost his/her key.

        Suerte,
                                _Vin

         Vin McLellan +The Privacy Guild+ <[email protected]>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>