
Re: What's really in PGP 5.5?

> There are two reasons which are given as to why someone might want to
> have GAK installed for company use.
> 
> 1. to allow access to important material lost in the mail system in the
> event that an employee is hit by a bus
> 
> 2. to allow management to spot check the emails being sent and received
> 
> 
> Argument 1 seems pretty flimsy to me.  I reiterate my comment in an earlier
> post: who in their right mind keeps their _only_ copy of ultra valuable
> company information bouncing around in the email system?  Did those arguing
> for this position not notice that sometimes email gets lost in transit?
> 
> Regardless, if PGP claims to be catering to those who use this argument, and
> to not want to try that hard to make it impossible to by-pass, the more
> secure, and less GAK friendly way to do it is to have the mail client
> software archive the email sent and received.

Two problems.  First, not all mail clients let you archive the mail in
a different form than how it arrived.  Netscape 3 worked like this, maybe
4 too.  If the mail comes in encrypted just to an employee key, that is
how it will be stored, and no business access is possible.

Second, what if an employee doesn't come back from vacation?  You've got
messages sitting in his inbox which go back three weeks.  All encrypted
to his personal key, which is gone.  It's been long enough that the
senders may not have backups any more.  It's all lost, and at best the
company is going to put its partners and customers to a great deal of
inconvenience by making them re-send everything they've sent in the last
three weeks, not to mention making the company look incompetent.
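An added illustration of the point above, written for this archive and not code from the original post or from PGP: a PGP-style message is one body encrypted under a session key, plus that session key wrapped once per recipient public key. The three scenarios show why a message archived exactly as it arrived, wrapped only to the employee's key, is unrecoverable once that key is gone, and the two places the extra company wrapping can be added instead: by the sender, or by the receiving client when it archives the message. Everything here is a toy stand-in and an assumption of the example, not PGP's format: textbook RSA with fixed Mersenne primes and no padding in place of the real public-key layer, a SHA-256 counter keystream in place of the symmetric cipher, and the "employee"/"company" names and sample message are constructed.

```python
"""Toy model of PGP-style multi-recipient mail and key recovery.

Added example, not code from the original post or from PGP.  Toy crypto
only (textbook RSA, fixed primes, no padding, SHA-256 keystream), chosen
so the example runs with the standard library alone.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

E = 65537
MESSAGE = b"Q3 contract terms, final draft attached."  # constructed sample


@dataclass(frozen=True)
class Keypair:
    n: int
    e: int
    d: int  # private exponent; "losing the key" means losing this


def toy_keypair(p: int, q: int) -> Keypair:
    """Textbook RSA from two fixed primes (toy; real keys are random)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return Keypair(n, E, pow(E, -1, phi))


def wrap(pub: Keypair, session_key: bytes) -> int:
    """Wrap a 16-byte session key to one recipient (unpadded RSA, toy)."""
    m = int.from_bytes(session_key, "big")
    assert m < pub.n
    return pow(m, pub.e, pub.n)


def unwrap(priv: Keypair, wrapped: int) -> bytes:
    return pow(wrapped, priv.d, priv.n).to_bytes(16, "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHA-256 counter keystream (toy)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_message(plaintext: bytes, recipients: dict) -> dict:
    """One body, one session key, one wrapped copy per recipient key."""
    session_key = os.urandom(16)
    return {
        "wrapped": {name: wrap(pub, session_key) for name, pub in recipients.items()},
        "body": keystream_xor(session_key, plaintext),
    }


def decrypt_message(msg: dict, name: str, priv: Keypair) -> Optional[bytes]:
    """Returns None when the message carries no wrapping for this key."""
    if name not in msg["wrapped"]:
        return None
    return keystream_xor(unwrap(priv, msg["wrapped"][name]), msg["body"])


def rewrap_for_archive(msg: dict, holder: str, holder_priv: Keypair,
                       archive: str, archive_pub: Keypair) -> dict:
    """What a mail client could do at archive time: recover the session key
    with the employee's key (still present at that moment) and wrap it to
    the company archive key too, leaving the body untouched."""
    session_key = unwrap(holder_priv, msg["wrapped"][holder])
    wrapped = {**msg["wrapped"], archive: wrap(archive_pub, session_key)}
    return {"wrapped": wrapped, "body": msg["body"]}


def recovery_scenarios() -> dict:
    employee = toy_keypair(2**127 - 1, 2**89 - 1)
    company = toy_keypair(2**107 - 1, 2**61 - 1)

    # 1. Mail encrypted only to the employee and archived as it arrived.
    as_received = encrypt_message(MESSAGE, {"employee": employee})
    # 2. Sender wrapped the session key to the company key as well.
    sender_added = encrypt_message(MESSAGE, {"employee": employee, "company": company})
    # 3. Client re-wrapped the session key to the archive key on receipt.
    rewrapped = rewrap_for_archive(as_received, "employee", employee, "company", company)

    # The employee is gone; only the company key is available for recovery.
    return {
        "archived_as_received": decrypt_message(as_received, "company", company),
        "sender_added_company_key": decrypt_message(sender_added, "company", company),
        "client_rewrapped_at_receipt": decrypt_message(rewrapped, "company", company),
    }


if __name__ == "__main__":
    for scenario, result in recovery_scenarios().items():
        print(f"{scenario}: {result!r}")
```

The first scenario returns None: the archive holds a perfectly good ciphertext and nothing on the company side can open it. The other two recover the text, and the difference between them is only who added the second wrapping; the third one is what the quoted proposal (have the client archive the mail) would have to do, and it only works if the client can re-wrap rather than store the message byte-for-byte as it arrived.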