[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: What's really in PGP 5.5?
- To: [email protected]
- Subject: Re: What's really in PGP 5.5?
- From: Anonymous <[email protected]>
- Date: Thu, 9 Oct 1997 12:42:28 -0400
- Comments: This message was remailed by a FREE automatedremailing service. For additional information on this service,send a message with the subject "remailer-help" [email protected]. The body of the message will bediscarded. To report abuse, contact the operator [email protected]. Headers below this point wereinserted by the original sender.
- Sender: [email protected]
The danger with the PGP system is that it could be easily perverted into
a British style trusted-third-party system for GAK. The government
would set up a key management infrastructure to provide an official
repository and CA to register keys. It could even be "voluntary" if
only government-approved CAs had liability protection which private CAs
didn't have, making it hard for the privates to compete.
However the price to use the government registry is that each key has
to use the PGP features to specify a TTP as an additional recipient.
Every message encrypted to that key should also be encrypted to the
TTP key. Only government-approved TTPs may be used, and although
there are many to choose from, all have to provide easy and secret GAK.
The PGP 5 software will then automatically encrypt to the TTP key.
Yes, this can be defeated using superencryption or faking the
additional-recipient block in the message. But we know any scheme can
be defeated. It still satisfies the government's requirement to get
routine access to most email communications, and to allow criminals who
use standard email packages to be watched.