
CAK as a really bad form of corporate networking

I've been scratching my head, trying to figure out what the market for
PGP's new recovery program is. After all, if employees have local disks
and these disks are on a company network or backup plan, then the
corporation has access to the plaintext of memos, reports, and plaintext
sent and received e-mail. (The purpose of Alice encrypting to Bob being
_in-transit_ security, and nothing more.)

It seems to me that the CAK (Corporate Access to Keys) approach being
talked about, where Alice encrypts to Bob and _also_ encrypts to Eve, is a
poor solution to the "archiving" problem.

As Adam Back and others have noted, if Alice stores her Eudora or whatever
e-mail files on her systems, presumably in plaintext (as the purpose of
encrypting with Bob is for _in-transit_ security, not storage security),
then the corporation can insist that she make her plaintext files
archivable on the company's backup system.

One way to look at the market for CAK is that a company is too flaky to
have a corporate network or backup strategy and is using CAK as a kind of
crude networking scheme. E-mail, with cc:ing of the company crypto czar, is
a way to archive or pool company traffic. A rather back-assed approach, it
seems to me.

Meaning no insult to PGP, Inc. or its fine programmers, it's as if this
message was sent out:

--begin internal Giant Corporation memorandum--

From: Cakbert, Evil PR and Security Administrator
To: All Droids
Subject: Mandatory Voluntary CAK System

It has come to my attention that our attempts to get a corporate-wide
network working have failed, and that we are using a mishmash of intranets,
local LANs, and direct dial-out systems. This is thwarting our efforts to
read what you people are writing to each other.

Henceforth, to solve this network problem we must insist that you adopt a
mandatory voluntary system of cc:ing me, Cakbert, on all of your messages.
Encrypted messages must be voluntarily encrypted with PPP (Pretty Poor
Privacy).

Thank you for your attention.

--end internal Giant Corporation memorandum--

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
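
Added example, not part of Tim May's message and not PGP's code: the "Alice encrypts to Bob and _also_ encrypts to Eve" arrangement from the CAK paragraph above, sketched in Go with only the standard library. What it makes concrete is structural: the message body is encrypted once under a random session key, and each recipient gets that session key wrapped to their own public key, so "also encrypting to Eve" appends one more wrapped copy and hands whoever holds Eve's private key a decryption path that never involves Bob. The choice of X25519 and AES-GCM, the SHA-256 key derivation with its label string, the names and the sample memo text are all my assumptions for this illustration; PGP's real packet formats and algorithms differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is the sealed memo: the body, encrypted once under a random session
// key, plus that key wrapped once per recipient (what a PGP public-key-encrypted
// session key packet does). Encrypting "also to Eve" adds one wrapped copy.
type Message struct {
	Ephemeral []byte   // sender's one-time X25519 public key
	Wrapped   [][]byte // session key sealed under each recipient's wrap key
	Body      []byte
}

// Each key here is used exactly once, so a fixed all-zero GCM nonce is safe.
var zeroNonce = make([]byte, 12)

// deriveWrapKey hashes the X25519 shared secret with both public keys into an
// AES-256 key; SHA-256 stands in for HKDF to keep the example short.
func deriveWrapKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("cak-example-wrap-v1")) // domain-separation label, assumed
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // AES has a 16-byte block, so this cannot fail
	return aead
}

// Encrypt seals plaintext under a fresh session key and wraps that key for
// every recipient given. Bob plus Eve is the CAK arrangement in the post.
func Encrypt(plaintext []byte, recipients ...*ecdh.PublicKey) (*Message, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	msg := &Message{Ephemeral: eph.PublicKey().Bytes()}
	for _, pub := range recipients {
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wrapKey := deriveWrapKey(shared, msg.Ephemeral, pub.Bytes())
		msg.Wrapped = append(msg.Wrapped, gcmFor(wrapKey).Seal(nil, zeroNonce, sessionKey, nil))
	}
	msg.Body = gcmFor(sessionKey).Seal(nil, zeroNonce, plaintext, nil)
	return msg, nil
}

// Decrypt tries every wrapped copy against priv. Any one that opens yields
// the session key and so the whole body; Eve's copy needs nothing from Bob.
func Decrypt(priv *ecdh.PrivateKey, msg *Message) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(msg.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead := gcmFor(deriveWrapKey(shared, msg.Ephemeral, priv.PublicKey().Bytes()))
	for _, w := range msg.Wrapped {
		sessionKey, err := aead.Open(nil, zeroNonce, w, nil)
		if err != nil {
			continue // GCM tag failed: this copy was wrapped for someone else
		}
		return gcmFor(sessionKey).Open(nil, zeroNonce, msg.Body, nil)
	}
	return nil, fmt.Errorf("no wrapped session key opens with this private key")
}

func main() {
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	eve, _ := ecdh.X25519().GenerateKey(rand.Reader) // corporate recovery key
	mallory, _ := ecdh.X25519().GenerateKey(rand.Reader)
	// Constructed sample memo: Alice encrypts to Bob and, per CAK policy, to Eve.
	msg, _ := Encrypt([]byte("Q3 numbers, draft, do not forward"), bob.PublicKey(), eve.PublicKey())
	for name, key := range map[string]*ecdh.PrivateKey{"Bob": bob, "Eve": eve, "Mallory": mallory} {
		pt, err := Decrypt(key, msg)
		fmt.Printf("%-8s %q err=%v\n", name, pt, err)
	}
}
```

Run it with go run: Bob and Eve both recover the memo, Mallory gets an authentication failure. The wrapped copies are tried by tag check rather than by a key ID, which is why a non-recipient sees a uniform error; a real implementation would carry a key ID per copy. Nothing here gives Eve's key any access that a backup of Bob's plaintext mail spool would not, which is the post's objection in the first place.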