[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP, Inc.--What were they thinking?





[email protected] writes:
> As a person whose been at work on a very long feature about PGP Inc. for
> Wired, I can tell you that businesses really don't care that much about
> PGP's civil liberties advocacy. 

The suits in charge might not, but many of the security or network
people might.  Technical advice on which product is best suited for
corporate computer and email security often comes from such people.

> In fact, its rep could hurt as much as help them. The Fortune 500 is
> much more pragmatic: They want solutions that work, that help them
> maintain security for their intellectual property and capital. To
> that extent, PGP 5.5--which enables IS directors to manage a public
> key infrastructure and enforce company-wide security policies-- is a
> step in the right direction.

Hmmm.  You can have storage data recovery without allowing third and
fourth parties to read what goes over the wire.  Sending recovery info
with the mesage is bad security practice anyway, especially when the
keys are long term keys.

> And one major thing that needs to be pointed out: PGP's key recovery
> system is *voluntary and private*--not mandatory 

So was clipper remember?  "It's voluntary, read my lips" said the
politicians.  Then a few FOIA's later we found out they were planning
for it to be mandatory all along.  Freeh is calling for mandatory now,
with comments like "if voluntary doesn't work, we may be seeking
mandatory escrow."  It's just a tactic, it's obvious that the
government wants mandatory.  Clearly he will argue that it doesn't
work once he gets a "voluntary" system.  He'll probably engineer an
example of it not working, if a suitable case doesn't arise by itself
in a timely manner.

> and gov.  controlled, which is what the Feds and Louis Freeh have
> been pushing for.

It's not government controlled true.

> One potential positive side effect of PGP 5.5 is that it could
> realign the crypto debate and force people to consider this
> question: Whose back door should netizens be more worried about: Big
> Brother or The Boss?

Big Bro, any day.

But it is not quite that stark because there is a subtly which appears
to be being missed:

  governments want real time access to _communications_

Companies want:

  availability of _stored data_ 
  disaster recovery procedures for encrypted stored data 

(where disaster is sudden death of employee, or employee forgetting
passphrase).

This difference allows you to develop systems which are resistant to
government key grabbing efforts, which at the same time allow
companies disaster recovery plans for encrypted stored data.

PGP's system is too neutral in this respect.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`