Re: PGP Employee on MKR
Fisher Mark <[email protected]> writes:
> Mark Grant <[email protected]> writes:
> >Yes, but PGP WANT TO BUILD THIS INTO EVERY SYSTEM THEY SELL!!!!! I
> >don't care that any Perl hacker can write a script which builds CMR
> >into PGP 2.6.2, because those scripts are restricted to those who
> >wish to use them. PGP ARE BUILDING THE FUNCTIONALITY INTO EVERY
> >PRODUCT THEY SELL!!!!
>
> But the changes to add GAK/GMR/CMR to PGP (or any other crypto product
> that permits multiple recipients) are close to trivial. Don't be fooled
> into thinking that if PGP takes this "feature" out (can't be a bug --
> it's documented :) that that will make it a lot harder to add that
> feature back in once the appropriate laws are passed.
Adding the feature clearly will be easy. But persuading the people
using the non-CMR enabled software base to downgrade will be a big
problem. I wonder how many people will still be using old versions years
later. There is a huge inertia to not upgrade that frequently.
People don't like upgrading, companies don't like upgrading, it costs
time, money, it's unwanted hassle.
I'm guilty of this myself in some areas. `don't fix what isn't broken'.
E.g. I'm using an ancient beta XFree86, and hacking around the expiry
simply because I can't be bothered to download and install the next
version.
At dcs.exeter the admins were _way_ behind. I had netscape2, and then
3 installed for myself and friends to use, while they were still
trundling along with an antique NCSA Mosaic beta version or something.
I had gcc-273 installed in my own filespace and they had gcc-258 or
something (it matters if you're using templates.. the old ones are
more broken).
> Still, in retrospect, PGP's engineers and scientists should have
> thought about all the security implications of CMR -- they might
> have implemented CDR to begin with.
You would've thought, yes. Even from a security point of view,
forgetting political arguments, CDR is better.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`