1996-11-07 - Re: Is there a Win PGP?

Header Data

From: “Mark O. Aldrich” <maldrich@grci.com>
To: “William H. Geiger III” <whgiii@amaranth.com>
Message Hash: bdad317cef867e9338ca4e6755467a7fd3f8e446593d2cfebddc1f4264a683ff
Message ID: <Pine.SCO.3.93.961107141416.26496A-100000@grctechs.va.grci.com>
Reply To: <199611071228.GAA22584@mailhub.amaranth.com>
UTC Datetime: 1996-11-07 19:39:24 UTC
Raw Date: Thu, 7 Nov 1996 11:39:24 -0800 (PST)

Raw message

From: "Mark O. Aldrich" <maldrich@grci.com>
Date: Thu, 7 Nov 1996 11:39:24 -0800 (PST)
To: "William H. Geiger III" <whgiii@amaranth.com>
Subject: Re: Is there a Win PGP?
In-Reply-To: <199611071228.GAA22584@mailhub.amaranth.com>
Message-ID: <Pine.SCO.3.93.961107141416.26496A-100000@grctechs.va.grci.com>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 7 Nov 1996, William H. Geiger III wrote:

> Does anyone know if you can purchase a commercial license from ViaCrypt/PGP Inc. but
> use the standard PGP for commercial purposes?
> 

Yes, that's one way of doing it.  Phil's mentioned this in his PGP doc, as
I recall.  He says, <paraphrase> "if you use it commercially, you have to
make certain I make a buck off this - either send me one, or buy a license
from ViaCrypt."

However, you should also know that PGP Inc. (formerly called ViaCrypt)
sells *TWO* versions of the software.  The PE (or personal edition)
doesn't have the "master key" feature.  If you don't want to use the
encrypted file recovery, then don't order the software that has it.

In the BE (business edition), there's an option to force Big Brother into
every recipient list.  This means that the boss can put him/herself onto
the list of "encrypt to whom" whether you want him/her there or not.
Also, the BE recognizes some nuances in keys that the freeware doesn't:
You can have "sign only" and "encrypt only" keys.  Thus, you can give
everyone a PGP key for digital signature (because, let's say, you want
those powerful non-repudiation capabilities), but if it's a sign-only key,
they can't encrypt anything with it.

I'm also confident that these "features" are very hackable.  Someone could
easily tweak the copy of the public key for Big Brother so it encrypts to
something for which nobody (who can be found) holds the other half of the
key pair.  I'm sure there are some check digits, but I also know that it's
going to be damn hard, with software sitting on my disk on my PC, for you
to keep me locked out of it for very long.  I'm sure that Cypherpunks
could contribute something valuable in creating the "Hacking PGP 4.0
Business Edition FAQ."  Anyone for a little R&D?

The purpose (as it's been explained to me by PGP Inc.) for the BE/PE
changes was to increase the *CHOICES* that PGP users were being given
- not to change PGP into something with key escrow.  (The secret
keys still are secret - there is no escrow).  Everyone knows full
well that there are many companies who won't ever touch PGP unless it's
equipped with some "fail safe" that permits them to enforce their INFOSEC
policy.  Recovering files that were encrypted by people who have
forgotten their pass phrases is in line with most corporate policies.

Bottom line:  Buy the version you want.  If you don't like the BE
features, then don't pay for them or use them.

------------------------------------------------------------------------- 
|It's a small world and it smells bad     |        Mark Aldrich         |
|I'd buy another if I had                 |   GRCI INFOSEC Engineering  |
|Back                                     |     maldrich@grci.com       |
|What I paid                              | MAldrich@dockmaster.ncsc.mil|
|For another mother****er in a motorcade  |Quote from "Sisters of Mercy"|
|_______________________________________________________________________|
|The author is PGP Empowered.  Public key at:  finger maldrich@grci.com |
|    The opinions expressed herein are strictly those of the author     |
|         and my employer gets no credit for them whatsoever.           |
-------------------------------------------------------------------------





