From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 10 Oct 1997 18:51:06 +0800
To: jamesd@echeque.com
Subject: Re: What's really in PGP 5.5?
In-Reply-To: <199710092259.PAA13153@proxy3.ba.best.com>
Message-ID: <199710101040.LAA00172@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




James Donald <jamesd@echeque.com> writes:
> At 02:27 PM 10/7/97 -0700, Jon Callas wrote:
> [Explaining PGP's rather alarming "data recovery" features.]
> 
> Sending a copy to the boss of everything Alice sends is OK.
> 
> If Alice wants to send something her boss should not read, perhaps she
> should use her private account, rather than a company paid account.
> 
> Sending a copy of everything Alice receives to the boss or HR is not OK.
> 
> Alice should get to control it.

I'm not sure I see why you draw this distinction.

Is it because the person sending may intend the message for Alice
only?  If so I think Jon said that all current versions of PGP warn
the user that their is a company escrow situation when you send to the
key (this information being in attributes of the key).

Snooping Alice's outgoing traffic, and snooping Alice's incoming
traffic are similarly little brotherish in my view.

If the company has an approval system for official statements (seems
reasonable, if it's a press release, important contractual decision,
etc), then Alice can send a copy to the legal beagles for the ok, and
they can send it on.

> It would be acceptable for the company system to keep track of what
> Alice has received, and flag "Alice received something, and has not
> yet filed the cleartext copy with us"

I figure this is fair game also... clearly they can see the traffic
coming into LAN and being delivered to Alice's mailbox.

> It is not acceptable to just plain snoop on what Alice receives.

I don't like it either.  But how is this so different from snooping on
what Alice sends.

> Furthermore any auto-snoop feature sets a very dangerous precedent.

Agree.

> It is politically a lot more difficult for the FBI to mandate that they
> can recover your data, if such a mandate leads to the message flashing up, 
> "now sending a copy to the FBI" every time you decrypt something.

I was arguing earlier that the way for the company to do archiving of
received encrypted email was for archive copy to be taken after the
employee has decrypted it.  The employee should be made aware that the
received email is being archived.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`