From: Anonymous <anon@anon.efga.org>
Date: Wed, 8 Oct 1997 15:29:37 +0800
To: cypherpunks@cyberpass.net
Subject: What's really in PGP 5.5?
Message-ID: <36e200bba528c46e3694521079832b77@anon.efga.org>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

Jon Callas wrote:
>I have a number of comments about the New York Times article on PGP
>5.5 for Business of which Martin Minow sent a synopsis.

>If we had built what they said we had, then we'd deserve of all the
>derision people have directed at us. But we didn't. The New York
>Times got it flat wrong.

In your long message I was unable to locate an area in which the New
York Times "got it flat wrong".  If anything, your post was more
alarming than the newspaper article.

>This downside is particularly insidious for a number of
>reasons. First, without fixing that problem, strong cryptography will
>be in some sort of limbo. You want to use it to protect your valuable
>information, but you won't want to use it for any information that's
>*too* valuable, because it's easily lost. Crypto-protected
>information is fragile, and this fragility could hurt its widespread
>deployment.

What you call "fragility" is properly called "security".  Would you
describe 128-bit keys as more "fragile" than 40-bit keys?  Why is PGP,
Inc. inventing propaganda terms for the authorities?

>Data recovery is useful for a number of things. Perhaps you lost your
>passphrase. Or data might have been encrypted by an employee or co
>worker who was in an accident. (As an aside, fifteen years ago, the
>architect of a product I worked on was in a severe car wreck. He was
>not killed, but suffered brain damage and has never returned to
>work.) Your spouse might need access to financial records. Everyone,
>be they an individual, business, or coporation has a right to having
>their data protected, and protection not only means being able to put
>it into a safe, but getting it out of that safe later.

It is fascinating to me that every example you use does not involve
decrypting transmitted messages.  Yet, that is the feature which is
under discussion.

The demand for the ability to decrypt encrypted messages in the
corporate environment can easily be measured with this test: how many
companies have a policy that requires employees to record all outgoing
mail?

>(6) It must also provide a response to those who would regulate
>crypto in the name of public safety.

This is a red herring.  Nobody has been talking about regulating
cryptography as a matter of public safety in a serious way.  Why is
PGP, Inc. posing non-threats to justify its actions?  Probably because
its actual, all too obvious, motivations are unpalatable to the
cypherpunks and probably to most of its customers and supporters.

They are not unpalatable to Big Brother, however.

I suggest that in the future we do not meet at the PGP, Inc.
headquarters and that we do not treat this company as a trustworthy
ally.

Monty Cantsin
Editor in Chief
Smile Magazine
http://www.neoism.org/squares/smile_index.html
http://www.neoism.org/squares/cantsin_10.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBNDsgSpaWtjSmRH/5AQG/pwf+LBO0ynwGeLLJipuWTIfoE9n7xvBJeXD4
od4Q7NYMZl/UfbudynBHMKGI0/xrhVhC1lmJlXXu+/mbBK2K1H0X9EMILQqpxhM4
RJd5ndR1BI0dpoRZX4+6PRq2mRi3lspvvXp3UkL4bKR8MpCqVJNcpluunMtBgIzh
WoxXjw2GzVnbPiWoHhS/TIdQNSvubBCYBsje5rOKc71yQj86ymUzKLovX6O7j/dD
eIjlJZTuP+AemEyG6FD5dyXQV7qdcxKwDG9G4ka813NHl88LU0Nc1JcM4aPATgfh
4cZhgppUvZqSGwd0QpxYb/OduE/adCuqmyrubMumc3SqTKRjPdLyBA==
=f9J+
-----END PGP SIGNATURE-----