1997-10-24 - Re: PGP, Inc.–What were they thinking?

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: kent@bywater.songbird.com
Message Hash: a1b7277b178e75441f29604922048c7276128eb59989d27eb0d955ea59f6126a
Message ID: <199710241342.OAA01491@server.test.net>
Reply To: <19971022174359.10769@bywater.songbird.com>
UTC Datetime: 1997-10-24 15:34:51 UTC
Raw Date: Fri, 24 Oct 1997 23:34:51 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 24 Oct 1997 23:34:51 +0800
To: kent@bywater.songbird.com
Subject: Re: PGP, Inc.--What were they thinking?
In-Reply-To: <19971022174359.10769@bywater.songbird.com>
Message-ID: <199710241342.OAA01491@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Kent Crispin <kent@bywater.songbird.com> writes:
> It may be less obvious, but despite what PGP claims, a significant
> fraction of this demand is for the ability to SNOOP, and not just data
> recovery.  

I was suspicious about this also, the CMR design makes much more sense
if this is the user requirement.  Binding cryptography also would make
sense for this requirement.

But the last time I expressed this suspicion on this list Jon Callas
clearly stated that this was not the case:

Jon Callas <jon@pgp.com> writes:
:    It is possible that
:    there is an unstated perceived user requirement, that the messaging
:    standard be able to allow third party access to the communications
:    traffic directly.
: 
: Nope, that's not what we're arguing for. 

So it would appear that your suspicious are unfounded...

> *All* the debate on this list implicitly takes the employee's side,
> not the management's side, and that is a serious lack.  The
> unpleasant fact is that managers NEED TO BE ABLE TO SNOOP.

Okay!  Some one who is able to say the unpleasant words.  (I think
Lucky may have been hinting at this also).

If this is the case, I reckon it's still better to just escrow their
comms keys locally.  Put them all in the company safe, whatever.  To
go with this kind of a company with this kind of policy, I would
presume that sending or receiving super-encrypted messages would would
be a sackable offense.

However, there is an alternate reason for the CMR design, which you
don't include above (tho' you did I think discuss this earlier):

That PGP Inc thought CMR would be easier to implement within their
plugin API, and dual function crypto (file encryption, and email
encryption), and to cope with things like encrypt-to-self on Cc: to
self to keep copies.

> It is terrible to work for an employer who will snoop, but it is 
> just as terrible to have dishonest employees.  It doesn't take a 
> genius to realize that the existence of dishonest employees is a
> primary motive for management snooping.

Even with snoopware such as you describe, and companies with such
attitudes, there are other similarly easy ways to get data out: user
walks out of building with floppies.  In fact from memory I think this
was one you suggested: "frisbee DAT tape out of window to sweetheart"
or words to that effect.

> Clearly, there are some organizations for which this is more
> important than others -- financial services companies are only the
> most obvious example.

Maybe.  If PGP Inc want to go this far, and design software with these
features, I reckon local key escrow is better.  However that is not
what they are saying.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






Thread