1997-10-23 - Re: PGP, Inc.–What were they thinking?

Header Data

From: “Phillip M. Hallam-Baker” <hallam@ai.mit.edu>
To: “Declan McCullagh” <tcmay@got.net>
Message Hash: fd4162c8cbbd4208bf33165db4184d9b71fd7338102d8a2d07f00170028f79d9
Message ID: <01bcdf5a$4a2d3a60$06060606@russell>
Reply To: N/A
UTC Datetime: 1997-10-23 02:54:36 UTC
Raw Date: Thu, 23 Oct 1997 10:54:36 +0800

Raw message

From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
Date: Thu, 23 Oct 1997 10:54:36 +0800
To: "Declan McCullagh" <tcmay@got.net>
Subject: Re: PGP, Inc.--What were they thinking?
Message-ID: <01bcdf5a$4a2d3a60$06060606@russell>
MIME-Version: 1.0
Content-Type: text/plain



I should point out before starting that I now work for Verisign. The
following is personal opinion, however, and may not reflect any corporate policy
that may or may not exist.


I can understand the pressures on PGP to support key escrow. When I designed
the Shen trust system for the Web I allowed for an escrow facility for much
the same reasons that have been cited.

If it was not for the unrelenting pressure from the US government to support
GAK I am sure that commercial escrow would be a checkbox item. The problem
is that as long as the pressure is there any step towards commercial escrow
is also a step towards GAK.

The problem with PGP's move is that it is the first significant break by the
Internet software provider community. This will make it much easier for
Netscape or Microsoft to cave in. It will also build the pressure on them.
I wonder what would happen to Bill's problem with the DoJ if he had a sudden
change of heart. Somehow I don't see Netscape and Microsoft holding the line
on GAK if PGP are happily exporting their product and grabbing market share.

I really did not expect Phil Zimmermann to be the first to blink.

I also don't understand it from the corporate perspective. PGP may be
picking up some business in the corporate market but at the cost of
alienating a significant part of the hacker community which has been his
best supporter up till now. I would think his best strategy would have been
to build on this customer base rather than sell it out at the first
opportunity.

If Phil Z. wants to get into the Enterprise market he is going to have to
start speaking their language. Most companies today are looking for open
standards. PGP may have been the de facto security solution three years ago
but the reality today is several million copies of Communicator and Explorer
with S/MIME built in. If you are prepared to load certs manually for each
person you communicate with you can even use the Web of trust model with
S/MIME. It's easier if you can rely on a CA. I probably don't have to remind
many people on this list that few people make security a priority although
they are prepared to do so if it has little impact on them personally.

I really don't want to get into a standards flamewar, the point I'm making
is that this is a bigger issue in the Enterprise market than key escrow at
this point. Phil claims to have an RSA license, if he wants to go after the
enterprise market he can support S/MIME.


        Phill






