1997-11-05 - Re: PGP and Compliance with SEC and Liability Rules

Header Data

From: Tim May <tcmay@got.net>
To: Adam Back <mark@unicorn.com
Message Hash: db954f8b45e037a30db64e99d639bd2f3edfb1bc4d4c23319dc74b992f36f1e9
Message ID: <v03102800b08646cbca3f@[207.167.93.63]>
Reply To: <878730951.18011.193.133.230.33@unicorn.com>
UTC Datetime: 1997-11-05 17:05:53 UTC
Raw Date: Thu, 6 Nov 1997 01:05:53 +0800

Raw message

From: Tim May <tcmay@got.net>
Date: Thu, 6 Nov 1997 01:05:53 +0800
To: Adam Back <mark@unicorn.com
Subject: Re: PGP and Compliance with SEC and Liability Rules
In-Reply-To: <878730951.18011.193.133.230.33@unicorn.com>
Message-ID: <v03102800b08646cbca3f@[207.167.93.63]>
MIME-Version: 1.0
Content-Type: text/plain



At 6:31 AM -0700 11/5/97, Adam Back wrote:
>Mark Grant <mark@unicorn.com> writes:
>> Tim May quoted from macweek:
>> >"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent
>> >allows corporatins for the first time to centralize control over
>> >encryption: "For encryption to be accepted, IT had to gain control. This
>> >isn't Big Brother; this is necessary to comply with liability laws and SEC
>> >regulations.""
>>
>> However, this doesn't seem to work, unless I'm mistaken about CMR
>> enforcement and the SEC regulations. CMR will only allow the snoops
>> to read incoming email, not outgoing, and hence if Joe Blow at
>> Foo-Bah.com wants to send me some handy insider trading tips CMR will
>> not stop them. So this seems to be another justification for CMR
>> which just doesn't make sense.
>

CMR and the Policy Management Agent can (and presumably will) be set to
scrutizine _all_  mail for "policy violations," outgoing as well as
incoming mail.  The PGP page has some descriptions of their products.


>I think that there is also a facility in the pgp5.5 for business
>client to add yet another recipient: the sending companies snoop key.
>
>I also got the impression that the policy enforcer could be set up to
>bounce mail internally which did not have this extra recipient.


Indeed, the Policy Management Agent enforces certain criteria, including
CMR, across _internal_ as well as external networks. "PGP(r) Policy
Management Agent for SMTP helps to protect an organization's vital
information by enforcing corporate security policies for email
communications across internal and external networks." (fromwww.pgp.com).

In more detail:

:"PGP Policy Management Agent works with standard SMTP mail servers,
intercepting and checking email to ensure that it conforms with desired
security
policies. A typical policy established for encryption software, for
example, is that
encrypted email must also be encrypted to a corporate message recovery key
to enable data recovery. Email that adheres to the policy is automatically
routed to the
 intended recipient. Email that fails to adhere to any of the established
policies is
 rejected by the server and sent back to the client with a configurable
SMTP error
 message, depending upon the policy failure. "

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."








Thread