From: Adam Back <aba@dcs.ex.ac.uk>
To: spencer_ante@webmagazine.com
Message Hash: 1d33772f74a334ab866fc6d021169520612a51025851fdb5178b02ff25de189d
Message ID: <199710241357.OAA01507@server.test.net>
Reply To: <88256538.00787D24.00@pcwhub.pcworld.com>
UTC Datetime: 1997-10-24 15:57:04 UTC
Raw Date: Fri, 24 Oct 1997 23:57:04 +0800
From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 24 Oct 1997 23:57:04 +0800
To: spencer_ante@webmagazine.com
Subject: Re: PGP, Inc.--What were they thinking?
In-Reply-To: <88256538.00787D24.00@pcwhub.pcworld.com>
Message-ID: <199710241357.OAA01507@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain
spencer_ante@webmagazine.com writes:
> As a person whose been at work on a very long feature about PGP Inc. for
> Wired, I can tell you that businesses really don't care that much about
> PGP's civil liberties advocacy.
The suits in charge might not, but many of the security or network
people might. Technical advice on which product is best suited for
corporate computer and email security often comes from such people.
> In fact, its rep could hurt as much as help them. The Fortune 500 is
> much more pragmatic: They want solutions that work, that help them
> maintain security for their intellectual property and capital. To
> that extent, PGP 5.5--which enables IS directors to manage a public
> key infrastructure and enforce company-wide security policies-- is a
> step in the right direction.
Hmmm. You can have storage data recovery without allowing third and
fourth parties to read what goes over the wire. Sending recovery info
with the mesage is bad security practice anyway, especially when the
keys are long term keys.
> And one major thing that needs to be pointed out: PGP's key recovery
> system is *voluntary and private*--not mandatory
So was clipper remember? "It's voluntary, read my lips" said the
politicians. Then a few FOIA's later we found out they were planning
for it to be mandatory all along. Freeh is calling for mandatory now,
with comments like "if voluntary doesn't work, we may be seeking
mandatory escrow." It's just a tactic, it's obvious that the
government wants mandatory. Clearly he will argue that it doesn't
work once he gets a "voluntary" system. He'll probably engineer an
example of it not working, if a suitable case doesn't arise by itself
in a timely manner.
> and gov. controlled, which is what the Feds and Louis Freeh have
> been pushing for.
It's not government controlled true.
> One potential positive side effect of PGP 5.5 is that it could
> realign the crypto debate and force people to consider this
> question: Whose back door should netizens be more worried about: Big
> Brother or The Boss?
Big Bro, any day.
But it is not quite that stark because there is a subtly which appears
to be being missed:
governments want real time access to _communications_
Companies want:
availability of _stored data_
disaster recovery procedures for encrypted stored data
(where disaster is sudden death of employee, or employee forgetting
passphrase).
This difference allows you to develop systems which are resistant to
government key grabbing efforts, which at the same time allow
companies disaster recovery plans for encrypted stored data.
PGP's system is too neutral in this respect.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
Return to October 1997
Return to “Tim May <tcmay@got.net>”