1997-10-09 - Re: What’s really in PGP 5.5?

Header Data

From: “James A. Donald” <jamesd@echeque.com>
To: Jon Callas <minow@apple.com
Message Hash: 25866d3eb41f2adc825030cbec9c1792f46a306665364df184447a26f2e1c44a
Message ID: <199710092259.PAA13153@proxy3.ba.best.com>
Reply To: N/A
UTC Datetime: 1997-10-09 23:13:15 UTC
Raw Date: Fri, 10 Oct 1997 07:13:15 +0800

Raw message

From: "James A. Donald" <jamesd@echeque.com>
Date: Fri, 10 Oct 1997 07:13:15 +0800
To: Jon Callas <minow@apple.com
Subject: Re: What's really in PGP 5.5?
Message-ID: <199710092259.PAA13153@proxy3.ba.best.com>
MIME-Version: 1.0
Content-Type: text/plain



At 02:27 PM 10/7/97 -0700, Jon Callas wrote:
[Explaining PGP's rather alarming "data recovery" features.]
> Well, that's mostly all it is. There are other bits of the system. For
> example, if I look up Alice's key on a key server and Alice has a recovery
> key, I get Alice's recovery key, too. If Alice's recovery key is a "please
> use" key, then I can encrypt to Alice alone. In any case, the PGP software
> tells me that Alice has a recovery key, so I can decide to use some other
> mechanism to talk to her.

Sending a copy to the boss of everything Alice sends is OK.

If Alice wants to send something her boss should not read, perhaps she
should use her private account, rather than a company paid account.

Sending a copy of everything Alice receives to the boss or HR is not OK.

Alice should get to control it.

It would be acceptable for the company system to keep track of what
Alice has received, and flag "Alice received something, and has not
yet filed the cleartext copy with us".

It is not acceptable to just plain snoop on what Alice receives.

> Note that design satisfies the opt-in and fair-warning requirements. Also,
> since Alice's recovery key is an attribute of her self-signature, she can
> change it. She can even have a second user name (let's call it Bob), that
> has no recovery key.

Alice needs finer granularity of control.  The leakage to her boss primarily
affects her, rather than the sender.

Furthermore, any auto-snoop feature sets a very dangerous precedent.

It is politically a lot more difficult for the FBI to mandate that they
can recover your data, if such a mandate leads to the message flashing up, 
"now sending a copy to the FBI" every time you decrypt something.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd@echeque.com
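A small model of the two designs argued over above: the sender-side decision Jon describes (recovery key as an attribute of a user ID's self-signature, "please use" versus enforced, fair warning to the sender, a second user ID without one) and the receiver-side "received but not yet filed" tracker James proposes instead. This is an added illustration, not PGP's code; the key record, key ids and user ID names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RecoveryKey:
    key_id: str
    enforced: bool = False  # False = "please use" key; True = software insists on it

@dataclass
class UserID:
    name: str
    # Attribute of this user ID's self-signature: the owner can change it, or keep a
    # second user ID ("Bob") that carries no recovery key at all.
    recovery: Optional[RecoveryKey] = None

@dataclass
class PublicKey:
    key_id: str
    user_ids: List[UserID]

def plan_encryption(key: PublicKey, user_id: str,
                    sender_accepts_recovery: bool) -> Tuple[List[str], Optional[str]]:
    """Sender side as the quoted design describes it.

    Returns (recipient key ids, notice). The notice is the fair-warning text
    shown to the sender whenever a recovery key is attached, else None.
    """
    uid = next(u for u in key.user_ids if u.name == user_id)
    if uid.recovery is None:
        return [key.key_id], None
    rk = uid.recovery
    if rk.enforced or sender_accepts_recovery:
        return [key.key_id, rk.key_id], f"{user_id} has recovery key {rk.key_id}; copy encrypted to it"
    # "please use" key and the sender declined: encrypt to the user alone, still warned
    return [key.key_id], f"{user_id} has please-use recovery key {rk.key_id}; not used"

def unfiled_receipts(received: set, filed: set) -> List[str]:
    """Receiver-side alternative from the reply: the company records what was
    received and flags items whose cleartext has not been filed with it, rather
    than decrypting anything itself."""
    return sorted(received - filed)

# Constructed sample key: "Alice" carries a please-use recovery key, "Bob" carries none.
ALICE = PublicKey("ALICE01", [UserID("Alice", RecoveryKey("HR-KEY01")), UserID("Bob")])

if __name__ == "__main__":
    print(plan_encryption(ALICE, "Alice", sender_accepts_recovery=False))
    print(plan_encryption(ALICE, "Bob", sender_accepts_recovery=True))
    print(unfiled_receipts({"msg1", "msg2", "msg3"}, {"msg2"}))
```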
