1997-10-24 - Re: PGP Employee on MKR

Header Data

From: “William H. Geiger III” <whgiii@invweb.net>
To: mark@unicorn.com
Message Hash: b98e8edcf5ed9514035ffe92e9e69b624244ebdd28d37b47f4d646192a01404d
Message ID: <199710242142.RAA11252@users.invweb.net>
Reply To: <877714803.13910.193.133.230.33@unicorn.com>
UTC Datetime: 1997-10-24 21:52:05 UTC
Raw Date: Sat, 25 Oct 1997 05:52:05 +0800

Raw message

From: "William H. Geiger III" <whgiii@invweb.net>
Date: Sat, 25 Oct 1997 05:52:05 +0800
To: mark@unicorn.com
Subject: Re: PGP Employee on MKR
In-Reply-To: <877714803.13910.193.133.230.33@unicorn.com>
Message-ID: <199710242142.RAA11252@users.invweb.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

In <877714803.13910.193.133.230.33@unicorn.com>, on 10/24/97 
   at 10:40 AM, mark@unicorn.com said:

>whgiii@invweb.net wrote:

>> There is a simple solution to that: don't work for one if you don't like
>> their policies.

>I agree; that's why I don't. But I see an inconsistency here. PGP keep
>telling us that CMR isn't so bad because you can work around it, or
>superencrypt, or otherwise avoid the company's right to snoop on all
>communications. Yet you, who believe in this right, support CMR, which
>can be used to defeat that right, over simple escrow of employee's 
>corporate communication keys. Why?

>Again, I'm not saying that the companies have no such right. Personally
>I'd rather escrow my corporate key than see widespread CMR in its current
>form.

Well, I don't see an inconsistency. :)

1st: Any security system can be circumvented. CMR can be circumvented, Key
Escrow can be circumvented, GAK can be circumvented ...

2nd: Just because I assert that one has a right to do something doesn't
mean that I *like* it. You can scratch your ass and pick your nose while
walking down the street, I don't like it but I am not going to stop you
from doing it. I am sure that the Jews in the ACLU who defended the Nazis'
right to march in Skokie, IL didn't like what they had to say but were
willing to defend their right to say it.

3rd: I never said I liked CMR or that I thought it was the best solution.
What I do believe is that it was the best solution available at the time. They
were able to provide a "solution" for their customers in a timely fashion
with little modification to their existing codebase. This was a
migration path for their customers from Viacrypt 4.0. One of the things
they needed to get some customers away from was key escrow. Remember now
Viacrypt is RSA, signing & decryption are the same key. Escrowing these
keys is a BadThing(TM). Sure eventually they will migrate to the DSS/DH
keys but as I am sure you are aware change is a slow thing in a corporate
environment.

4th: I most definitely do not believe that CMR=GAK or is anywhere close to
it. The sky is not falling, Chicken Little, it's only rain :)

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

-----END PGP SIGNATURE-----
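
The third point in the message above rests on RSA using one key for both signing and decryption, so an escrowed copy can do both. The Python sketch below is an added illustration, not part of the original message and not PGP or Viacrypt code. It assumes toy textbook RSA over constructed primes and models the DSS/DH split as two separate RSA key pairs.

```python
import hashlib

# Toy textbook RSA (no padding) over constructed Mersenne primes; illustration only.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n, e):
    return pow(sig, e, n) == digest(msg, n)

def escrow_holder_can(escrowed, enc_pub, sig_pub):
    """What a party holding only `escrowed` (n, d) can do against the
    employee's published encryption and signature-verification keys."""
    n, d = escrowed
    session_key = 0x5EC2E7  # constructed sample plaintext
    ct = pow(session_key, enc_pub["e"], enc_pub["n"])
    note = b"I approve this transfer"  # constructed message the employee never signed
    forged = sign(note, n, d)
    return {
        "read_mail": pow(ct, d, n) == session_key,
        "forge_signature": verify(note, forged, sig_pub["n"], sig_pub["e"]),
    }

# Case 1: one RSA key pair for both roles (the Viacrypt situation in the message).
single = make_key(2**31 - 1, 2**61 - 1)
single_key_result = escrow_holder_can((single["n"], single["d"]), single, single)

# Case 2: separate key pairs (assumed model of the split); only the encryption key is escrowed.
enc = make_key(2**31 - 1, 2**61 - 1)
sig = make_key(2**89 - 1, 2**107 - 1)
split_key_result = escrow_holder_can((enc["n"], enc["d"]), enc, sig)

if __name__ == "__main__":
    print("single key escrowed:", single_key_result)
    print("split keys, encryption key escrowed:", split_key_result)
```

With a single key the escrow holder can both read mail and produce signatures that verify as the employee's; with split keys the escrowed encryption key recovers mail only.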





