1997-10-27 - Re: Technical Description of PGP 5.5

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: kent@bywater.songbird.com
Message Hash: bc2b8959dfed7f736b62969d2b5da1ab9681b91b427e774b3fe1328d0c17f073
Message ID: <199710271820.SAA02733@server.test.net>
Reply To: <19971027063955.64669@bywater.songbird.com>
UTC Datetime: 1997-10-27 18:34:46 UTC
Raw Date: Tue, 28 Oct 1997 02:34:46 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Tue, 28 Oct 1997 02:34:46 +0800
To: kent@bywater.songbird.com
Subject: Re: Technical Description of PGP 5.5
In-Reply-To: <19971027063955.64669@bywater.songbird.com>
Message-ID: <199710271820.SAA02733@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain

Kent Crispin <kent@bywater.songbird.com> writes:
> Given the frequency of "I've forgotten my password" incidents at
> company help desks, widespread use of cryptography would cause this to
> become *the* prime cause of lost data.

pgp5.5 doesn't cope with this very well -- it requires all of the
stored emails to be decrypted by the holder of the recovery key and
re-encrypted to the user's new key.  Same thing for tape archives,
write once CD archives, etc., etc.

Password memory lapses are likely to be the major problem.

It would suggest that smart cards might be a valuable ergonomics
investment.  I understand dumb card readers are dirt cheap (~$10 in
volume) and can be plugged inline into keyboard cables.  Reckon you
could swallow the cost in the product price even ($159 or whatever the
business edition is).

> The physical mail analogy to PGP's implementation of CMR is as 
> follows:  Company policy is that it does not accept private pmail for 
> individuals.  All mail for individuals must be addressed
> 
> XYZ Company
> attn: Indi Vidual
> Address1
> Address2
> 
> Mail addressed like this:
> 
> Indi Vidual
> Address1
> Address2
> 
> will be returned, because the company doesn't accept private mail.  
> Company mail is to be used for company business.  You don't receive 
> Playboy at work, you receive it at home.

Reasonable analogy of what's going on wrt strictly company use
addresses, and with companies which may allow private use addresses.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
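The lost-passphrase procedure the message above describes, as an added example that is neither Adam Back's code nor anything from PGP 5.5: each mail is encrypted once under a session key, the session key is wrapped to the recipient and to the corporate recovery key (the CMR arrangement), and after the user forgets the passphrase the recovery-key holder decrypts every archived message and re-encrypts it to the replacement key. Textbook RSA over small constructed primes and a SHA-256 counter keystream are assumed stand-ins for PGP's real public-key and symmetric ciphers; the key names, message texts and helper functions are constructed for the example and nothing here is secure or interoperable with PGP.

```python
# Added example (not PGP 5.5 code): a toy model of corporate message
# recovery (CMR) and of the rebuild-the-archive step a forgotten passphrase
# forces.  Textbook RSA with tiny constructed primes and a SHA-256 keystream
# stand in for PGP's real ciphers; nothing here is secure.
import hashlib
import hmac
import os

SESSION_KEY_LEN = 6  # 48-bit session key, small enough for the toy moduli


def make_keypair(p, q, e=65537):
    """Textbook RSA keypair from two constructed primes (insecure sizes)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)  # (public, private)


def rsa_wrap(pub, session_key):
    e, n = pub
    m = int.from_bytes(session_key, "big")
    assert m < n
    return pow(m, e, n)


def rsa_unwrap(priv, wrapped):
    d, n = priv
    m = pow(wrapped, d, n)
    if m >= 1 << (8 * SESSION_KEY_LEN):
        raise ValueError("wrong key: unwrapped value is not a session key")
    return m.to_bytes(SESSION_KEY_LEN, "big")


def keystream(session_key, length):
    """Stand-in symmetric cipher: SHA-256 in counter mode (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_message(plaintext, recipients):
    """Encrypt once under a session key and wrap that key to every recipient.
    CMR simply adds the corporate recovery key to `recipients`."""
    session_key = os.urandom(SESSION_KEY_LEN)
    body = xor(plaintext, keystream(session_key, len(plaintext)))
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    wrapped = {name: rsa_wrap(pub, session_key) for name, pub in recipients.items()}
    return {"wrapped": wrapped, "body": body, "tag": tag}


def decrypt_message(msg, name, priv):
    session_key = rsa_unwrap(priv, msg["wrapped"][name])
    expected = hmac.new(session_key, msg["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("wrong key: integrity check failed")
    return xor(msg["body"], keystream(session_key, len(msg["body"])))


def reencrypt_archive(archive, recovery_priv, new_user_pub, recovery_pub):
    """The procedure the message describes: the recovery-key holder decrypts
    every stored message and re-encrypts it to the user's new key (and to
    the recovery key again).  Every plaintext passes through that holder."""
    new_keys = {"user": new_user_pub, "recovery": recovery_pub}
    return [encrypt_message(decrypt_message(m, "recovery", recovery_priv), new_keys)
            for m in archive]


def demo():
    # Constructed keys: the user's original key, the corporate recovery key,
    # and the replacement key issued once the passphrase is forgotten.
    user_pub, user_priv = make_keypair(1000000007, 998244353)
    recov_pub, recov_priv = make_keypair(1000000009, 2147483647)
    new_pub, new_priv = make_keypair(469762049, 754974721)

    mails = [b"Q3 numbers attached", b"lunch?", b"the key escrow draft"]
    archive = [encrypt_message(m, {"user": user_pub, "recovery": recov_pub}) for m in mails]
    assert [decrypt_message(m, "user", user_priv) for m in archive] == mails

    # user_priv is now unusable (forgotten passphrase): rebuild the archive.
    rebuilt = reencrypt_archive(archive, recov_priv, new_pub, recov_pub)
    restored = [decrypt_message(m, "user", new_priv) for m in rebuilt]

    try:  # the old key no longer opens the rebuilt archive
        decrypt_message(rebuilt[0], "user", user_priv)
        old_key_works = True
    except ValueError:
        old_key_works = False
    return {"restored": restored, "old_key_works": old_key_works,
            "messages_touched": len(rebuilt)}
```

Run `demo()` to see the three stages: the per-message wrap to both keys, the recovery holder walking the whole archive (`messages_touched` equals the archive size, which is the cost the message complains about for mail stores, tapes and write-once media alike), and the old key failing its integrity check afterwards.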
