1997-10-17 - Re: what can we do about PGP sell out and CMR?

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: anon@anon.efga.org
Message Hash: c3e88374135ca3258ec8c44804bd34807e194cb19dd65ae63bae5e58d224d947
Message ID: <199710172045.VAA02847@server.test.net>
Reply To: <eca9fd16c885a0317a288f74def63dc8@anon.efga.org>
UTC Datetime: 1997-10-17 22:59:47 UTC
Raw Date: Sat, 18 Oct 1997 06:59:47 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sat, 18 Oct 1997 06:59:47 +0800
To: anon@anon.efga.org
Subject: Re: what can we do about PGP sell out and CMR?
In-Reply-To: <eca9fd16c885a0317a288f74def63dc8@anon.efga.org>
Message-ID: <199710172045.VAA02847@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Anonymous writes:
> You've got a lot of nerve accusing PGP, Inc. of being "sellouts" when
> you're over on open-pgp pushing KEY ESCROW, of all things.  I can see it
> now, the new product name, "PGP with Key Escrow".  Motto: "Lose your key?
> Don't worry, we've got a copy."  Do you really think cypherpunks are
> going to support key escrow?  Fat chance.

I take your comments to be directed at my Corporate Data Recovery
(CDR) proposal which I presented as a more GAK resistant alternative
than PGP Inc's Corporate Message Recovery (CMR) proposal.

Data recovery is less dangerous than communications recovery.

Why?

Scenario #1 (comms recovery): government mandates everyone gives them
comms recovery key (CMR key).  Government can key word scan all your
messages in real time.  If you are non-technical and don't know to
hack around it you either comply or are caught out, and suffer penalty
for breaking law.

Scenario #2 (data recovery): government mandates everyone gives them
data recovery key (CDR key).  If government raids your offices or
home, they can recover your plaintext.  If they do not raid your home
they can not.  Raiding homes is expensive.  They can't raid all homes
because they do not have the money.  Also, they can't check whether
you are using GAK software -- until they raid you they won't know.
When they raid you you are likely in trouble anyway, so you may as
well not use GAK software if you figure you are likely to be raided.

Therefore GAK on data doesn't work as well, and doesn't as much affect
the balance of power between citizens and governments as GAK on
communications does.

Can you see flaws in this reasoning?

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






Thread