1997-10-24 - Re: PGP, Inc.--What were they thinking?

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: hallam@ai.mit.edu
Message Hash: d148af9808afd6e0a49d0be2a6901766c76d6f68f5174976b8a655deffd8f0c1
Message ID: <199710241232.NAA01339@server.test.net>
Reply To: <01bcdf5a$4a2d3a60$06060606@russell>
UTC Datetime: 1997-10-24 15:44:02 UTC
Raw Date: Fri, 24 Oct 1997 23:44:02 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 24 Oct 1997 23:44:02 +0800
To: hallam@ai.mit.edu
Subject: Re: PGP, Inc.--What were they thinking?
In-Reply-To: <01bcdf5a$4a2d3a60$06060606@russell>
Message-ID: <199710241232.NAA01339@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain

Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
> I can understand the pressures on PGP to support key escrow. 

There is reasonable justification for key escrow, or recovery features
for _stored_ encrypted information.  The rate at which people forget
passwords alone suggests that this would be a good idea.

However the PGP design does much more than that: it allows third and
fourth parties to decrypt messages in transit.

> The problem with PGP's move is that it is the first significant
> break by the Internet software provider community. This will make it
> much easier for Netscape or Microsoft to cave in.

I think they could have implemented recovery of stored encrypted
files, and of saved email archives more easily without including
recovery information over the wire.  It's a security risk to send
recovery encrypted info over the wire encrypted to long term public
keys.

> It will also build the pressure on them.
> I wonder what would happen to Bill's problem with the DoJ if he had a sudden
> change of heart. Somehow I don't see Netscape and Microsoft holding the line
> on GAK if PGP are happily exporting their product and grabbing market share.
> 
> I really did not expect Phil Zimmermann to be the first to blink.

Me either.

> I also don't understand it from the corporate perspective. PGP may be
> picking up some business in the corporate market but at the cost of
> alienating a significant part of the hacker community which has been his
> best supporter up till now. I would think his best strategy would have been
> to build on this customer base rather than sell it out at the first
> opportunity.

He could have built storage escrow with much less argument; almost no
argument in comparison I would expect.

> If Phil Z. wants to get into the Enterprise market he is going to have to
> start speaking their language. Most companies today are looking for open
> standards. PGP may have been the de facto security solution three years ago
> but the reality today is several million copies of Communicator and Explorer
> with S/MIME built in. 

The obvious thing I think is for PGP to build systems which can
automatically interoperate with either.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
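The stored-data versus in-transit distinction Adam draws above, as an added toy model that is not code from the thread or from PGP, Inc.: public-key wrapping of the session key is stood in for by symmetric key-encryption keys (the asymmetric details are not what the argument turns on), and every key and message is constructed sample data. The model shows that with recovery information sent over the wire a recovery agent can read captured traffic, while storage-side recovery lets the same agent recover the archived copy without ever being able to read what crossed the wire.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style stream built from HMAC-SHA256; toy construction only, used for
    # both bulk encryption and key wrapping so the model has no dependencies.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_message(plaintext: bytes, wrap_keys: dict) -> dict:
    # One session key, wrapped once per holder (like PGP's per-recipient
    # session-key packets). 'wrap_keys' maps holder name -> that holder's key.
    session_key, nonce = os.urandom(32), os.urandom(16)
    return {
        "nonce": nonce,
        "body": keystream_xor(session_key, nonce, plaintext),
        "wrapped": {n: keystream_xor(k, nonce, session_key) for n, k in wrap_keys.items()},
    }

def decrypt_message(packet: dict, name: str, key: bytes):
    # Returns None when the packet carries no session-key wrap for this holder.
    if name not in packet["wrapped"]:
        return None
    session_key = keystream_xor(key, packet["nonce"], packet["wrapped"][name])
    return keystream_xor(session_key, packet["nonce"], packet["body"])

def archive_with_recovery(packet, name, key, recovery_name, recovery_key) -> dict:
    # Storage-side recovery: the recipient re-wraps the session key under a
    # local recovery key *after* receipt; nothing extra ever crossed the wire.
    session_key = keystream_xor(key, packet["nonce"], packet["wrapped"][name])
    stored = dict(packet, wrapped=dict(packet["wrapped"]))
    stored["wrapped"][recovery_name] = keystream_xor(recovery_key, packet["nonce"], session_key)
    return stored

def compare_designs() -> dict:
    bob, agent = os.urandom(32), os.urandom(32)   # constructed sample keys
    msg = b"constructed sample message"
    # Design 1 (recovery over the wire): the sender adds a recovery-agent wrap.
    wire1 = encrypt_message(msg, {"bob": bob, "agent": agent})
    # Design 2 (storage-side recovery): only Bob's wrap is on the wire; the
    # recovery wrap is added when Bob files the message in his archive.
    wire2 = encrypt_message(msg, {"bob": bob})
    archive2 = archive_with_recovery(wire2, "bob", bob, "agent", agent)
    return {
        "wire_design_agent_reads_transit": decrypt_message(wire1, "agent", agent) == msg,
        "storage_design_agent_reads_transit": decrypt_message(wire2, "agent", agent) == msg,
        "storage_design_agent_reads_archive": decrypt_message(archive2, "agent", agent) == msg,
        "bob_reads_both": decrypt_message(wire1, "bob", bob) == msg and decrypt_message(wire2, "bob", bob) == msg,
    }
```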
