1997-10-21 - PGP, CMR, and OpenPGP

Header Data

From: Fisher Mark <FisherM@exch1.indy.tce.com>
To: "'cypherpunks'" <cypherpunks@cyberpass.net>
Message Hash: ffc411150dd0b52e7698fcb5d77fe6eaa7741d89b6c913dee5b6bb716d87896a
Message ID: <2328C77FF9F2D011AE970000F84104A74933C1@indyexch_fddi.indy.tce.com>
Reply To: N/A
UTC Datetime: 1997-10-21 17:52:21 UTC
Raw Date: Wed, 22 Oct 1997 01:52:21 +0800

Raw message

From: Fisher Mark <FisherM@exch1.indy.tce.com>
Date: Wed, 22 Oct 1997 01:52:21 +0800
To: "'cypherpunks'" <cypherpunks@cyberpass.net>
Subject: PGP, CMR, and OpenPGP
Message-ID: <2328C77FF9F2D011AE970000F84104A74933C1@indyexch_fddi.indy.tce.com>
MIME-Version: 1.0
Content-Type: text/plain

As a Corporate Security Officer, I personally would prefer a solution
like Adam Back's CDR that leaves the copy of the corporate data on the
user's hard drive to the current PGP CMR.  As long as the email data
didn't need to be encrypted during local storage (i.e. encrypted against
the possibility of industrial espionage), I wouldn't care whether the
copy of the corporate data was encrypted -- actually it would be a lot
easier to leave it in plain text (as I think Tim May suggested).  (A
single file in Unix mail(1) file format would make a nice
auditing/reporting tool, so you could remember what you had sent to whom
all in one place.)

Corporate keys as in PGP CMR just mean another key to manage that
provides a single point of weakness in the company's security
architecture.  Without forcing everyone to run on a secure OS on
hardware they can't directly access (i.e. no desktop computers), any
additional security provided by a CMR system (as in providing
unalterable records of encrypted email that was sent) can be easily
bypassed.

OpenPGP, meanwhile, should work on non-GAK/CAK solutions, while PGP Inc.
should come up with a new product name (like 'BizSecure' only less
whimsical) for its line of corporate encryption programs.  (It might
even be better business for PGP to set up a wholly-owned subsidiary,
whose name does not even incorporate the term 'PGP' or its derivatives,
for marketing such products, as those products would not be tainted by
the personal privacy reputation of the name 'PGP'.)  'BizSecure' and its
kindred would then interoperate with OpenPGP standards only to the
extent of the common non-GAK/CAK functionality of the two systems.
==========================================================
Mark Leighton Fisher          Thomson Consumer Electronics
fisherm@indy.tce.com          Indianapolis, IN
"Their walls are built of cannon balls, their motto is 'Don't Tread on
Me'"
