
On Thu, 7 Nov 1996, William H. Geiger III wrote:
> Does anyone know if you can purchase a commercial license from ViaCrypt/PGP Inc. but use the standard PGP for commercial purposes?

Yes, that's one way of doing it. Phil's mentioned this in his PGP doc, as I recall. He says, <paraphrase> "if you use it commercially, you have to make certain I make a buck off this - either send me one, or buy a license from ViaCrypt."

However, you should also know that PGP Inc. (formerly called ViaCrypt) sells *TWO* versions of the software. The PE (or personal edition) doesn't have the "master key" feature. If you don't want to use the encrypted file recovery, then don't order the software that has it.

In the BE (business edition), there's an option to force Big Brother into every recipient list. This means that the boss can put him/herself onto the list of "encrypt to whom" whether you want him/her there or not. Also, the BE recognizes some nuances in keys that the freeware doesn't: You can have "sign only" and "encrypt only" keys. Thus, you can give everyone a PGP key for digital signature (because, let's say, you want those powerful non-repudiation capabilities), but if it's a sign-only key, they can't encrypt anything with it.

I'm also confident that these "features" are very hackable. Someone could easily tweak the copy of the public key for Big Brother so it encrypts to something for which nobody (who can be found) holds the other half of the key pair. I'm sure there are some check digits, but I also know that it's going to be damn hard, with software sitting on my disk on my PC, for you to keep me locked out of it for very long. I'm sure that Cypherpunks could contribute something valuable in creating the "Hacking PGP 4.0 Business Edition FAQ." Anyone for a little R&D?

The purpose (as it's been explained to me by PGP Inc.) for the BE/PE changes was to increase the *CHOICES* that PGP users were being given - not to change PGP into something with key escrow. (The secret keys still are secret - there is no escrow).

Everyone knows full well that there are many companies who won't ever touch PGP unless it's equipped with some "fail safe" that permits them to enforce their INFOSEC policy. Recovering files that were encrypted by people who have forgotten their pass phrases is in line with most corporate policies.

Bottom line: Buy the version you want. If you don't like the BE features, then don't pay for them or use them.

-------------------------------------------------------------------------
|It's a small world and it smells bad     |        Mark Aldrich         |
|I'd buy another if I had                 |   GRCI INFOSEC Engineering  |
|Back                                     |      maldrich@grci.com      |
|What I paid                              | MAldrich@dockmaster.ncsc.mil|
|For another mother****er in a motorcade  |Quote from "Sisters of Mercy"|
|_______________________________________________________________________|
|The author is PGP Empowered.  Public key at:  finger maldrich@grci.com |
|    The opinions expressed herein are strictly those of the author     |
|         and my employer gets no credit for them whatsoever.           |
-------------------------------------------------------------------------