 
A PGP Employee wrote:
Unfortunately these people just don't get it. Corporations refused to buy 5.0 because it did not have any way for the corps to get at email encrypted to their employees. There are some very legitimate uses of this, such as when an employee dies and someone else has to take over for them.
No, PGP Inc 'just don't get it'. I'm sure that there are plenty of people out there who disagree with the entire concept of CMR, and I'm not very happy with it myself. But that's not the most important issue here. Since this point just doesn't seem to get through to PGP Inc employees, I'm going to shout. FORCING ENCRYPTION TO MULTIPLE KEYS FOR ONE RECIPIENT IS ONE STEP AWAY FROM GAK. FORCING ENCRYPTION TO MULTIPLE KEYS FOR ONE RECIPIENT IS ONE STEP AWAY FROM GAK! FORCING ENCRYPTION TO MULTIPLE KEYS FOR ONE RECIPIENT IS ONE STEP AWAY FROM GAK!! FORCING ENCRYPTION TO MULTIPLE KEYS FOR ONE RECIPIENT IS ONE STEP AWAY FROM GAK!! !!!*FORCING ENCRYPTION TO MULTIPLE KEYS FOR ONE RECIPIENT IS ONE STEP AWAY FROM GAK*!!! Is that clear enough? Do you understand what I (and, apparently, Adam Back and others) am saying now? The problem is not so much with the fact that you're supporting company needs, but with the way you're doing so.
They also don't seem to realize that you always have the ability to remove the MRK from your list of recipients.
Just as government-supported rating schemes are purely voluntary and will be so for, oh, I don't know, a couple of years? Once the infrastructure is there, we need only an executive order to make it mandatory. If this software ships in its current form and becomes the dominant player in the market, in four or five years all keys will be GMR keys with the FBI or NSA as one mandatory recipient. You 'privacy zealots' will have created the government's surveillance infrastructure. I hope you'll feel proud.
Sometimes I really feel like screaming at these people. _All_ of the developers at PGP are personal privacy zealots and no one likes the idea of the MRK.
Good. Then reimplement it to avoid giving the government a GAK/GMR infrastructure. Yesterday I posted a modified version of PGP's CMR to the cypherpunks list which can't be used for GAK because it only encrypts to one key; Jon Callas just told me I'd 'redesigned PGP 5.5'. Cool. I've redesigned PGP 5.5 so that it can't support GAK; in that case, please implement it, or accept that you're deliberately choosing to support the thugs in governments around the world and have become part of the problem.
That is why we refuse to make them required.
Just 'mandatory voluntary' for companies which have your SMTP enforcer enabled. What's the difference?
Most everyone at PGP has internalized personal privacy as a cause (actually most had it before they joined PGP).
So prove it. Stop working on creating a GMR/GAK infrastructure. The current PGP CMR system has numerous problems which many people have pointed out on the cypherpunks list, and you'd do better to solve those problems rather than see them in a major New York Times article about '101 Ways PGP 5.5 Harms Company Security'. How long will PGP Inc last when its reputation for providing secure products is in tatters, because it chose to release a product which deliberately reduced company security and opened them to new threats, rather than redesign their CMR to remove these problems? The current CMR implementation is bad for us, bad for PGP Inc's commercial customers, and bad for PGP Inc. Why is this so hard for you to accept? Why ship a bad product when you can fix the problems?
Mark