-----BEGIN PGP SIGNED MESSAGE----- There is one all important consideration in this debate: would you rather have PGP, Inc. with its preeminent stature in the defense of freedom, freeware, and privacy as well as an established, TRUSTED product defining THE system which meets the need of the free world business, but is not selling out to GAK or CAK? or, would you rather see IBM, HP, TIS and others with their GAK products and potentially even backdoors? are any of these vendors even planning to give us source code so we might have a warm and fuzzy feeling until someone blows a hole in it 10 years from now? or, how about Bigfoot from the jungles of Redmond? PGP is the *only* small business with a name for the corporate MIS types. the answer is simple; stop arguing, squat, and move. When I initially composed this message it read: now, if the idealists, and the opinionated pragmatists would actually reflect on exactly what Jon Callas said, starting with Locke, instead of what they "think" he said, they might understand the philosophy for data storage and recovery which PGP is proposing versus GAK or CAK which PGP is not proposing. the more vituperative among us can be dismissed out of hand as the issue is less of personal privacy than it is one of reasonable property protection, documentation, and defensible security provisions. Jon Callas generally stated the problems adequately, and the solutions or conventions, in the running duels; unfortunately Jon is on the wrong side in an anarchic forum: as the bear; Jon's protagonists are the dogs, and we all know the results of the bear pit. truth was not a problem per se, just reason. as I think I made clear in my original FOCUS presentation, GAK (or CAK) must be dismissed out of hand. The issue reduces to: by what means is general responsibility accomplished? most ignored my premise, the few attacked for the same reason they always attack: crypto-anarchy, take-no-prisoners, or the only good JAKer [sic -freudian] is a dead one. historically, all of the elements of multi-key encryption with separate keys for signing, transmitting, and archiving have been available options with scripts or program wrappers since PGP burst on the freeware zone in its present incarnation. Meanwhile, the battles raged on with the defiant pragmatism of Adam Back balanced by Bill Gieger's careful affirmation of my premises in my prior FOCUS message response to Jon Callas: there is nothing in PGP 5.5 which can not be done with scripts and PGP 2.6. In fact, I stated my policy: session key and storage key. I had not implemented a separate signature key, but will be limiting my current public key to a signature key; and, creating a new encryption key. a good point, and well taken. other than possibly Bill Gieger, not one of the cypherpunk idealists, nor rationalists, in this thread has ever been required to face the realities of an employer. if they had been or are employers, they would understand all the perqs they presume are freebies or rights, are mere privileges --including personal freedoms not in the interest of the employer during company work periods, on company premises, or representing the company outside the facilities. I empathize with Jon Callas' complaint about the blues, and his plaintive "wanna trade" comment to Adam, but the blues come with the turf; likewise, the position of the buck stops here gives the idealists another nail for the coffin they have conjured for Jon and PGP "selling out to the enemy". the occupation of employer can be one of the least satisfying ways of living; department heads are not far behind --it's all about personal (not personnel) relations and diaper changing. as a scientist and developer, I never really enjoyed the boss tasks; more than once, I closed out when my function deteriorated to leader of the nursery. If PGP, hopefully with support, cooperation, and assistance from Cypherpunks, can offer workable and tenable solutions, which can satisfy the real needs of business for defensible audit trails, and which offer basically the same protection as current paper storage trails, PGP may be able to deploy their system as the *de facto standard* before any of the other systems take root. If PGP does not provide workable solutions for business, from simple PGP 2.6 to the SNMP managed "enforcer" and a simplified "frying the egg" means of establishing filing systems which meet both the overall needs of the business and the compartmentalized needs of restricted area and secure operations, some one else will --and corporate {a,im}morality applies their myopic vision only to the bottom line --GAK. for instance, if PGP can deliver *encryption management systems* which can provide control of the entire spectrum of corporate needs, perceived or real, such as: * no key escrow or management key (preferred, obviously) * session key with storage key (incl. some multi-key) group, department, corporate, etc. * multiple public key encryption (foolish for external) * limited CAK (certainly not desirable) * general CAK (an unreasonable sin) * GAK (the unpardonable sin) they have given business the *choice* of system management. It is important to keep in mind that the basic PGP product will do any of these formats as it currently stands with external controls. different business models have different levels of security requirements. hard core cases will buy in because they understand GAK and their foolish corporate mentality has no concern for the individual --get it installed, and the troops will push to bring it back to the preferred model using company security, not employee privacy, as the argument. better GAK with PGP than asking PGP to refuse to permit the use of their product in a GAK/CAK environment. GAK and CAK have no relationship to PGP --they are a corporate mindset and there is absolutely nothing PGP or cypherpunks can do about it --except educate the customers that there are far more secure methods of date recovery than hanging their shorts out in public for big brother to cut the clothesline. In other words, why should any cypherpunk, except our resident nihilistic anarchist, object if PGP's SNMP system provides industry with tools which can deploy the **less** objectionable control systems? or even the objectionable ones? if PGP does not or is not willing to provide the systems, and in the absence of these tools from an alternative *trusted* source, we will see GAK, just plain unabridged GAK, the simplest means to control for the Corporate Operations Officer (COO), or some other equivalent abomination spreading across the land like the ominous black cloud roiling across the land from an oil refinery fire. major corporations, most of them victims of many years of litigation, subpoenas, and judgements with their peers and with the government will just cave in to GAK --it covers all the bases, albeit very insecurely, but that is the fire next year: worry about tomorrow tomorrow. despite the general hue and cry of selling out to the enemy which arose in cypherpunks with the PGP defense department contract, as long as PGP 5.5 and its SNMP enforcer are implemented as Jon Callas claims, that contract may be the best government friend this community has today. PGP will be placing a product which covers the full spectrum of "privacy invasion" within the forces of evil. there are two ways to define a product in a market of this magnitude, a market which matches David and Goliath. PGP, by virtue of its freeware status is the standard the world over; by selling to the enemy, PGP will have proven it can be all things to all people --use what you need from it. Bubba/Goliath has been rumbling and jousting, but his own parts are buying the product that works. a very critical point. secondly, by market penetration, F{reeh,uck} is left standing in the middle of street, pulling his short arm. but if David fails to hurl that stone, Bubba will hand us GAK. the real issue in privacy is where does privacy begin, and where do corporate rights and responsibilities start, and do private rights end? defined classically: on company premises there is little if any legally enforceable individual privacy regarding communications. in NY brokerages, it is well known that brokers have their usual company computers, and a laptop with a modem, often wireless. if they are overly concerned there is always ssh --not ppp. even then, they are on company premises with company power and lights.... however, this discussion is intended to focus on business communications, not their ethics, or lack thereof and not personal communications which should be inviolate, and performed away from work. the corporate paper trace works two ways --proving you did what you said you would, or would not do --or as I put it to subordinates in a hatchetman cleanup: CYA on the sins of commission and omission. proper maintenance of paperwork, in an auditable form, is not just a sieve to collect fodder for big brother; you can, and should protect (or hang, of course) yourself with paperwork. Obviously, if you are engaged in questionable, unethical, or illegal practices, saved paper is dangerous; I can not imagine Bill Gate$ archiving notes or email <g?>. the real goal is "safe" record keeping, just like paper copies; no-one likes employer snooping (or employee snooping). unfortunately, the long running trust and honesty of years ago is not justifiable today, so there are rules. as for government snooping, give 'em a freeway salute. whether it is storage keys for Adam, or session keys, whatever, the issue is the same: anything you do to abridge the simplicity of the key pair is a potential privacy problem --as well as an additional opportunity for breach of security. the paper equivalent of one encryption key which can be lost is placing the paper copy in an access proof, unpickable safe and losing the key --and the safe self-destructs when tampered. would these same people place their only paper copy in this safe? (probably, since "losing" your key is generally described only as your bad karma). master keys are foolish and I dismiss GAK or CAK out of hand. encryption and filing policies which include a session key, a department key, or something which gives some sense of information security is preferable to the master key. the more diversity, the more security. I also believe it is preferable to encode the message twice: once to the recipient(s), the second with the company provided session key, whatever level. the logic is that using a separate encoding pass (which obviously must be essentially simultaneous) is less risky and a little less tacky than sending a message with dual keys --small point, but a consideration. it would not be difficult to rework a public key pair engine to dump to company records at the same time the communication record is released. as a comparison to the abuses which inherently will evolve with GAK: prisoners, convicted felons: murderers, rapists, pedophiles, etc. have more rights than "free" men (even though felons' civil rights are stripped for life at the time of conviction). censors for the incarcerated are only allowed to check incoming mail for money, drugs, weapons, eg: contraband; they are not permitted to slit the outgoing envelope. in addition to the regulations, the intelligence level of a hack would not understand the shading of allusions in plain text! even Dapper Joe Gotti, the Teflon Don, is entitled to the privacy of his personal correspondence unless there is a show cause order. to be both honest and pragmatic, certainly the privacy rights of some of some problem prisoners are violated. theoretically, GAK and CAK would be acceptable in a perfect world, and if the federal government and the rest of the information snoops would unfailingly adhere to Constitutional "commandments." human nature has proven more than once, and it will prove it again, it is not likely everyone will be incorruptible. in fact, I will go so far as to say that *everyone* has a price --even Tim May <g>. however, anybody who has eyes or ears knows, comprehends, and accepts that all governments rule by power --even the United States; and, that the control of information is the power to control. today, it is even more accepted that governments are, at best, a necessary evil --and corrupt, paranoid, and nosy governments at that; one which will violate your rights if it is, or they think it might be, in their interests to do so. few do not know that our governments are rotten to the core on privacy issues; the US, even more than the other members of Western society, has been abrogating, and will continue to perniciously abrogate, our rights. unfortunately, each centralization of the filing system permits the government, or lawyers litigating, a clearer path of access. in reality, encrypted electronic records are significantly safer filing cabinets than those filled with paper, but they are still records maintained. paper filing cabinets are fast disappearing; records are either microfilmed, or converted to bits, or both. Xerox, for instance, has a combination system which maintains an optical image and a scanned text digital image which can be processed with pattern recognition, etc. people say the damnedest things in email without thinking. given the ubiquity of computers, data recovery advances, and governmental intentions, everyone, whether or not it is personal or business, needs to learn the virtue of compartmentalization; files need to be organized: separate the necessary documentation from the routine and sublime --purge the latter regularly from visible system. following this procedure is not illegal if it is a regular practice, and, even more importantly, it is not performed to obfuscate or impede an investigation, civil or criminal. fundamentally, the worst thing we can do is permit the government to think they gained something by necessary business practice on the way to their perverted goal of transparent crypto. there is no question they will use their standard ploy that we have already agreed to backup procedures for data storage safety --so what is the difference if you permit us to maintain a key; remember, we're from the government, and we're here to help you. trust me-- yeah, right! on the other hand, we should be encouraged by the decision of the European commission to totally stiff the U.S. request for them to comply with the F{reeh,uck} mandate; likewise, they chastised the French. The difference in France v. the US is that if you do not ask the French government, they do not tell you: "no". If the European commission does follow through with their intentions, and I have no doubt they will as European politicians recognize both security and discreetness, they will be submitting EC legislation before the end of the year encouraging strong encryption both to facilitate commerce and to protect against the criminal elements; they fully realized the folly of expecting criminals not to use strong encryption even if it is illegal. firearms in the hands of criminals are also illegal. either F{reeh,uck} and Bubba can get off their horses and sell the EC hardware and software, or they can lose it all. Interestingly. the software will probably be PGP --except the revenue will not come home to PRZ, let alone America. Great trade policy, Bubba. where did you say you're from? Arkansas? the actions of the more pragmatic, and obviously privacy conscience, European leaders only paints a sharper contrast with the intentions of the U.S. government. have no doubt, the U.S. government is no different than Lucifer who intended to remove from mankind any choice. the actions of the U.S. government since the Civil War have been an insidious assumption of centralized power, including unaccountable police, and a systematic plan of supposed emergencies to expand the control of the few at the expense of the many. when the smoke of the battle clears, if PGP is not its original pristine, highway salute to the powers that be "old self," any "concessions" in behalf of corporate responsibility will be judged on their appearance, not the effectiveness of the solution. Then the flaming idealists will sing and dance for blood, claiming PGP released the dogs of war, beginning the inexorable dance to our doom. the disruptive class must be put aside (to argue among themselves) and the rest of need to get down to work: we must educate the users, washed and unwashed alike, that "doing business" is not necessarily cozying up to the devil; while simultaneously affirming that we can not and will not tolerate arrangements with any similarity to GAK, CAK and the four horsemen. on the other hand, if the government does not disassemble and chastise Bill Gate$, I fear Bill's intentions far more than I do the federal government, starting with crash prone mediocrity and including Gate$' standard no source code policies-- "trust me". sure, Bill, I trust you; just come a little closer.... -- "When I die, please cast my ashes upon Bill Gates. For once, let him clean up after me! " ______________________________________________________________________ "attila" 1024/C20B6905/23 D0 FA 7F 6A 8F 60 66 BC AF AE 56 98 C0 D7 B0 -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: latin1 Comment: No safety this side of the grave. Never was; never will be iQCVAwUBNEGcK704kQrCC2kFAQGkvgP9GdIrtrxBBA/48TZ+VKFStV4pl687EfxH fKinV1RNgTI33MoTXcxsy7nKRkX6b8PRk6/k33vTiWLwrUPrhFQPL0i49EIBZsfJ FOTEdGEQE16DosImiFFCGp5TUlG8dx1C9OJeutaWV9D9lBf8zNBilpPUFpbnQdYn b1Rd7f7ShIk= =lMeS -----END PGP SIGNATURE-----