Adam Back writes:
Jonathan Seybold <jseybold@pgp.com> writes:
Adam, one aspect of your suggestion puzzles me: One thing which concerns me most is KNOWING when a message I send (or receive) could be read by someone else. The PGP CMR scheme makes this very clear: if there is an extra CMR key, the message may be read by whomever controls that key, if not, only the recipient may decrypt the message. If, however, the message is secretly re-encrypted to a corporate storage key AFTER it is received, I will never know that.
You will if you mark the key with this information.
This is a straw man anyway. You don't know this now. Someone you are communicating with could already be forwarding plaintext to a third party unbeknownst to the sender. This is a "do you trust the recipient" issue.
What I _am_ arguing is that in designing systems to provide companies with data recovery mechanisms that you should a) not weaken security more than necessary, and b) that it would be nice if you used a method which doesn't introduce GAK compliancy for communications keys.
I presented I think in plenty of detail an alternate mechanism which is both non-GAK compliant, and more secure. So what is the problem? Is there a technical flaw in my solution?
No. But there is in their's(PGP Inc.) as I think you and others have amply demonstrated. The technical issues alone are enough to reject usage of PGP5.5's CMR features. It intrigues me that there has been virtual silence from PGP employees on the technical issues. Only Hal Finney via the IETF-Open-PGP has come anywhere near commenting upon this. I haven't seen anyone from PGP Inc. comment on your data-recovery implementation ideas. In my optimistic moments, I take this as a sign that internally, PGP inc. is giving consideration to producting more sensible and effective solutions. (Maybe even as outlined here)
This means, I believe, that they should NEVER INVOLVE HIDDEN BACK DOORS THAT USERS ARE NOT AWARE OF.
Agreed. You can flag backdoors with either solution.
See above. The prescence of flags does not prevent this. By definition I might add ;). Trust issues, etc. are involved.
It works well enough, but it could be made much more secure, by separating storage key functionality from transient message key functionality. This would also give you the chance to resolve the articificially created need for GAK compliancy, which arises because you are being forced by this lack of distinction between key functionalities to use one key for both long term storage and what should be transient communications key usage.
Hal Finney's description of key sttributes indicate that implementing separate storage keys would not be hard for PGP Inc to implement in the next release.
Decentralised control is good, of course, but the pgp5.5 and SMTP policy enforcer is a ready to roll GAK system.
Of course, other companies could have (and will) implement similar systems. That PGP, with it's reputation and stated policies, would is surprising. Hopefully, PGP will live up to their reputation by realizing this misstep and correcting it with a more secure, less GAK-compliant implementation.
The PGP bashing PGP observes is an attempt by the pro-privacy crypto community to influence PGP to re-think the GAK compliancy, and to point out the more secure way to implement corporate recovery of stored email messages without GAK compliancy.
I reserve the right to bash any company which attempts to field GAK compliant software.
The "bashing" in this notoriously harsh forum has been rather tender in my view. Perhaps the perception of "bashing" is based on recognition (and guilt) that the CMR mechanism is flawed and goes against "the spirit of PGP." Methinks, y'all doth protest too much. -- --------------------------------------------------------------------- Omegaman <mailto:omegam@cmq.com>|"When they kick out your front door, PGP Key fingerprint = | How are you gonna come? 6D 31 C3 00 77 8C D1 C2 | With your hands upon your head, 59 0A 01 E3 AF 81 94 63 | Or on the trigger of your gun?" Send email with "get key" as the| -- The Clash, "Guns of Brixton" "Subject:"to get my public key | _London_Calling_ , 1980 ---------------------------------------------------------------------