
An article in today's (Fri, Oct 3) New York Times (CyberTimes) ... describes the new release of "PGP for Business Security 5.5," which contains mechanisms that incorporate a key-recovery mechanism that can either be voluntary or be enforced by using PGP's software for controlling a company's SMTP server -- the server can verify that all encrypted messages include the corporate public key (or conform to other corporate policies):
Alex Le Heux <alexlh@xs4all.nl> noted:

|> Keep in mind that this is the 'PGP for Business'. Companies often
|> operate on the principle that email that's sent and received from
|> their machines is the company's, not the employee's. This is actually
|> reasonable business practice. Specially when encryption enters the
|> picture. The employee could walk under a bus, and leave some vital
|> but encrypted emails in his mailbox. This could be a real problem for
|> corporations.

William H. Geiger III <whgiii@invweb.net> brushed aside PGP Inc's critics to complain:
This has been discussed before on this list and others, and few have disagreed, that a company has a legitimate need to be able to access its encrypted data. If employees want to send love letters or whatnot then they should not be doing it on company time using company resources.
If a corporation wishes to establish a company policy that all correspondence be encrypted with the company's master key it is their right to do so and IMNSHO it would be foolhardy for them to do otherwise.
Claiming that they are doing the work of Big Brother is a cheap-shot and uncalled for.
With respect, Gentlemen, I think you are missing the point. There is no corporate demand for a key-recovery mechanism which allows Management immediate real-time access to all encrypted electronic communications. This new PGP facility is analogous to key-escrow or key-recovery for session keys; in essence, it's a backdoor to the session.

Here in the US, FBI Director Louis Freeh has been pointed in his comments about the distinction between key-recovery for stored data and key-recovery for transient electronic communications. Key-recovery for encrypted stored data, Freeh noted, serves a sensible and pragmatic business need. Corporations will do it because it's a necessary part of their Disaster Planning. But, as Freeh noted several times in Congressional testimony, there are few if any business requirements for surreptitious, real-time access to online communications, so businesses (unless forced by legislation, argued Freeh) simply won't do it. It is police agencies, not Management, which seek real-time access to all encrypted e-mail. No one but the Govt wants it.

Management, at least in the US, doesn't need this sort of evidentiary data. Management has an employee who can be required to keep a copy of all business e-mail for Management review; or required to cc his or her boss on all e-mail to a customer -- or even forbidden to use e-mail for anything other than business mail cced to the boss. And, of course, the employee can be fired if he/she doesn't comply. But the truth is: Management doesn't need the aggravation and -- while the standard of management oversight is more lenient, at least for professional staff -- no company can keep talented employees if it treats them this way.

Surreptitious universal access to an employee's encrypted e-mail _is_ like sound and video pickups in the bathrooms. Vastly intrusive; humiliating; diminishing. Far more intrusive than is useful or necessary for conventional management needs. It is the work of Big Brother, sadly.
GAK-enabled PGP, plain and simple! As Director Freeh noted, it's only LEAs who need and want this.

The likely early victims of such a draconian oversight will probably be the long-suffering US government employees. With no evidence to support my supposition, I'll bet the GAKed-crypto strategists are once again offering the federal workforce as the sacrificial lambs, as they did with Fortezza. Trying (again!) to use the bulk federal purchasing power to establish a de facto product standard. Watch over the next six months.

I think they used the new -- "post-Fortezza," pre-PKI -- prospect of huge '98-'99 federal purchases of COTS crypto for non-classified DoD and civilian agency e-mail to lure Mr. Zimmermann, major stockholder, into swallowing the words of Feckless Phil, the wild and wooly free-crypto rebel. Anyone wanna wager that this "design option" evolved concurrent with a quiet MOU-structured review of the New Improved PGP by the X Organization at Ft. Meade? Nor, I fear, will this be the last enhanced cryptographic communications app to come out of vendors active in the NSA's new Commercial Liaison initiative. Big federal market. Big lure. Hard not to give the Customer what he wants. Still, it's sad.

(I, btw, am moderating a panel on the "Prospects for Government Control of the Internet" at the NSA/NIST-sponsored NISSC in Baltimore this week. Among my panelists are David Herson, the top pro-GAK policy maven for the European Commission; Tom Black of Smith System Engineering, the network specialists commissioned by the European Parliament to figure out how to enforce content regulation; Patricia Edfors, the Chair of the federal PKI Steering Committee and the Security Champion on GITS; Dave Farber of UPenn, the Internet Society, and EFF; and Danny Weitzner of CDT. Powerful and articulate voices from all sides of the Question. Thoughtful and non-obvious suggestions for questions to the Panel would be welcome -- to the List or in private e-mail. TIA.)
_Vin

Vin McLellan + The Privacy Guild + <vin@shore.net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --
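The enforcement mechanism summarized at the top of this message, an SMTP gateway that refuses encrypted mail unless it is also encrypted to the corporate key, can be reduced to one concrete check on the message format. What follows is an added example, not PGP Inc's code and not drawn from the Times article: it walks the packets of an OpenPGP message, collects the recipient key ID from every Public-Key Encrypted Session Key (PKESK) packet, and accepts the message only if the configured corporate key ID is among them. Packet framing follows the later OpenPGP standardization (RFC 4880, old- and new-format headers; partial-body and indeterminate lengths are rejected rather than handled). The key IDs, the function names and the sample messages are all constructed here for illustration; the sample "ciphertext" is dummy bytes, since only the headers matter to the check.

```python
"""Gateway-side check: is this OpenPGP message encrypted to the corporate key?

Added example, not PGP Inc's code.  Assumes OpenPGP packet framing as in
RFC 4880.  The corporate/employee key IDs and the sample messages are
constructed for this example.
"""
import struct

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (one per recipient)


def _read_new_length(data, pos):
    """Decode a new-format body length starting at data[pos]."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported in this example")


def iter_packets(data):
    """Yield (tag, body) for each packet, accepting old and new framing."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            length, pos = _read_new_length(data, pos + 1)
        else:                                # old-format header (PGP 2.x/5.x style)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += length


def recipient_key_ids(data):
    """Upper-case hex key ID of every PKESK packet in the message, in order."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == PKESK_TAG:
            if body[0] != 3:                 # v3 is the only PKESK version defined
                raise ValueError("unsupported PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())
    return ids


def policy_allows(data, corporate_key_id):
    """True iff the message carries a PKESK addressed to the corporate key."""
    return corporate_key_id.upper() in recipient_key_ids(data)


# --- constructed sample messages (dummy MPIs and payload, not real crypto) ---
def _pkesk_new(key_id):
    # v3 PKESK body: version, 8-byte key ID, algo (1 = RSA), one dummy MPI
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x10\xab\xcd"
    return bytes([0xC1, len(body)]) + body   # new-format header, tag 1


def _pkesk_old(key_id):
    body = b"\x03" + bytes.fromhex(key_id) + b"\x01" + b"\x00\x10\xab\xcd"
    return bytes([0x84, len(body)]) + body   # old-format header, tag 1, 1-byte length


def _seipd():
    body = b"\x01" + b"\x00" * 20            # version byte + dummy encrypted payload
    return bytes([0xD2, len(body)]) + body   # new-format header, tag 18


CORPORATE_KEY_ID = "0123456789ABCDEF"        # assumed corporate additional decryption key
EMPLOYEE_KEY_ID = "FEDCBA9876543210"         # assumed recipient's own key

MSG_COMPLIANT = _pkesk_new(EMPLOYEE_KEY_ID) + _pkesk_new(CORPORATE_KEY_ID) + _seipd()
MSG_PRIVATE = _pkesk_new(EMPLOYEE_KEY_ID) + _seipd()
MSG_OLD_FORMAT = _pkesk_old(CORPORATE_KEY_ID) + _seipd()

if __name__ == "__main__":
    for name, msg in (("compliant", MSG_COMPLIANT), ("private", MSG_PRIVATE),
                      ("old-format", MSG_OLD_FORMAT)):
        verdict = "accept" if policy_allows(msg, CORPORATE_KEY_ID) else "reject"
        print(name, recipient_key_ids(msg), verdict)
```

Note what this check does and does not establish. The key ID in a PKESK packet is unauthenticated metadata: the gateway learns that a packet is labelled for the corporate key, not that the session key inside it was actually encrypted to that key, so a gateway that wants proof must hold the corporate private key and attempt the decryption itself, which is exactly the real-time access to the session that the message above objects to.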