
Declan <declan@well.com> forwards:
A friend of mine by the name of Jason Bobier <jason@pgp.com> happens to work at PGP, Inc. I'll preface his comments by pointing out that I'm sure he doesn't speak for the company in any way.
Unfortunately these people just don't get it. Corporations refused to buy 5.0 because it did not have any way for the corps to get at email encrypted to their employees. There are some very legitimate uses of this, such as when an employee dies and someone else has to take over for them.
When someone dies, it seems to me that you are interested in getting at the archived email primarily, not the odd new emails which are addressed to that employee. Regardless, even if you did want to allow the company to be able to spot check emails arriving for the employee it would be simpler to just give the employee's key to the company. PGP employees seem to get upset if you suggest giving companies copies of employees' keys -- but really what difference does it make if the company can read messages addressed to you with their own key or with your key. (Clearly in either case you can bypass the whole setup with superencryption, or just by walking out of the building with a DAT tape).
Without corps buying the product, there is no PGP, Inc., and thus no dedication of resources to the production of PGP. This leads us back to the floundering state of development that PGP was in before 5.0.
Right. So implement storage recovery, that's what the corp wants to protect: data availability.
They also don't seem to realize that you always have the ability to remove the MRK from your list of recipients.
However, in some circumstances this ability doesn't help you much, because if the recipient is working for a company running pgp5.5 set up strictly, it'll bounce your mail unless you keep the "MRK" on the list of recipients.
Sometimes I really feel like screaming at these people. _All_ of the developers at PGP are personal privacy zealots and no one likes the idea of the MRK. That is why we refuse to make them required.
The SMTP policy enforcer which bounces mails which don't have extra CMR crypto-recipients seems to fly in the face of your claimed refusal. Yes you can hack around it, yes it's optional, but PGP Inc wrote it, and provides facilities to enforce this behaviour for those that choose to use it in that mode.
It is also why there still are freeware and personal versions of the product.
pgp5.5 freeware/personal use also knows how to comply with CMR requests from someone using a company account with a policy enforcer and strict settings.
I wish they would just realize that we aren't some evil group of people that are solely plotting how to make the most money off of this. Most everyone at PGP has internalized personal privacy as a cause (actually most had it before they joined PGP).
I'm not sure that many people have accused PGP of being "evil" or plotting to sell us out for money. What many have said though is that there are better ways to implement corporate data recovery / disaster recovery procedures than PGP have implemented; ways which are much more resistant to abuse by government. There isn't that much objection to companies having whatever access they want; certainly not much for data recovery.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
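The mechanism the thread argues over, as an added example that is not part of the post and not PGP Inc.'s code: a stdlib-only Python model of a multi-recipient message in which the message recovery key (MRK) is just one more crypto-recipient, a strict gateway check that bounces mail lacking it, the two ways round it that come up above (dropping the MRK from the recipient list, superencryption), and the storage-recovery alternative Adam proposes. The key-ID derivation, the message layout, the function names and the sample text are assumptions; the toy XOR cipher stands in for OpenPGP's public-key wrapping of the session key and is not secure.

```python
"""Toy model of the PGP 5.5 Corporate Message Recovery (CMR) mechanism.

Added example, not code from PGP Inc. or anyone in the thread. It keeps only
the *structure*: one fresh session key wrapped once per recipient, recipient
key IDs in the clear, and a gateway check on those IDs. The cipher is a
stdlib-only stand-in for OpenPGP public-key encryption and is NOT secure.
"""
import hashlib
import json
import os
from typing import Dict, List, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption): SHA-256 counter blocks XORed with data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def key_id(key: bytes) -> str:
    """Stand-in for the OpenPGP key ID that labels each wrapped session key."""
    return hashlib.sha256(key).hexdigest()[:16]


def encrypt(plaintext: bytes, recipient_keys: List[bytes]) -> Dict:
    """Encrypt once under a fresh session key; wrap that key per recipient."""
    session, nonce = os.urandom(32), os.urandom(16)
    return {
        # Key IDs travel in the clear: they are all a gateway enforcer sees.
        "recipients": {key_id(k): _keystream_xor(k, nonce, session)
                       for k in recipient_keys},
        "nonce": nonce,
        "body": _keystream_xor(session, nonce, plaintext),
    }


def decrypt(msg: Dict, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if this key is not among the recipients."""
    wrapped = msg["recipients"].get(key_id(key))
    if wrapped is None:
        return None
    session = _keystream_xor(key, msg["nonce"], wrapped)
    return _keystream_xor(session, msg["nonce"], msg["body"])


def remove_recipient(msg: Dict, key: bytes) -> Dict:
    """Sender-side: drop the MRK's wrapped session key, as the post describes."""
    trimmed = dict(msg, recipients=dict(msg["recipients"]))
    trimmed["recipients"].pop(key_id(key), None)
    return trimmed


def policy_enforcer_accepts(msg: Dict, cmr_key: bytes) -> bool:
    """Strict SMTP policy enforcer: bounce unless the CMR key is a recipient."""
    return key_id(cmr_key) in msg["recipients"]


def pack(msg: Dict) -> bytes:
    """Serialize a message so it can be the plaintext of another (superencryption)."""
    return json.dumps({"recipients": {k: v.hex() for k, v in msg["recipients"].items()},
                       "nonce": msg["nonce"].hex(), "body": msg["body"].hex()}).encode()


def unpack(blob: bytes) -> Dict:
    d = json.loads(blob)
    return {"recipients": {k: bytes.fromhex(v) for k, v in d["recipients"].items()},
            "nonce": bytes.fromhex(d["nonce"]), "body": bytes.fromhex(d["body"])}


def demo() -> Dict[str, bool]:
    """Walk through the situations discussed in the thread (constructed sample)."""
    bob, company, recovery = os.urandom(32), os.urandom(32), os.urandom(32)
    text = b"constructed sample: quarterly numbers attached"
    # (1) Compliant mail: Bob plus the MRK as an extra recipient.
    compliant = encrypt(text, [bob, company])
    # (2) Sender strips the MRK; a strictly configured gateway bounces it.
    stripped = remove_recipient(compliant, company)
    # (3) Superencryption: inner message to Bob alone, outer message lists
    #     the MRK. The gateway is satisfied; the company gets only ciphertext.
    outer = encrypt(pack(encrypt(text, [bob])), [bob, company])
    # (4) Storage recovery instead: the wire copy names only Bob; after
    #     receipt the archive is encrypted to Bob plus an offline recovery key.
    wire = encrypt(text, [bob])
    archive = encrypt(decrypt(wire, bob), [bob, recovery])
    return {
        "compliant_accepted": policy_enforcer_accepts(compliant, company),
        "company_reads_compliant": decrypt(compliant, company) == text,
        "stripped_accepted": policy_enforcer_accepts(stripped, company),
        "bob_reads_stripped": decrypt(stripped, bob) == text,
        "outer_accepted": policy_enforcer_accepts(outer, company),
        "company_reads_outer": decrypt(outer, company) == text,
        "bob_reads_inner": decrypt(unpack(decrypt(outer, bob)), bob) == text,
        "wire_names_company": policy_enforcer_accepts(wire, company),
        "recovery_reads_archive": decrypt(archive, recovery) == text,
    }
```

Running `demo()` shows the two points the replies make: the gateway can only check which key IDs are listed, so superencryption passes it while denying the company the plaintext; and the company's recovery need is met equally well by a recovery key applied to the stored copy, which never has to appear on the wire.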