
Anonymous, claiming to be Monty Cantsin, writes about PGP 5.5:

Decrypting files and decrypting messages are not the same problem. The PGP product has SMTP support - it is explicitly designed to weaken transmitted messages. Just like Clipper.

No, it isn't "just like Clipper." Messages encrypted with PGP 5.5 can be decrypted or verified by PGP 5.0 or other implementations that can decode the PGP message and encryption format. Also, PGP 5.0 or other compliant implementations can send encrypted and signed messages to PGP 5.5 users.

The transmitted message is as "weak" as the quality of the encryption, the number of people who have access to the secret key, and the quality of their passwords. It is also as "weak" as the physical security that prevents passwords from leaking (i.e., by Tempest or black bag wiretaps inside the secure user's workstation). Given all of the other risks, encrypting to a corporate private key doesn't seem to me to significantly increase the risk.

The real risk, to my view, is that some future implementation will require the secondary key, and will require that that secondary key be stored in a "government accessible" database. This, however, seems a bit remote and, given that PGP publishes their source code, reasonably easy to detect.

Martin Minow
minow@apple.com