To comment on Will Price's comments I forwarded earlier today: Will Price <wprice@pgp.com> wrote:
I've commented about this on this list before I believe. This appears to be a case of really old news suddenly being dredged up for no apparent wholesome reason -- which strikes me as quite odd because Wired was apparently so eager to break this ancient story that they didn't wait to ask anyone from NAI about it.
I didn't heard anything other than speculation as to whether the TIS acquisition would result in NAI rejoining KRA. The news is that it now is listed again (or at least someone noticed that it is now listed). Perhaps I was not paying attention, but I didn't hear anyone from PGP announce that NAI had rejoined (or automatically rejoined) KRA as a result of TIS merger.
NAI being listed on the KRA page is *solely* a result of our TIS acquisition. I really doubt anyone here actually called some KRA person and officially renewed our membership. Frankly, I doubt anyone here actually knows who to talk to there -- if there even is a "there".
Surely some of your TIS GAKware colleagues know all about KRAP -- being major league GAKkers, and having specifically signed up in the first place, being leading contributers to the KRAP/GAK drive effort.
As I have said before, due to the TIS acquisition, NAI now has a bunch of products which contain key escrow features.
Watch terminology here. TIS stuff contains GAK -- "key escrow" or "message recovery" where the government has the master keys. All commercial PGP versions 5.x and higher contain key recovery in the form of PGP's "Corporate Message Recovery" (CMR) design. Even the personal use versions know how to cooperate in providing corporate backdoors. Now CMR is clearly much less objectionable than TIS stuff, tho' politically debatable I would argue. TIS stuff is outright GAK. But I think part of the point of KRA was to coerce/bribe crypto companies to demonstrate working and workable NSA master key type GAK. The problem people have had with PGP building a CMR / CKE mechanism is you as a side effect demonstrate a method which would be workable as an NSA master key GAK system. Clearly all that is missing is software configuration and the NSA to publish a key, and a law requiring use of it. Yeah, OK so there was always encrypt to self, but giving the NSA ammunition is bad (viz the quotes from US government saying that Key Recovery works and using PGP 5.x as an example). I think that helping the US government claim that GAK is workable is a bad result for a company with PGP's privacy stance to end up contributing to. I am glad that CMR was kept out of the OpenPGP spec.
Eliminating or modifying these features such that they work in a less big brother-like fashion will take significant time -- indeed entire TIS products were based around managing key escrow infrastructures. Don't get me wrong, TIS had a lot of other great products, but it will take time to redesign and rethink some of them in the context of export and key escrow.
Will seems to be saying here that NAI is planning to remove GAK from the TIS products acquired in the NAI purchase of TIS. Firstly this is interesting because I wonder who is pulling the strings inside NAI -- consider: NAI paid a lot more for TIS than they paid for PGP. TIS has lots of US government defense contracts (presumably partly as bribery for assistance to US Government with KRAP/the GAK drive). Secondly he comments that it will take significant time to make the TIS products less big brother like. I don't buy this. You've got the source code -- just release a patch to fill the GAK field with garbage. Sounds like a days work tops.
I'm not sure there's much point in withdrawing from KRA when those products still exist.
Sure there is. The bad PR of being in KRAP alone should make it worth quiting. This was why PRZ arranged the pull out last time around. Secondly pulling out of KRA would be a nice way to back up your claims that NAI intends to remove the GAK from the bought TIS products. If NAI intends to do this, what is the point of being a member of KRA which is all about acheiving the reverse -- about putting GAK into products.
These issues have no effect whatsoever on the PGP group.
Glad to hear it. The effect it does have is in reputation damage due to PR fall out. Some people may prefer not to buy from a company supporting the US government in it's attempts to force key escrow onto users. NAI is pulling in two directions, TIS and KRA membership, and PGP privacy stance. Adam