Tim May <tcmay@got.net> writes:
"We're also asking loyal Americans within companies to send us the CMR secret keys. Companies have no right to keep secrets from government. We won't allow a company to have policies which prevent loyal Americans from providing information to their government."
By the way, I think the notion that the government will go to great lengths to get CMR secret keys is not far-fetched. Until PGP for Business supports a richer system of snoopware keys--and my understanding is that PGP 5.5 does _not_--then the CMR secret key of, say, Microsoft, would be a prize indeed.
I think the CMR public key extension is not limited to one CMR extra recipient per key. Closely following discussions on ietf-open-pgp, and the notes Bill Stewart kindly posted to this list (taken from the description PGP Inc gave at a meeting in the US) it sounded to me that there is a migration path like this: pgp5.0: accepts keys with multiple CMR key requests attached but doesn't honour CMR requests (? I hope!), and can't generate keys with CMR requests pgp5.5: generates keys with single CMR requests, can accept and handle keys with multiple CMR requests pgp6.x: will generate keys with multiple CMR requests (and of course honour them too) This suggests that the yet to be released pgp6.x (or whatever version number is chosen) will be able to cater to such government demands merely by the company generating their keys with two CMR requests: recovery@acme.com thoughtpolice@nsa.gov The NSA can publish their public key on http://www.nsa.gov/ tomorrow, and the law by presidential decree the day after. This is the balanced Sword of Damocles over privacy for real now: this is the switch waiting to be flicked. This is why I am upset with PGP Inc for using the CMR approach. It is not CMR per se as a neutral mechanism, but it is the approach of building tools which allow third party access, or "recovery" of communications traffic which has enabled all of this. This despite their stated corporate user requirement being storage recovery.
This is of course a security weakness of the whole CMR approach, exactly as with the key escrow database. It is a too-tempting target. Anyone within a company with access to the CMR secret key will be incentivized to sell it.
I agree, it is a centralised security risk. PGP Inc are talking about adding secret splitting perhaps, but still it is a security risk. The whole technique of sending recovery information over the wire is a security risk. Recovery information if there is any should be kept on local disks and thereby be protected by the companies normal physical security in the same way that papers in filing cabinets are. This is the status quo. (Well actually no encryption at all locally is largely the status quo, but pgp5.0 (and I presume pgp5.5) is also able to encrypt files, and PGP Inc argues more reasonably that their corporate clients have a requirement of being able to recover stored encrypted files also). Regardless it is trivial to have local storage recovery without sending recovery information over the wire. I'll be posting (web and list) a security analysis of CMR vs CDR presently; I think CMR loses badly from even a purely security oriented standpoint. (I have made my feelings about the political demerits of CMR as a storage recovery mechanism known already).
Of course, Microsoft won't be using PGP for Business. Recall that they may have their own "software key escrow" program cooking, based on my discussion a few years ago with Tom Albertson (sp?) of Microsoft. Bill Gates has issued strongly anti-GAK statements, so maybe this is on hold.
Perhaps this is what they are busy building at their top-sikrit crypto software development/research center at Cambridge, UK under the guidance of new head of research cryptographer Roger Needham. Looks like an export embargo end-run by Bill Gates. Maybe Bill Gates is a cypherpunk after all, well we can live in hope, anyway. Adam -- Now officially an EAR violation... Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`