On Wed, Oct 22, 1997 at 02:23:29PM -0400, Declan McCullagh wrote:
At 14:06 -0400 10/22/97, Jonah Seiger wrote:
While I suspect that new key recovery or CMR products may create some new traction for supporters of mandatory GAK, PGP 5.5 is not the first example of such a product (TIS has been marketing key recovery products for a while).
Of course TIS has been doing this forever. But TIS, a shop staffed by former NSA spooks, is not the PGP that Phil Zimmermann founded. For PGP to release such a product changes the political dynamic in important ways.
More importantly though, the Blaze et al study (http://www.crypto.com/key_study) did not say that key recovery/key escrow systems can't be built.
In fact it said: "Building the secure infrastructure of the breathtaking scale and complexity that would be required for such a scheme is beyond the experience and current competency of the field." Sounds like "can't be built" to me.
In that case, it is completely inaccurate to call PGP5.5 an existence proof. In any case, the Blaze et al paper explicitly acknowledges that there is a "business case" for corporate level key recovery, and clearly distinguishes the LEA infrastructure model from more limited cases.
I agree that PGP 5.5 doesn't meet the FBI's demand for realtime access. But it can be used as a waving-around-on-the-House-floor prop to pass a law that requires mandatory key escrow.
They could wave around TIS's products (designed by noted cypherpunk Carl Ellison, I believe), or NorTel's Entrust, just as well. Hell, in a few months they may be able to wave around Adam Back's CDR product, which also facilitates GAK -- access to communications is worse than access to data, by some measure, but the LEAs will certainly be grateful to Adam for his legitimization of Key Escrow...

--
Kent Crispin                "No reason to get excited",
kent@songbird.com           the thief he kindly spoke...
PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html