
spencer_ante@webmagazine.com writes:
> As a person who's been at work on a very long feature about PGP Inc. for Wired, I can tell you that businesses really don't care that much about PGP's civil liberties advocacy.
The suits in charge might not, but many of the security or network people might. Technical advice on which product is best suited for corporate computer and email security often comes from such people.
> In fact, its rep could hurt as much as help them. The Fortune 500 is much more pragmatic: They want solutions that work, that help them maintain security for their intellectual property and capital. To that extent, PGP 5.5 -- which enables IS directors to manage a public key infrastructure and enforce company-wide security policies -- is a step in the right direction.
Hmmm. You can have storage data recovery without allowing third and fourth parties to read what goes over the wire. Sending recovery info with the message is bad security practice anyway, especially when the keys are long term keys.
> And one major thing that needs to be pointed out: PGP's key recovery system is *voluntary and private* -- not mandatory
So was Clipper, remember? "It's voluntary, read my lips," said the politicians. Then a few FOIAs later we found out they were planning for it to be mandatory all along. Freeh is calling for mandatory now, with comments like "if voluntary doesn't work, we may be seeking mandatory escrow." It's just a tactic; it's obvious that the government wants mandatory. Clearly he will argue that it doesn't work once he gets a "voluntary" system. He'll probably engineer an example of it not working, if a suitable case doesn't arise by itself in a timely manner.
> and gov. controlled, which is what the Feds and Louis Freeh have been pushing for.
It's not government controlled, true.
> One potential positive side effect of PGP 5.5 is that it could realign the crypto debate and force people to consider this question: Whose back door should netizens be more worried about: Big Brother or The Boss?
Big Bro, any day. But it is not quite that stark, because there is a subtlety which appears to be being missed: governments want real time access to _communications_. Companies want availability of _stored data_: disaster recovery procedures for encrypted stored data (where disaster is sudden death of employee, or employee forgetting passphrase). This difference allows you to develop systems which are resistant to government key grabbing efforts, which at the same time allow companies' disaster recovery plans for encrypted stored data. PGP's system is too neutral in this respect.

Adam

--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
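The split Adam draws above (recoverable keys for data at rest, no recovery path for what goes over the wire) can be made concrete in code. The following is an added example written for this page; it is not Adam's code and not PGP 5.5's design, and every name in it (StoredFile, Message, EncryptStored, EncryptMessage and the helpers) is assumed for the illustration. Stored files get a random data-encryption key that is wrapped once under the employee's key and once under the company's disaster-recovery key, so the file can be read back after a lost passphrase or a death. Messages instead use a fresh X25519 key agreement per message, derive the session key from it, and wrap it to nobody else; the ephemeral private key is dropped after sealing, so neither a recovery officer nor anyone holding a long-term key later can read the traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealAESGCM encrypts plaintext under a 32-byte key; the random nonce is prepended to the output.
func sealAESGCM(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openAESGCM reverses sealAESGCM; a wrong key fails authentication and returns an error.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// StoredFile (hypothetical format): the data-encryption key (DEK) is wrapped under the
// employee's storage key and, separately, under the company recovery key. Recovery only
// ever applies to this object at rest, never to anything sent over the wire.
type StoredFile struct {
	Ciphertext []byte
	WrapUser   []byte // DEK sealed under the employee's key
	WrapRecov  []byte // DEK sealed under the company disaster-recovery key
}

func EncryptStored(userKey, recoveryKey, plaintext []byte) StoredFile {
	dek := newKey()
	return StoredFile{
		Ciphertext: sealAESGCM(dek, plaintext),
		WrapUser:   sealAESGCM(userKey, dek),
		WrapRecov:  sealAESGCM(recoveryKey, dek),
	}
}

// DecryptStored unwraps the DEK with whichever key the caller holds (employee or recovery officer).
func DecryptStored(key []byte, f StoredFile) ([]byte, error) {
	for _, wrap := range [][]byte{f.WrapUser, f.WrapRecov} {
		if dek, err := openAESGCM(key, wrap); err == nil {
			return openAESGCM(dek, f.Ciphertext)
		}
	}
	return nil, errors.New("key does not unwrap this file")
}

// Message (hypothetical format): one ephemeral X25519 agreement per message. There is no
// recovery wrap field at all, so there is nothing a third key could ever unwrap.
type Message struct {
	EphemeralPub []byte
	Ciphertext   []byte
}

// messageKey derives the session key from the X25519 shared secret (plain SHA-256 here, for the example).
func messageKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

func newRecipient() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func EncryptMessage(recipientPub *ecdh.PublicKey, plaintext []byte) (Message, error) {
	eph := newRecipient() // sender's one-shot key; discarded when this function returns
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return Message{}, err
	}
	return Message{EphemeralPub: eph.PublicKey().Bytes(), Ciphertext: sealAESGCM(messageKey(shared), plaintext)}, nil
}

func DecryptMessage(recipientPriv *ecdh.PrivateKey, m Message) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(m.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return openAESGCM(messageKey(shared), m.Ciphertext)
}

func main() {
	userKey, recoveryKey := newKey(), newKey()
	f := EncryptStored(userKey, recoveryKey, []byte("constructed sample: design notes"))
	pt, _ := DecryptStored(recoveryKey, f) // recovery officer reads the file at rest
	fmt.Printf("stored file via recovery key: %q\n", pt)

	bob := newRecipient()
	m, _ := EncryptMessage(bob.PublicKey(), []byte("constructed sample: meet at noon"))
	_, err := DecryptMessage(newRecipient(), m) // any key other than Bob's fails
	fmt.Println("message via some other key:", err)
}
```

The property worth noticing is structural rather than a matter of policy: a file carries a WrapRecov field because the company has a legitimate availability need for it, while a Message has no such field, so a "recovery" demand for traffic would require redesigning the message format rather than just handing over a key. That is the asymmetry the post argues a scheme should build on, and a system that wraps the same long-term key into both paths (the design criticised above) loses it.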