-----BEGIN PGP SIGNED MESSAGE----- Anonymous <nobody@REPLAY.COM> wrote:
PGP 5.5 for Business Security can be configured to use escrow keys. It isn't automatic, you have to explicitly enable this. I am pretty sure, but not positive, that once enabled, the user is warned that that an escrow key is being used.
Okay, we lived with Viacrypt and PGP 4.5 before. Let's talk about reasons to include those pieces of suspicious code in the 5.0 -version for _personal privacy_. Activated or not, the idea alone is a bad thing and smells like betrayal.
Why has it been done? Certainly it is not a big problem to compile a version 5.0 with an activated key escrow-function? Is PGP Inc. waiting for the law to catch up? We should observe closely in the future and look out for the little "enhancements" which will make PGP Inc. keep their market shares:
Actually, I'm told the reason for those code hooks is so that commercial users can do INTERNAL key "escrowing", so that if a vital individual dies or quits and refuses to turn over his key to his successor, his employer can recover the key and access encrypted data that would otherwise remain inaccessible. If the employer is paying him to produce something, then the end result is the property of the employer and should not be lost if the employee dies or becomes disgruntled, quits, and refuses to turn over the key (or claims he "forgot" his passphrase) to his employer. OTOH, an employee should be allowed to properly revoke his key upon quitting and distribute the revocation certificate. (The employer may be wise to REQUIRE that.) I really have no problem with that as long as its use remains VOLUNTARY at the user's discretion. Needless to say, an employee in a situation like that should use one key for work-related purposes and a separate, non-escrowed one for his personal use. Although anything is possible, I doubt that the government would use this as a means of implementing MANDATORY key escrowing. The powers-that-be at the NSA seem to have real fits with software encryption to start with, and something that's available in source code and thus modifiable would give them nightmares. I'd expect anything they eventually approve/mandate to be merely a software interface to a tamper-resistant encryption engine in firmware (complete with embedded key[s]). - --- Finger <comsec@nym.alias.net> for PGP public key (Key ID=19BE8B0D) -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQEVAwUBNIWeZQbp0h8ZvosNAQE1GAf9E0/ZlxyCZSO9FUMIQ8EbdWJce84wqXDs Zm4MgrdVpOkaQJWeC14WEwE2cLl6RRtcS8NSq+2YWpaZw2+8lxFsOcAhPqSCowCi 5OoBw8MraGZd6ARmQSIoveqcEBWTvggwwg9hGUy1/Eh4JDNy2ZfWj+WLgRILG0Hj kV6Uzrlm56oPKdDW4927jwelQcFdj76UDbQSfeVVWXM6hpJtEpxayDdB9vXCWRZ5 eOVf2FA5Lu6LM23zqQ3+gpA1+XTFK4ENCWO+MSDk3OU20Pk7l5SAZ89bfuI7887a yai8KKwHnHmE18Y5DYOrKoP6aDbjgS0207R5Z5khKsv3BLqJ4zKdPQ== =BnQo -----END PGP SIGNATURE-----