(Fwd from f-c) Note from PGP employee on MRK

X-POP3-Rcpt: declan@relay.pathfinder.com
Subject: Re: PGP, Inc.--What were they thinking?
Date: Wed, 22 Oct 97 20:38:14 -0400
x-sender: Jamie-McCarthy.org@mm.mailbank.com
From: Jamie McCarthy <jamie@mccarthy.org>
To: <fight-censorship@vorlon.mit.edu>
cc: "Jason Bobier" <jason@pgp.com>
Mime-Version: 1.0
Sender: owner-fight-censorship@vorlon.mit.edu
X-Loop: fight-censorship@vorlon.mit.edu
X-FC-URL: Fight-Censorship is at http://www.eff.org/~declan/fc/
X-FC-URL: To join send "subscribe" to fight-censorship-request@vorlon.mit.edu

A friend of mine by the name of Jason Bobier <jason@pgp.com> happens to work at PGP, Inc. I'll preface his comments by pointing out that I'm sure he doesn't speak for the company in any way.
Unfortunately these people just don't get it. Corporations refused to buy 5.0 because it did not have any way for the corps to get at email encrypted to their employees. There are some very legitimate uses of this, such as when an employee dies and someone else has to take over for them.
Without corps buying the product, there is no PGP, Inc., and thus no dedication of resources to the production of PGP. This leads us back to the floundering state of development that PGP was in before 5.0.
They also don't seem to realize that you always have the ability to remove the MRK from your list of recipients.
Sometimes I really feel like screaming at these people. _All_ of the developers at PGP are personal privacy zealots and no one likes the idea of the MRK. That is why we refuse to make them required. It is also why there still are freeware and personal versions of the product. I wish they would just realize that we aren't some evil group of people that are solely plotting how to make the most money off of this. Most everyone at PGP has internalized personal privacy as a cause (actually most had it before they joined PGP).
*sigh* OK, enough ranting. Feel free to quote various parts of this if you feel like responding to the list.
Jason
--
Jamie McCarthy
new email => jamie@mccarthy.org
homepage: http://www.absence.prismatix.com/jamie/
fan of: http://www.nizkor.org/

At 10:35 pm -0400 on 10/22/97, Declan McCullagh wrote:

> A friend of mine by the name of Jason Bobier <jason@pgp.com> happens to work at PGP, Inc. I'll preface his comments by pointing out that I'm sure he doesn't speak for the company in any way.
> <snip>
> Sometimes I really feel like screaming at these people. _All_ of the developers at PGP are personal privacy zealots and no one likes the idea of the MRK.

Kind of like aeronautical engineers are aviation zealots?

The ganglia twitch...

Cheers,
Bob Hettinga

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>

Declan <declan@well.com> forwards:

> A friend of mine by the name of Jason Bobier <jason@pgp.com> happens to work at PGP, Inc. I'll preface his comments by pointing out that I'm sure he doesn't speak for the company in any way.
>
> Unfortunately these people just don't get it. Corporations refused to buy 5.0 because it did not have any way for the corps to get at email encrypted to their employees. There are some very legitimate uses of this, such as when an employee dies and someone else has to take over for them.

When someone dies, it seems to me that you are interested to get at the archived email primarily, not the odd new emails which are addressed to that employee. Regardless, even if you did want to allow the company to be able to spot check emails arriving for the employee it would be simpler to just give the employee's key to the company. PGP employees seem to get upset if you suggest giving companies copies of employees' keys -- but really what difference does it make if the company can read messages addressed to you with their own key or with your key? (Clearly in either case you can bypass the whole setup with superencryption, or just by walking out of the building with a DAT tape.)

> Without corps buying the product, there is no PGP, Inc., and thus no dedication of resources to the production of PGP. This leads us back to the floundering state of development that PGP was in before 5.0.

Right. So implement storage recovery, that's what the corp wants to protect: data availability.

> They also don't seem to realize that you always have the ability to remove the MRK from your list of recipients.

However, in some circumstances this ability doesn't help you much: because if the recipient is working for a company running pgp5.5 set up strictly, it'll bounce your mail unless you keep the "MRK" on the list of recipients.

> Sometimes I really feel like screaming at these people. _All_ of the developers at PGP are personal privacy zealots and no one likes the idea of the MRK. That is why we refuse to make them required.

The SMTP policy enforcer which bounces mails which don't have extra CMR crypto-recipients seems to fly in the face of your claimed refusal. Yes you can hack around it, yes it's optional, but PGP Inc wrote it, and provides facilities to enforce this behaviour for those that chose to use it in that mode.

> It is also why there still are freeware and personal versions of the product.

pgp5.5 freeware/personal use also knows how to comply with a CMR request from someone using a company account with policy enforcer, and strict settings.

> I wish they would just realize that we aren't some evil group of people that are solely plotting how to make the most money off of this. Most everyone at PGP has internalized personal privacy as a cause (actually most had it before they joined PGP).

I'm not sure that many people have accused PGP of being "evil" or plotting to sell us out for money. What many have said though is that there are better ways to implement corporate data recovery disaster recovery procedures than PGP have implemented; ways which are much more resistant to abuse by government. There isn't that much objection to companies having whatever access they want; certainly not much for data recovery.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
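
Added example, not part of the thread and not PGP Inc.'s code: a sketch of the kind of recipient-list check the reply above attributes to the SMTP policy enforcer. It lists the key IDs named in a message's public-key encrypted session key packets and bounces when a required key ID is absent. It assumes OpenPGP packet framing and that the decision rests on those key IDs alone; the function names, key IDs and sample packets are constructed.

```python
# Added example: hypothetical function names; key IDs and packets are constructed.
PKESK = 1  # Public-Key Encrypted Session Key packet: one per recipient key
def packets(data):
    """Yield (tag, body) for each OpenPGP packet, old or new header format."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new format: tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                 # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = 1 << ltype                 # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(message):
    """Key IDs named by the PKESK packets that precede the encrypted data."""
    ids = []
    for tag, body in packets(message):
        if tag != PKESK:
            break
        if len(body) < 10 or body[0] != 3:    # v3: version, 8-byte key ID, algo
            raise ValueError("unsupported PKESK packet")
        ids.append(body[1:9].hex().upper())
    return ids

def enforce(message, required_key_id, strict=True):
    present = required_key_id.upper() in recipient_key_ids(message)
    return "accept" if present or not strict else "bounce"

def sample_pkesk(key_id_hex):                 # constructed packet, dummy MPI
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xff"
    return bytes([0x80 | (PKESK << 2), len(body)]) + body

SAMPLE = sample_pkesk("1111111111111111") + b"\xa4\x04data"  # employee key only
```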