Re: What's really in PGP 5.5?

At 02:27 PM 10/7/97 -0700, Jon Callas wrote: [Explaining PGP's rather alarming "data recovery" features.]
Well, that's mostly all it is. There are other bits of the system. For example, if I look up Alice's key on a key server and Alice has a recovery key, I get Alice's recovery key, too. If Alice's recovery key is a "please use" key, then I can encrypt to Alice alone. In any case, the PGP software tells me that Alice has a recovery key, so I can decide to use some other mechanism to talk to her.
Sending a copy to the boss of everything Alice sends is OK. If Alice wants to send something her boss should not read, perhaps she should use her private account, rather than a company paid account. Sending a copy of everything Alice receives to the boss or HR is not OK. Alice should get to control it. It would be acceptable for the company system to keep track of what Alice has received, and flag "Alice received something, and has not yet filed the cleartext copy with us". It is not acceptable to just plain snoop on what Alice receives.
Note that design satisfies the opt-in and fair-warning requirements. Also, since Alice's recovery key is an attribute of her self-signature, she can change it. She can even have a second user name (let's call it Bob), that has no recovery key.
Alice needs finer granularity of control. The leakage to her boss primarily affects her, rather than the sender. Furthermore any auto-snoop feature sets a very dangerous precedent. It is politically a lot more difficult for the FBI to mandate that they can recover your data, if such a mandate leads to the message flashing up, "now sending a copy to the FBI" every time you decrypt something.

---------------------------------------------------------------------
We have the right to defend ourselves     | http://www.jim.com/jamesd/
and our property, because of the kind     |
of animals that we are. True law          | James A. Donald
derives from this right, not from the     |
arbitrary power of the state.             | jamesd@echeque.com
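The mechanism the thread describes (a recovery key attached to a user ID's self-signature, advisory "please use" versus enforced, the sender being told about it, and a second user ID that carries no recovery key) can be sketched as a sender-side decision routine. This is an added, simplified model written for this page, not PGP's own code or packet format; the class names, fields and key IDs are assumptions.

```python
"""Sender-side handling of a recipient's recovery key (ADK), as a model.
Added illustration; not PGP 5.5's implementation. Layout is an assumption:
the recovery key is modelled as an attribute of each user ID, mirroring
'an attribute of her self-signature' in the thread."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserId:
    name: str
    recovery_key: Optional[str] = None  # key ID of the recovery key, if any
    enforced: bool = False              # False means a "please use" request


@dataclass
class PublicKey:
    key_id: str
    user_ids: List[UserId]              # each with its own self-signature data


@dataclass
class EncryptPlan:
    recipients: List[str] = field(default_factory=list)  # key IDs to encrypt to
    notices: List[str] = field(default_factory=list)     # what the sender is told


def plan_encryption(key: PublicKey, user_id_name: str,
                    honour_advisory: bool = True) -> EncryptPlan:
    """Decide which keys a message to `user_id_name` is encrypted to.

    The sender is always told when a recovery key is present, so they can
    pick another channel. An enforced recovery key is always added; a
    "please use" one is added only if the sender chooses to honour it.
    """
    uid = next((u for u in key.user_ids if u.name == user_id_name), None)
    if uid is None:
        raise ValueError(f"no user ID {user_id_name!r} on key {key.key_id}")
    plan = EncryptPlan(recipients=[key.key_id])
    if uid.recovery_key is None:
        return plan                      # e.g. the "Bob" user ID: no escrow
    kind = "enforced" if uid.enforced else "please use"
    plan.notices.append(
        f"{uid.name} has a recovery key {uid.recovery_key} ({kind})")
    if uid.enforced or honour_advisory:
        plan.recipients.append(uid.recovery_key)
    return plan
```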

James Donald <jamesd@echeque.com> writes:
At 02:27 PM 10/7/97 -0700, Jon Callas wrote: [Explaining PGP's rather alarming "data recovery" features.]
Sending a copy to the boss of everything Alice sends is OK.
If Alice wants to send something her boss should not read, perhaps she should use her private account, rather than a company paid account.
Sending a copy of everything Alice receives to the boss or HR is not OK.
Alice should get to control it.
I'm not sure I see why you draw this distinction. Is it because the person sending may intend the message for Alice only? If so I think Jon said that all current versions of PGP warn the user that there is a company escrow situation when you send to the key (this information being in attributes of the key). Snooping Alice's outgoing traffic, and snooping Alice's incoming traffic are similarly little brotherish in my view. If the company has an approval system for official statements (seems reasonable, if it's a press release, important contractual decision, etc), then Alice can send a copy to the legal beagles for the ok, and they can send it on.
It would be acceptable for the company system to keep track of what Alice has received, and flag "Alice received something, and has not yet filed the cleartext copy with us".
I figure this is fair game also... clearly they can see the traffic coming into LAN and being delivered to Alice's mailbox.
It is not acceptable to just plain snoop on what Alice receives.
I don't like it either. But how is this so different from snooping on what Alice sends?
Furthermore any auto-snoop feature sets a very dangerous precedent.
Agree.
It is politically a lot more difficult for the FBI to mandate that they can recover your data, if such a mandate leads to the message flashing up, "now sending a copy to the FBI" every time you decrypt something.
I was arguing earlier that the way for the company to do archiving of received encrypted email was for the archive copy to be taken after the employee has decrypted it. The employee should be made aware that the received email is being archived.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

On Fri, Oct 10, 1997 at 11:40:46AM +0100, Adam Back wrote:
[...]
If the company has an approval system for official statements (seems reasonable, if it's a press release, important contractual decision, etc), then Alice can send a copy to the legal beagles for the ok, and they can send it on.
Isn't it the whole presumption that what Alice is sending is important company information? That is, that Alice *is* a 'legal beagle' or some such? Casual or semi-private email may or may not be allowed, depending on how paranoid or repressive the company, but that isn't the issue, as I see it. The issue is 'important company email'. [...]

--
Kent Crispin                                "No reason to get excited",
kent@songbird.com                           the thief he kindly spoke...
PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html
participants (3)
- Adam Back
- James A. Donald
- Kent Crispin