I'm quite certain that the Security and MIS directors at various companies asked PGP, Inc. to include message recovery features. Not so much to handle the very rare (almost nonexistent) cases where a piece of mail sent at some time in the past has to be recovered because Alice was hit by a truck, or similiar unlikely events (*), but because Security and MIS folks would

Tim May wrote: like

the option of "monitoring" e-mail traffic.

As someone who has witnessed recovering email (the icky task fell to someone else), I can tell you it's not a pretty sight. Employees leave, sometimes under a cloud (sometimes under several tornadoes worth of bad weather), sometimes people are assigned overseas, etc. -- sometimes file recoveries need to be done, which implies that there may have been encryption used on those files. CDR (IMHO) would allow for these kind of recoveries without compromising the security of the data en-route. Personally, I would prefer a CDR system that did _not_ encrypt the stored plaintext, just because that simplifies matters while also preventing use of CDR for GAK, as there are _no_ general organization keys for the government to desire. Nothing prevents the employee from encrypting the "recovery file" anyway, which should be done if the information is "sensitive but unclassified" (like company financial data that should only be viewable by the employees responsible for that data). (This should be done in most companies because any computer kept at the desktop is inherently insecure.) (Handling disk/file encryption keys in a corporate setting is a separate matter.) The ability to recover important documents is what _I_ want as an IS member -- and CMR isn't the best way to do it. (Personally, if IS has time to monitor everyone's email, I think they are *way* overstaffed...) ========================================================== Mark Leighton Fisher Thomson Consumer Electronics fisherm@indy.tce.com Indianapolis, IN "Their walls are built of cannon balls, their motto is 'Don't Tread on Me'"