Re: PGP, Inc.--What were they thinking?

I should point out before starting that I now work for Verisign. The following is personal opinion, however, and may not reflect any corporate policy that may or may not exist.

I can understand the pressures on PGP to support key escrow. When I designed the Shen trust system for the Web I allowed for an escrow facility for much the same reasons that have been cited. If it were not for the unrelenting pressure from the US government to support GAK I am sure that commercial escrow would be a checkbox item. The problem is that as long as the pressure is there any step towards commercial escrow is also a step towards GAK.

The problem with PGP's move is that it is the first significant break by the Internet software provider community. This will make it much easier for Netscape or Microsoft to cave in. It will also build the pressure on them. I wonder what would happen to Bill's problem with the DoJ if he had a sudden change of heart. Somehow I don't see Netscape and Microsoft holding the line on GAK if PGP are happily exporting their product and grabbing market share.

I really did not expect Phil Zimmermann to be the first to blink.

I also don't understand it from the corporate perspective. PGP may be picking up some business in the corporate market but at the cost of alienating a significant part of the hacker community, which has been his best supporter up till now. I would think his best strategy would have been to build on this customer base rather than sell it out at the first opportunity.

If Phil Z. wants to get into the Enterprise market he is going to have to start speaking their language. Most companies today are looking for open standards. PGP may have been the de facto security solution three years ago but the reality today is several million copies of Communicator and Explorer with S/MIME built in. If you are prepared to load certs manually for each person you communicate with you can even use the Web of trust model with S/MIME. It's easier if you can rely on a CA.
I probably don't have to remind many people on this list that few people make security a priority, although they are prepared to do so if it has little impact on them personally. I really don't want to get into a standards flamewar; the point I'm making is that this is a bigger issue in the Enterprise market than key escrow at this point. Phil claims to have an RSA license; if he wants to go after the enterprise market he can support S/MIME.

Phill

Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
I can understand the pressures on PGP to support key escrow.
There is reasonable justification for key escrow, or recovery features, for _stored_ encrypted information. The rate at which people forget passwords alone suggests that this would be a good idea. However, the PGP design does much more than that: it allows third and fourth parties to decrypt messages in transit.
The problem with PGP's move is that it is the first significant break by the Internet software provider community. This will make it much easier for Netscape or Microsoft to cave in.
I think they could have implemented recovery of stored encrypted files, and of saved email archives, more easily without including recovery information over the wire. It's a security risk to send recovery-encrypted info over the wire encrypted to long-term public keys.
It will also build the pressure on them. I wonder what would happen to Bills problem with the DoJ if he had a sudden change of heart. Somehow I don't see Netscape and Microsoft holding the line on GAK if PGP are happily exporting their product and grabbing market share.
I really did not expect Phil Zimmerman to be the first to blink.
Me either.
I also don't understand it from the corporate perspective. PGP may be picking up some business in the corporate market but at the cost of alienating a significant part of the hacker community which has been his best supporter up till now. I would think his best strategy would have been to build on this customer base rather than sell it out at the first opportunity.
He could have built storage escrow with much less argument; almost no argument in comparison I would expect.
If Phil Z. wants to get into the Enterprise market he is going to have to start speaking their language. Most companies today are looking for open standards. PGP may have been the de facto security solution three years ago but the reality today is several million copies of Comminicator and Explorer with S/MIME built in.
The obvious thing, I think, is for PGP to build systems which can automatically interoperate with either.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

In <01bcdf5a$4a2d3a60$06060606@russell>, on 10/22/97 at 10:20 PM, "Phillip M. Hallam-Baker" <hallam@ai.mit.edu> said:
I really don't want to get into a standards flamewar, the point I'm making is that this is a bigger issue in the Enterprise market than key escrow at this point. Phil claims to have an RSA license, if he wants to go after the enterprise market he can support S/MIME.
Nothing personal Phil, but that is the most brain-dead suggestion I have seen on this list in a long time. Well, I can see that getting a paycheck from Verisign hasn't tainted your views in favor of an inferior standard.

--
---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
---------------------------------------------------------------

Phillip M. Hallam-Baker wrote:
I should point out before starting that I now work for Verisign. This following personal opinion however and may not reflect any corporate policy that may or may not exist.
Knowing who is pulling Verisign's strings, I sincerely doubt that a thinly-veiled character assassination of Phil Zimmermann is out of line with their corporate policy. It's a little early to start cumming in your pants over PGP's loss of reputation capital, P[s]hill. When the dust is finished settling in the battle deciding whether we will live in a total surveillance state, or not, Verisign is likely to end up at the bottom of the dust-bin (unless, of course, you accomplish your aims at the company very, very quickly--which is highly unlikely).

Phill Half-Baked
"Stick a knife in me, I'm half-done."
participants (4): Adam Back, Phillip Half-Baked, Phillip M. Hallam-Baker, William H. Geiger III