Re: PGP and Compliance with SEC and Liability Rules

Tim May quoted from macweek:
"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent allows corporations for the first time to centralize control over encryption: "For encryption to be accepted, IT had to gain control. This isn't Big Brother; this is necessary to comply with liability laws and SEC regulations.""
However, this doesn't seem to work, unless I'm mistaken about CMR enforcement and the SEC regulations. CMR will only allow the snoops to read incoming email, not outgoing, and hence if Joe Blow at Foo-Bah.com wants to send me some handy insider trading tips CMR will not stop them. So this seems to be another justification for CMR which just doesn't make sense.

Mark

At 6:31 AM -0700 11/5/97, Adam Back wrote:
Mark Grant <mark@unicorn.com> writes:
Tim May quoted from macweek:
"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent allows corporations for the first time to centralize control over encryption: "For encryption to be accepted, IT had to gain control. This isn't Big Brother; this is necessary to comply with liability laws and SEC regulations.""
However, this doesn't seem to work, unless I'm mistaken about CMR enforcement and the SEC regulations. CMR will only allow the snoops to read incoming email, not outgoing, and hence if Joe Blow at Foo-Bah.com wants to send me some handy insider trading tips CMR will not stop them. So this seems to be another justification for CMR which just doesn't make sense.
CMR and the Policy Management Agent can (and presumably will) be set to scrutinize _all_ mail for "policy violations," outgoing as well as incoming mail. The PGP page has some descriptions of their products.
I think that there is also a facility in the pgp5.5 for business client to add yet another recipient: the sending company's snoop key.
I also got the impression that the policy enforcer could be set up to bounce mail internally which did not have this extra recipient.
Indeed, the Policy Management Agent enforces certain criteria, including CMR, across _internal_ as well as external networks. "PGP® Policy Management Agent for SMTP helps to protect an organization's vital information by enforcing corporate security policies for email communications across internal and external networks." (from www.pgp.com)

In more detail: "PGP Policy Management Agent works with standard SMTP mail servers, intercepting and checking email to ensure that it conforms with desired security policies. A typical policy established for encryption software, for example, is that encrypted email must also be encrypted to a corporate message recovery key to enable data recovery. Email that adheres to the policy is automatically routed to the intended recipient. Email that fails to adhere to any of the established policies is rejected by the server and sent back to the client with a configurable SMTP error message, depending upon the policy failure."

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
ComSec 3DES: 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^2,976,221 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

Mark Grant <mark@unicorn.com> writes:
Tim May quoted from macweek:
"The Gartner Group's Wheatman pointed out that PGP Policy Management Agent allows corporations for the first time to centralize control over encryption: "For encryption to be accepted, IT had to gain control. This isn't Big Brother; this is necessary to comply with liability laws and SEC regulations.""
However, this doesn't seem to work, unless I'm mistaken about CMR enforcement and the SEC regulations. CMR will only allow the snoops to read incoming email, not outgoing, and hence if Joe Blow at Foo-Bah.com wants to send me some handy insider trading tips CMR will not stop them. So this seems to be another justification for CMR which just doesn't make sense.
I think that there is also a facility in the pgp5.5 for business client to add yet another recipient: the sending company's snoop key. I also got the impression that the policy enforcer could be set up to bounce mail internally which did not have this extra recipient. (Note, not having pgp5.5 for business to play with I am going on what others have said.)

So now you've got mail headed out encrypted to 3 long term keys... if the sender uses encrypt to self that will be 4 long term keys! Then the spooks in the sending country will want to be another recipient, and spooks in the receiving country will also, bringing us to a total of 6 long term keys. Whew, talk about security risks!

I thought it would be a good feature to put into the SMTP agent to strip encrypt to self and recipients intended for internal snooping -- that would bring the recipients back down to 2 (or 4 with spooks). Better still would be one recipient (as happens with ad hoc local escrow), and make that key a short term key which is burned after expiry also.

Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
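Added illustration, not part of the thread and not PGP Inc.'s code: a toy version of the check that the SMTP policy agent quoted by Tim would have to make to enforce a corporate message recovery policy, plus the recipient-stripping feature Adam proposes. It reads the public-key encrypted session key (PKESK) packets at the front of an OpenPGP message to learn which keys can decrypt it, accepts the message only if the CMR key is among them, reports how many long-term keys can open it, and can drop chosen recipients (encrypt-to-self, an internal snoop key) before the mail leaves. The key IDs, the session-key MPIs and the trailing encrypted-data packet are constructed placeholders; the packet format follows RFC 2440, but nothing here is real ciphertext.

```python
import struct

PKESK_TAG = 1            # public-key encrypted session key packet
RSA_ENCRYPT_OR_SIGN = 1  # public-key algorithm id carried in the PKESK

# Constructed key IDs for the example; these are not real keys.
SENDER_KEY_ID = bytes.fromhex("0102030405060708")
RECIPIENT_KEY_ID = bytes.fromhex("1112131415161718")
CMR_KEY_ID = bytes.fromhex("C0FFEEC0FFEE0001")


def build_pkesk(key_id: bytes) -> bytes:
    """Version-3 PKESK with an old-format, one-octet-length header.
    The 'encrypted session key' MPI is a constructed placeholder."""
    mpi_value = b"\x01\x23\x45"
    mpi = struct.pack(">H", int.from_bytes(mpi_value, "big").bit_length()) + mpi_value
    body = bytes([3]) + key_id + bytes([RSA_ENCRYPT_OR_SIGN]) + mpi
    ctb = 0x80 | (PKESK_TAG << 2)   # old format, length type 0 (one octet)
    return bytes([ctb, len(body)]) + body


def iter_packets(message: bytes):
    """Yield (tag, start, end, body) for each packet. Handles old- and
    new-format headers; partial and indeterminate lengths are rejected."""
    pos = 0
    while pos < len(message):
        ctb = message[pos]
        if not ctb & 0x80:
            raise ValueError("missing packet header bit")
        if ctb & 0x40:                        # new-format header
            tag = ctb & 0x3F
            first = message[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + message[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", message[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                 # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length, hdr = message[pos + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", message[pos + 1:pos + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", message[pos + 1:pos + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        end = pos + hdr + length
        if end > len(message):
            raise ValueError("truncated packet")
        yield tag, pos, end, message[pos + hdr:end]
        pos = end


def recipient_key_ids(message: bytes) -> list:
    """Key IDs of the leading PKESK packets, i.e. every key that can decrypt."""
    ids = []
    for tag, _, _, body in iter_packets(message):
        if tag != PKESK_TAG:
            break
        if body[0] != 3:
            raise ValueError("unsupported PKESK version")
        ids.append(body[1:9])
    return ids


def policy_check(message: bytes, cmr_key_id: bytes) -> tuple:
    """Accept encrypted mail only if it is also encrypted to the CMR key.
    The rejection string stands in for the agent's configurable SMTP error."""
    ids = recipient_key_ids(message)
    if not ids:
        return True, "not OpenPGP-encrypted; CMR policy does not apply"
    if cmr_key_id in ids:
        return True, f"accepted; {len(set(ids))} long-term key(s) can decrypt"
    return False, "550 policy violation: not encrypted to corporate recovery key"


def strip_recipients(message: bytes, drop_ids: set) -> bytes:
    """Remove the PKESK packets for drop_ids (encrypt-to-self, internal snoop
    key) before the message leaves, keeping every other packet byte-for-byte."""
    out = bytearray()
    for tag, start, end, body in iter_packets(message):
        if tag == PKESK_TAG and body[1:9] in drop_ids:
            continue
        out += message[start:end]
    return bytes(out)


# Constructed stand-in for the encrypted data packet (new-format tag 18).
ENCRYPTED_DATA = bytes([0xC0 | 18, 3]) + b"\x01\x00\x00"

if __name__ == "__main__":
    compliant = (build_pkesk(RECIPIENT_KEY_ID) + build_pkesk(CMR_KEY_ID)
                 + build_pkesk(SENDER_KEY_ID) + ENCRYPTED_DATA)
    print(policy_check(compliant, CMR_KEY_ID))
    print(policy_check(build_pkesk(RECIPIENT_KEY_ID) + ENCRYPTED_DATA, CMR_KEY_ID))
    outbound = strip_recipients(compliant, {SENDER_KEY_ID, CMR_KEY_ID})
    print([k.hex() for k in recipient_key_ids(outbound)])
```

The agent never decrypts anything: the PKESK key IDs are cleartext, so a gateway can count and filter recipients without any key material. That is also why the recipient count is the right risk metric for Adam's point: every PKESK is one more long-term private key whose compromise exposes the message, and stripping packets after the policy check is a pure byte-level operation on the message.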
participants (3)
-
Adam Back
-
mark@unicorn.com
-
Tim May