Re: PGP, Inc.--What were they thinking?

With all due respect to Tim May: As a person who's been at work on a very long feature about PGP Inc. for Wired, I can tell you that businesses really don't care that much about PGP's civil liberties advocacy. In fact, its rep could hurt as much as help them. The Fortune 500 is much more pragmatic: They want solutions that work, that help them maintain security for their intellectual property and capital. To that extent, PGP 5.5--which enables IS directors to manage a public key infrastructure and enforce company-wide security policies--is a step in the right direction.

But with this new product, I agree that they run the risk of alienating their core user group of cypherpunks and hackers. Encryption is a very complicated topic that doesn't lend itself well to sloganeering and histrionics. And one major thing that needs to be pointed out: PGP's key recovery system is *voluntary and private*--not mandatory and gov. controlled, which is what the Feds and Louis Freeh have been pushing for.

One potential positive side effect of PGP 5.5 is that it could realign the crypto debate and force people to consider this question: Whose back door should netizens be more worried about: Big Brother or The Boss?

Spencer E. Ante
Associate Editor
THE WEB Magazine

To: cypherpunks@toad.com, fight-censorship@vorlon.mit.edu
cc: (bcc: Spencer Ante/PCWORLD)
Subject: Re: PGP, Inc.--What were they thinking?

At 1:45 PM -0700 10/22/97, Anonymous wrote:
Agreed. What amazes me is how PGP, Inc. would decide this should be a core part of their company. "PGP for Business," indeed. What were they thinking?
Um, maybe that they wanted to stay in business?
This is a truism, that businesses want to stay in business. (And thrive, etc.) The interesting question is whether this action will help them. Why it may not is what we're talking about. For example, if PGP loses its "little guy fighting the system" image, and the company is seen as a major supplier of snoopware and GMR systems, it will have squandered the good will which led many of us to support PGP. And it's by no means clear that corporations will pay enough for PGP for Business if this good will has been squandered.

The free status of most versions of PGP is indeed an impediment to PGP making a profit. That's an unchangeable situation. Lots of copies of PGP are already out there, and lots more are available from many sites. The "commercial use" vs. "personal use" dichotomy is largely unenforceable. If Joe Employee uses PGP 2.6 or even 5.0 for his messages, PGP, Inc. will have a very hard time proving in court that Joe or his employer can be held liable for this use (at most, maybe Joe will have to pay $50 or so...and probably not even that, as PGP 5.0 is not serialized (so far as I can find) and records aren't kept...Joe can just claim he did in fact buy it, blah blah).

This means PGP, Inc. faces a Netscape-like battle in finding revenue sources. Will they succeed? Will people like us continue to give PGP, Inc. the good will it has enjoyed? Stay tuned.

--Tim May

The Feds have shown their hand: they want a ban on domestic cryptography
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^2,976,221   | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

spencer_ante@webmagazine.com writes:
As a person who's been at work on a very long feature about PGP Inc. for Wired, I can tell you that businesses really don't care that much about PGP's civil liberties advocacy.
The suits in charge might not, but many of the security or network people might. Technical advice on which product is best suited for corporate computer and email security often comes from such people.
In fact, its rep could hurt as much as help them. The Fortune 500 is much more pragmatic: They want solutions that work, that help them maintain security for their intellectual property and capital. To that extent, PGP 5.5--which enables IS directors to manage a public key infrastructure and enforce company-wide security policies-- is a step in the right direction.
Hmmm. You can have storage data recovery without allowing third and fourth parties to read what goes over the wire. Sending recovery info with the message is bad security practice anyway, especially when the keys are long term keys.
And one major thing that needs to be pointed out: PGP's key recovery system is *voluntary and private*--not mandatory
So was Clipper, remember? "It's voluntary, read my lips," said the politicians. Then a few FOIAs later we found out they were planning for it to be mandatory all along. Freeh is calling for mandatory now, with comments like "if voluntary doesn't work, we may be seeking mandatory escrow." It's just a tactic; it's obvious that the government wants mandatory. Clearly he will argue that it doesn't work once he gets a "voluntary" system. He'll probably engineer an example of it not working, if a suitable case doesn't arise by itself in a timely manner.
and gov. controlled, which is what the Feds and Louis Freeh have been pushing for.
It's not government controlled, true.
One potential positive side effect of PGP 5.5 is that it could realign the crypto debate and force people to consider this question: Whose back door should netizens be more worried about: Big Brother or The Boss?
Big Bro, any day. But it is not quite that stark, because there is a subtlety which appears to be being missed: governments want real time access to _communications_. Companies want: availability of _stored data_, disaster recovery procedures for encrypted stored data (where disaster is sudden death of employee, or employee forgetting passphrase). This difference allows you to develop systems which are resistant to government key grabbing efforts, which at the same time allow companies disaster recovery plans for encrypted stored data. PGP's system is too neutral in this respect.

Adam

--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`

At 3:08 PM -0700 10/22/97, spencer_ante@webmagazine.com wrote:
With all due respect to Tim May:
As a person who's been at work on a very long feature about PGP Inc. for Wired, I can tell you that businesses really don't care that much about PGP's civil liberties advocacy. In fact, its rep could hurt as much as help them. The Fortune 500 is much more pragmatic: They want solutions that
I agree that the civil liberties side of PGP is of no interest to corporations...in fact, it scares them a great deal. Talking about how Hamas is using PGP to communicate so that the Zionist entity government cannot successfully wiretap the freedom fighters is not something IS managers like to hear about. I agree that PGP, Inc. is apparently recasting itself as a supplier to IS departments and bean counters.
work, that help them maintain security for their intellectual property and capital. To that extent, PGP 5.5--which enables IS directors to manage a public key infrastructure and enforce company-wide security policies-- is a step in the right direction.
But with this new product, I agree that they run the risk of alienating their core user group of cypherpunks and hackers. Encryption is a very complicated topic that doesn't lend itself well to sloganeering and histrionics. And one major thing that needs to be pointed out: PGP's key
If you are implying that my words are "sloganeering and histrionics," I think you're way off-base. I suggest you start reading the points being debated in more detail, and think about the deeper issues.

--Tim May

At 15:08 -0700 10/22/97, spencer_ante@webmagazine.com wrote:
But with this new product, I agree that they run the risk of alienating their core user group of cypherpunks and hackers. Encryption is a very complicated topic that doesn't lend itself well to sloganeering and histrionics. And one major thing that needs to be pointed out: PGP's key recovery system is *voluntary and private*--not mandatory and gov. controlled, which is what the Feds and Louis Freeh have been pushing for. One potential positive side effect of PGP 5.5 is that it could realign the crypto debate and force people to consider this question: Whose back door should netizens be more worried about: Big Brother or The Boss?
Spencer, the folks on the cypherpunks list know better than perhaps anyone else that encryption is a complicated topic. I know it's tempting to search for New Things to Say about the crypto debate. I try it myself sometimes. But the question you posed about "whose backdoor should netizens be more worried about" has been debated for years and is hardly new.

The short answer to it is: when Big Brother is my Boss, I have remedies. I can leave the company or pressure it to change policies. I can file a union grievance. If all else fails, I can leave the company and start my own. This is not the case when Big Brother is Louis Freeh or Janet Reno. When worldwide GAK is the rule, where else can I go? Also: governments have guns; governments have jails. They have unique coercive powers, which the law and western philosophical traditions recognize -- and try to limit.

-Declan (posting this before a soccer game somewhere in Virginia)

On Wed, Oct 22, 1997 at 03:08:07PM -0700, spencer_ante@webmagazine.com wrote:
With all due respect to Tim May:
As a person who's been at work on a very long feature about PGP Inc. for Wired, I can tell you that businesses really don't care that much about PGP's civil liberties advocacy. In fact, its rep could hurt as much as help them. The Fortune 500 is much more pragmatic: They want solutions that work, that help them maintain security for their intellectual property and capital. To that extent, PGP 5.5--which enables IS directors to manage a public key infrastructure and enforce company-wide security policies--is a step in the right direction.
But with this new product, I agree that they run the risk of alienating their core user group of cypherpunks and hackers.
Alienate some, for sure. It doesn't really matter, though. Cypherpunks and hackers don't have a monopoly on intelligence -- there are plenty of people who will hack crypto for food. PGP can't make a go of it on free software, and they can't live forever on investor financing.
Encryption is a very complicated topic that doesn't lend itself well to sloganeering and histrionics.
Eh? GAK, GAKWare, Big Brother Inside, Four Horsemen of the Infocalypse, etc., etc., etc. Sloganeering and histrionics are the very lifeblood of this list. It would die in days if it were limited to rational discussion... And of course, sloganeering and histrionics are just as prevalent in the crypto debates in DC.
And one major thing that needs to be pointed out: PGP's key recovery system is *voluntary and private*--not mandatory and gov. controlled, which is what the Feds and Louis Freeh have been pushing for. One potential positive side effect of PGP 5.5 is that it could realign the crypto debate and force people to consider this question: Whose back door should netizens be more worried about: Big Brother or The Boss?
Nobody denies that your boss has the right to control his equipment and software as he sees fit, and everybody debating on these lists agrees that the government does not need access. It is also incontrovertible that PGP's CMR implementation is a response to real demand. It may be less obvious, but despite what PGP claims, a significant fraction of this demand is for the ability to SNOOP, and not just data recovery.

*All* the debate on this list implicitly takes the employee's side, not the management's side, and that is a serious lack. The unpleasant fact is that managers NEED TO BE ABLE TO SNOOP. It is terrible to work for an employer who will snoop, but it is just as terrible to have dishonest employees. It doesn't take a genius to realize that the existence of dishonest employees is a primary motive for management snooping. Clearly, there are some organizations for which this is more important than others -- financial services companies are only the most obvious example.

--
Kent Crispin                               "No reason to get excited",
kent@songbird.com                           the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html

On Fri, Oct 24, 1997 at 02:42:19PM +0100, Adam Back wrote:
Kent Crispin <kent@bywater.songbird.com> writes:
It may be less obvious, but despite what PGP claims, a significant fraction of this demand is for the ability to SNOOP, and not just data recovery.
I was suspicious about this also; the CMR design makes much more sense if this is the user requirement. Binding cryptography also would make sense for this requirement.
But the last time I expressed this suspicion on this list Jon Callas clearly stated that this was not the case:
Jon Callas <jon@pgp.com> writes:
: It is possible that there is an unstated perceived user requirement, that the messaging standard be able to allow third party access to the communications traffic directly.
:
: Nope, that's not what we're arguing for.
So it would appear that your suspicions are unfounded...
Jon's statement and my statement are consistent, if you look a little more closely.
*All* the debate on this list implicitly takes the employee's side, not the management's side, and that is a serious lack. The unpleasant fact is that managers NEED TO BE ABLE TO SNOOP.
Okay! Someone who is able to say the unpleasant words. (I think Lucky may have been hinting at this also).
If this is the case, I reckon it's still better to just escrow their comms keys locally.
In my early days on the list I spent a great deal of effort arguing exactly this point, perhaps even with you. Perhaps you recall my discussions of the "key-safe" model. (I suppose we could check the archives...) At that time, however, my proposal was branded as key escrow and hence evil, and the STANDARD REPLY WAS THAT IT WOULD BE FAR, FAR BETTER TO JUST ENCRYPT TO A COMPANY KEY AS WELL AS THE PRIVATE KEY. *You* may even have made such arguments. Now that PGP has actually gone and implemented exactly what some months ago was the preferred alternative, the jack-rabbit meme-ridden collective cypherpunk semiconsciousness awakens from its hazy stupor and says "Huh! GAK!", and parades Key Escrow as a safer solution. So, for sure, either the thinking those months ago was shallow, or the thinking now is shallow. The third alternative, that the thinking has remained at a constant level, is interesting to contemplate.
Put them all in the company safe, whatever. To go with this kind of a company with this kind of policy, I would presume that sending or receiving super-encrypted messages would be a sackable offense.
However, there is an alternate reason for the CMR design, which you don't include above (tho' you did I think discuss this earlier):
That PGP Inc thought CMR would be easier to implement within their plugin API, and dual function crypto (file encryption, and email encryption), and to cope with things like encrypt-to-self on Cc: to self to keep copies.
Yes, I did mention the matters of history, backward compatibility, and expedience under tight schedules as important factors.
It is terrible to work for an employer who will snoop, but it is just as terrible to have dishonest employees. It doesn't take a genius to realize that the existence of dishonest employees is a primary motive for management snooping.
Even with snoopware such as you describe, and companies with such attitudes, there are other similarly easy ways to get data out: user walks out of building with floppies. In fact from memory I think this was one you suggested: "frisbee DAT tape out of window to sweetheart" or words to that effect.
I don't remember saying that, but the point is obvious, anyway. The argument that leaking company secrets is the primary concern is fallacious for exactly the reason you mention -- there are a thousand ways to leak data out. There are other, more realistic concerns. Is the employee exchanging encoded gif images with his friends? Is the employee telling the truth about an exchange with a customer? Is the employee spending all his time reading mailing lists devoted to home-brew-beer, and other hobbies? Is the employee distributing porno images from an ftp site on a company computer? Is the employee running a consulting business on the company computers? For investigating any such suspicions, snooping incoming mail would be just as valuable as snooping outgoing mail. BTW: You may laugh -- But I have seen real-life instances of each of these examples.
Clearly, there are some organizations for which this is more important than others -- financial services companies are only the most obvious example.
Maybe. If PGP Inc want to go this far, and design software with these features, I reckon local key escrow is better.
I reckon local key escrow is better, myself. But be real for a moment, Adam. If they had designed a system with "local key escrow" they would have been crucified by the butterfly brains on cypherpunks far more intently than they are being lambasted for CMR. The very phrase "KEY ESCROW IN PGP" would have turned the cypherpunk group mind into quivering jelly.
However that is not what they are saying.
It doesn't matter what they are saying, really. They designed something with a set of constraints, one of which was the meme of antipathy to anything that could be termed "key escrow". I understand what Lucky meant when he said that PGP had pulled the greatest hack ever on corporate America. It's so good that you have to conceal your mirth, for fear of screwing it up...

--
Kent Crispin

Kent Crispin <kent@bywater.songbird.com> writes:
On Fri, Oct 24, 1997 at 02:42:19PM +0100, Adam Back wrote:
It may be less obvious, but despite what PGP claims, a significant fraction of this demand is for the ability to SNOOP, and not just data recovery.
Jon Callas <jon@pgp.com> writes:
: It is possible that there is an unstated perceived user requirement, that the messaging standard be able to allow third party access to the communications traffic directly.
:
: Nope, that's not what we're arguing for.
So it would appear that your suspicions are unfounded...
Jon's statement and my statement are consistent, if you look a little more closely.
Could you explain, please. I took it at face value. He made other statements also denying that claim.
If this is the case, I reckon it's still better to just escrow their comms keys locally.
In my early days on the list I spent a great deal of effort arguing exactly this point, perhaps even with you. Perhaps you recall my discussions of the "key-safe" model. (I suppose we could check the archives...) At that time, however, my proposal was branded as key escrow and hence evil, and the STANDARD REPLY WAS THAT IT WOULD BE FAR, FAR BETTER TO JUST ENCRYPT TO A COMPANY KEY AS WELL AS THE PRIVATE KEY. *You* may even have made such arguments.
I recall your key safe. I also recall that you suggested cypherpunks work out ways to do data recovery -- a suggestion which was ignored because we figure why help them.

There are dangers with each. The company safe model is better, but governments could come along and demand a copy of the keys in the safe, if they are communications keys. For this reason generally I reckon it's safer to stick only storage keys in the safe. Don't back up comms keys.

There are some shortfalls to not being able to recover comms keys (like losing messages which were in transit at time of memory lapse). So if you do need to recover comms keys, it is I think a good idea to implement PGP WoT authenticated TLS (I described how to do this in another post, a reply to one of Jon Callas' posts). This is another easy thing to do. A few days hacking at most, everything is in place, even SMTP agents.

Another thing to do is opportunistic PFS. Use PFS when you can. This just means sending an EG key with each message. If there is a reply, the person replying uses the EG key. The recipient deletes the key after use. (EG keys are cheap to generate, if you keep the same public values.) This is good because it allows the company recovery of comms keys, but denies attackers (industrial espionage, rogue government agents) access to the ciphertext. All simple easy things to do.
Now that PGP has actually gone and implemented exactly what some months ago was the preferred alternative, the jack-rabbit meme-ridden collective cypherpunk semiconsciousness awakens from its hazy stupor and says "Huh! GAK!", and parades Key Escrow as a safer solution.
So, for sure, either the thinking those months ago was shallow, or the thinking now is shallow. The third alternative, that the thinking has remained at a constant level, is interesting to contemplate.
Don't know which, but I do suspect a concrete example has helped to clarify thought. Also CMR is a new development; yes, people have talked about multiple recipients before, but building in MTA support to reject messages is an additional part of the system. (Clipper did something similar: rejection of non-"recoverable" messages -- the 16 bit checksum with undisclosed checksum algorithm being one other example).
Yes, I did mention the matters of history, backward compatibility, and expedience under tight schedules as important factors.
I'm not sure it's _that_ valid, and here's a few reasons why: pgp5.0 has most of the CMR functionality in it -- this implies that PGP Inc have been planning the CMR approach for ages. Also CDR, just escrowing storage keys, is simple. Even simpler than CMR and mail bouncing SMTP agents.
The argument that leaking company secrets is the primary concern is fallacious for exactly the reason you mention -- there are a thousand ways to leak data out.
There are other, more realistic concerns. Is the employee exchanging encoded gif images with his friends? Is the employee telling the truth about an exchange with a customer? Is the employee spending all his time reading mailing lists devoted to home-brew-beer, and other hobbies? Is the employee distributing porno images from an ftp site on a company computer? Is the employee running a consulting business on the company computers? For investigating any such suspicions, snooping incoming mail would be just as valuable as snooping outgoing mail.
BTW: You may laugh -- But I have seen real-life instances of each of these examples.
I'm not laughing. Protecting secrets stored on company machines is I suspect difficult. This is because the company controls the machines: it owns them, it probably installed the software, it can install more software when you're not in the office (eg keyboard sniffer). Also a sense of proportionality is useful; balance what can be weakly enforced by software against other ways that company NDAs can be broken (frisbeeing DAT tape out of window), or other ways that outsiders can send you info which the company wouldn't like (eg sending to your home email address).
Maybe. If PGP Inc want to go this far, and design software with these features, I reckon local key escrow is better.
I reckon local key escrow is better, myself. But be real for a moment, Adam.
Always try to be realistic, Kent.
If they had designed a system with "local key escrow" they would have been crucified by the butterfly brains on cypherpunks far more intently than they are being lambasted for CMR.
Not quite as much I don't think. Especially if they had just implemented storage key escrow. We've been discussing CKE (Commercial Key Escrow) being fine and useful for ages, and GACK of messaging keys being evil. This is a very old meme.
The very phrase "KEY ESCROW IN PGP" would have turned the cypherpunk group mind into quivering jelly.
Would have got some opposition to be sure. But I really think there would have been much less fuss.
However that is not what they are saying.
It doesn't matter what they are saying, really. They designed something with a set of constraints, one of which was the meme of antipathy to anything that could be termed "key escrow".
And pro-privacy seemed to be one of the design principles also. Unfortunately the net effect is worse than what a privacy and politically neutral individual would have come up with just security objectives.
I understand what Lucky meant when he said that PGP had pulled the greatest hack ever on corporate America. It's so good that you have to conceal your mirth, for fear of screwing it up...
Please share what's so funny.

Adam
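The two mechanisms discussed in this message, the CMR-style "bounce mail that isn't also encrypted to the corporate key" agent and the opportunistic-PFS reply to a one-message EG key, modelled as an added Python example (not code from the list, from Adam Back, or from PGP Inc.). A toy ElGamal over a run-time generated prime and a SHA-256 keystream stand in for the real ciphers; the recipient names, the `reply_pub` field and the `mta_accepts()` policy are constructed for the illustration.

```python
import hashlib
import secrets

# Toy ElGamal over a prime generated at run time. Demo parameters only:
# real software uses a large standard group; the protocol logic is the point.
def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

P = gen_prime(512)
G = 2

def eg_keygen():
    x = secrets.randbelow(P - 2) + 1          # private exponent
    return x, pow(G, x, P)                    # (private, public)

def eg_wrap(pub: int, m: int):
    """ElGamal-encrypt the integer m (0 <= m < P) to pub; returns (c1, c2)."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P

def eg_unwrap(priv: int, c1: int, c2: int) -> int:
    # c1^(-priv) == c1^(P-1-priv) mod P by Fermat's little theorem
    return (c2 * pow(c1, P - 1 - priv, P)) % P

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter keystream XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Message format: one random session key, wrapped separately to every recipient
# key. CMR simply adds the corporate key as one more recipient. Constructed here.
def encrypt_message(plaintext: bytes, recipient_pubs: dict, reply_pub: int = None) -> dict:
    sk = secrets.token_bytes(32)
    sk_int = int.from_bytes(sk, "big")
    return {
        "wrapped": {kid: eg_wrap(pub, sk_int) for kid, pub in recipient_pubs.items()},
        "body": stream_xor(sk, plaintext),
        "reply_pub": reply_pub,  # opportunistic PFS: fresh EG key the reply should use
    }

def decrypt_message(msg: dict, kid: str, priv: int):
    """Plaintext if kid is among the recipients, else None."""
    if kid not in msg["wrapped"]:
        return None
    sk = eg_unwrap(priv, *msg["wrapped"][kid]).to_bytes(32, "big")
    return stream_xor(sk, msg["body"])

def mta_accepts(msg: dict, corporate_kid: str) -> bool:
    """CMR policy agent at the gateway: bounce mail not also wrapped to the corporate key."""
    return corporate_kid in msg["wrapped"]

def run_exchange() -> dict:
    alice_priv, alice_pub = eg_keygen()  # long-term key; a copy sits in the company safe
    bob_priv, bob_pub = eg_keygen()
    corp_priv, corp_pub = eg_keygen()    # corporate recovery key
    eph_priv, eph_pub = eg_keygen()      # one-message key Alice attaches for the reply
    first = encrypt_message(b"Q3 numbers attached",
                            {"bob": bob_pub, "corp": corp_pub, "alice": alice_pub},
                            reply_pub=eph_pub)
    no_corp_copy = encrypt_message(b"no corporate copy", {"bob": bob_pub})
    # Bob's reply is wrapped only to the ephemeral key; Alice reads it, then deletes the key.
    reply = encrypt_message(b"received, thanks", {"alice-eph": first["reply_pub"]})
    reply_plain = decrypt_message(reply, "alice-eph", eph_priv)
    del eph_priv
    return {
        "mta_accepts_cmr": mta_accepts(first, "corp"),
        "mta_accepts_no_corp_copy": mta_accepts(no_corp_copy, "corp"),
        "corp_reads_first": decrypt_message(first, "corp", corp_priv),
        "bob_reads_first": decrypt_message(first, "bob", bob_priv),
        # A later grab of Alice's escrowed long-term key cannot unwrap the reply.
        "longterm_reads_reply": decrypt_message(reply, "alice", alice_priv),
        "ephemeral_reads_reply": reply_plain,
    }
```

Run `run_exchange()` to see the gateway bounce the message without a corporate copy, the corporate key recover the CMR message, and the escrowed long-term key fail to read the PFS reply.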

Kent Crispin <kent@bywater.songbird.com> writes:
It may be less obvious, but despite what PGP claims, a significant fraction of this demand is for the ability to SNOOP, and not just data recovery.
I was suspicious about this also; the CMR design makes much more sense if this is the user requirement. Binding cryptography also would make sense for this requirement. But the last time I expressed this suspicion on this list Jon Callas clearly stated that this was not the case:

Jon Callas <jon@pgp.com> writes:
: It is possible that there is an unstated perceived user requirement, that the messaging standard be able to allow third party access to the communications traffic directly.
:
: Nope, that's not what we're arguing for.

So it would appear that your suspicions are unfounded...
*All* the debate on this list implicitly takes the employee's side, not the management's side, and that is a serious lack. The unpleasant fact is that managers NEED TO BE ABLE TO SNOOP.
Okay! Someone who is able to say the unpleasant words. (I think Lucky may have been hinting at this also). If this is the case, I reckon it's still better to just escrow their comms keys locally. Put them all in the company safe, whatever. To go with this kind of a company with this kind of policy, I would presume that sending or receiving super-encrypted messages would be a sackable offense.

However, there is an alternate reason for the CMR design, which you don't include above (tho' you did I think discuss this earlier): That PGP Inc thought CMR would be easier to implement within their plugin API, and dual function crypto (file encryption, and email encryption), and to cope with things like encrypt-to-self on Cc: to self to keep copies.
It is terrible to work for an employer who will snoop, but it is just as terrible to have dishonest employees. It doesn't take a genius to realize that the existence of dishonest employees is a primary motive for management snooping.
Even with snoopware such as you describe, and companies with such attitudes, there are other similarly easy ways to get data out: user walks out of building with floppies. In fact from memory I think this was one you suggested: "frisbee DAT tape out of window to sweetheart" or words to that effect.
Clearly, there are some organizations for which this is more important than others -- financial services companies are only the most obvious example.
Maybe. If PGP Inc want to go this far, and design software with these features, I reckon local key escrow is better. However that is not what they are saying.

Adam

On Fri, 24 Oct 1997, Adam Back wrote:
If this is the case, I reckon it's still better to just escrow their comms keys locally. Put them all in the company safe, whatever. To go with this kind of a company with this kind of policy, I would presume that sending or receiving super-encrypted messages would be a sackable offense.
Adam,

How does your system prevent the employer from fabricating forged signatures in a PK system that uses the same key for signing and decrypting? And if you don't use such a system, then how do you deal with future versions of the software that will allow the user to swap DH keys from underneath the ElGamal keys?

Thanks,

-- Lucky Green <shamrock@cypherpunks.to> PGP encrypted email preferred.
"Tonga? Where the hell is Tonga? They have Cypherpunks there?"

Lucky Green <shamrock@cypherpunks.to> writes:
On Fri, 24 Oct 1997, Adam Back wrote:
If this is the case, I reckon it's still better to just escrow their comms keys locally. [..] To go with this kind of a company with this kind of policy, I would presume that sending or receiving super-encrypted messages would be a sackable offense.
How does your system prevent the employer from fabricating forged signatures in a PK system that uses the same key for signing and decrypting?
PGP isn't using ARR (Additional Recipient Requests) for the old RSA keys either, I don't think -- so I think a copy of pgp5.5 for business which has been configured by an admin with the strictest settings would not be able to generate RSA keys. So the simple way seems to be to not escrow the private components of the DSA signature key. If people forget their passphrase, they'll need to generate a new signature key and get it freshly certified by the admin while he's recovering their encryption key.
And if you don't use such a system, then how do you deal with future versions of the software that will allow the user to swap DH keys from underneath the ElGamal keys?
Interesting question even if you are using separate signature keys. You've got a new signature key. You want to bind your recovered EG keys to it. So I guess you just strip the self-certificates from the EG keys, and add new ones made by the new signature key. You can still decrypt messages, and even pgp5.0 would be able to cope with that (it'll try to fetch keys to check the certification on the signature key).

Adam

On Mon, 27 Oct 1997, Adam Back wrote:
Lucky Green <shamrock@cypherpunks.to> writes:
On Fri, 24 Oct 1997, Adam Back wrote:
And if you don't use such a system, then how do you deal with future versions of the software that will allow the user to swap DH keys from underneath the ElGamal keys?
[Stupid typo my part. This was supposed to be "swap ElGamal keys from under the DSA keys."]
Interesting question even if you are using separate signature keys. You've got a new signature key. You want to bind your recovered EG keys to it. So I guess you just strip the self-certificates from the EG keys, and add new ones made by the new signature key. You can still decrypt messages, and even pgp5.0 would be able to cope with that (it'll try to fetch keys to check the certification on the signature key).
Adam

-- Lucky Green <shamrock@cypherpunks.to>
participants (6): Adam Back, Declan McCullagh, Kent Crispin, Lucky Green, spencer_ante@webmagazine.com, Tim May