PGP 5.5 CMR/GAK: a possible solution

Adam Back aba at dcs.ex.ac.uk
Wed Oct 22 12:01:36 PDT 1997




Anonymous writes:
> mark at unicorn.com writes:
> >
> > [super encrypt instead of CMR] 
> 
> Neat, automatic superencryption.
> 
> Could the same idea work with the Pgp method with the CMR key?  You
> would encrypt to the user first, then reencrypt to the combination
> of user and CMR key.

I think that is redundant -- if only the user can decrypt to get the
actual plaintext -- you'd just as well send encrypted to the user
alone.

Super encrypting with a non-CMRed company key is perhaps what you are
thinking, and then encrypting internally to user and CMR key.

This would be a definate improvement over straight forward CMR because
it is effectively a poor-mans Transport Level Security (TLS), and
therefore denies access to the ciphertext (and attached CMR recovery
info) to governments and other intruders.

Still I think better yet not to send recovery information over the
wire at all, unless there is a user requirement for message screening.

The stated corporate user requirement for CMR by PGP Inc is recovery
of stored files.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`







More information about the cypherpunks-legacy mailing list