PGP, Inc.--What were they thinking?

Adam Back aba at dcs.ex.ac.uk
Fri Oct 24 08:44:02 PDT 1997




Phillip Hallam-Baker <hallam at ai.mit.edu> writes:
> I can understand the pressures on PGP to support key escrow. 

There is reasonable justification for key escrow, or recovery features
for _stored_ encrypted information.  The rate at which people forget
passwords alone suggests that this would be a good idea.

However the PGP design does much more than that: it allows third and
fourth parties to decrypt messages in transit.

> The problem with PGP's move is that it is the first significant
> break by the Internet software provider community. This will make it
> much easier for Netscape or Microsoft to cave in.

I think they could have implemented recovery of stored encrypted
files, and of saved email archives more easily without including
recovery information over the wire.  It's a security risk to send
recovery encrypted info over the wire encrypted to long term public
keys.

> It will also build the pressure on them.
> I wonder what would happen to Bills problem with the DoJ if he had a sudden
> change of heart. Somehow I don't see Netscape and Microsoft holding the line
> on GAK if PGP are happily exporting their product and grabbing market share.
> 
> I really did not expect Phil Zimmerman to be the first to blink.

Me either.

> I also don't understand it from the corporate perspective. PGP may be
> picking up some business in the corporate market but at the cost of
> alienating a significant part of the hacker community which has been his
> best supporter up till now. I would think his best strategy would have been
> to build on this customer base rather than sell it out at the first
> opportunity.

He could have built storage escrow with much less argument; almost no
argument in comparison I would expect.

> If Phil Z. wants to get into the Enterprise market he is going to have to
> start speaking their language. Most companies today are looking for open
> standards. PGP may have been the de facto security solution three years ago
> but the reality today is several million copies of Comminicator and Explorer
> with S/MIME built in. 

The obvious thing I think is for pgp to build systems which can
automatically interoperate with either.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`







More information about the cypherpunks-legacy mailing list