[1701] in cryptography@c2.net mail archive


Re: Are we all looking at the same PGP 5.5 ?

daemon@ATHENA.MIT.EDU (Timothy N. Hill)
Mon Oct 6 18:48:50 1997

In-Reply-To: <Pine.BSI.3.91.971006113032.8449C-100000@ivan.iecc.com>
Date: Mon, 6 Oct 1997 15:00:09 -0400
To: John R Levine <johnl@iecc.com>
From: "Timothy N. Hill" <tnh@acm.org>
Cc: cryptography@c2.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 11:41 -0400 97-10-06, John R Levine wrote:
>> GAK-enabled PGP, plain and simple!
>
>I took a look at PGP's press releases, and what I found was a system
>that lets management implement and enforce encryption policy for
>e-mail and stored files.  One can implement rules that, for example,
>require that mail to or from certain IP ranges or DNS domains be
>encrypted or digitally signed.  The "corporate message recovery"
>presumably means that you can set it up so that certain classes of
>outgoing mail use the corporate recipient key as well as the nominal
>recipient key(s) so the company can see what the message says.
>
>Mail is still sent with boring old unencrypted SMTP.  (It kind of has
>to, if you expect anyone to be able to receive it.)  There are no
>session keys to escrow even if someone wanted to do so.
>
>I personally don't have much use for a product like this, but I can't
>see that it's any different in concept from any other corporate key
>system.  It's intended to avoid situations where an employee drops
>dead or quits, and company files he created become unreadable, or to
>enforce more or less intrusive company rules about use of company
>resources.
>
>GAK is a real threat.  Let's not be distracted by side issues.

Hear, hear!

Three notes:

1.  These corporate features are not new to PGP.  Before PGP, Inc., when
ViaCrypt had the commercial rights to PGP software, ViaCrypt produced a
version that had the same sort of features.

2.  I hope the encryption interface always informs a sender before
automatically adding a corporate recipient key.

3.  I hope that companies that require inclusion of a corporate recipient
key for some or all messages will document for their employees the purpose
of their policy, who holds the corporate private key(s), and under what
circumstances they may be used.

 - Tim

Timothy N. Hill <tnh@acm.org>         "Umpiring is best described as the
Wellesley, Massachusetts, USA         profession of standing between two
<http://tnh.ne.mediaone.net/>         seven year olds with one ice cream
PGP  3FAA C8B3 D7BB 9C93 882E         cone."
     4221 2F66 EFF4 00C6 CF92                              - Ron Luciano


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNDk2fS9m7/QAxs+SEQKIvACfTSFNqdAJUxgUJKRr17fnEzFNrf4An060
w0xp0itipvHhu8NL+NqwUZkF
=Iow5
-----END PGP SIGNATURE-----
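The "corporate recipient key as well as the nominal recipient key(s)" mechanism in the quoted message, and the notification Tim asks for in his second note, both come down to one question: which public keys is a given message encrypted to? As an added example that is not part of the archived mail, of PGP, Inc.'s software, or of ViaCrypt's, the Python below parses the public-key-encrypted session key packets of an OpenPGP message (RFC 4880, section 5.1, the same packet layout PGP 5.x wrote) and lists every key ID that can decrypt it, so a sender or auditor can see whether a recipient beyond the ones chosen was added. Every key ID, session-key value and ciphertext byte in the sample message is constructed filler, not real cryptographic material.

```python
"""List the recipient key IDs of an OpenPGP message (added example)."""
import struct

PKESK_TAG = 1                 # public-key encrypted session key packet
WILDCARD_KEY_ID = bytes(8)    # all-zero ID: "anonymous recipient"

def parse_packets(data):
    """Return [(tag, body), ...] for a binary OpenPGP packet stream.

    Handles old-format headers (RFC 4880 4.2.1) and new-format headers with
    one-, two- or five-octet lengths (4.2.2). Partial-body lengths are
    rejected: session-key packets never use them."""
    pos, packets = 0, []
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                        # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]; pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                length = len(data) - pos             # indeterminate: rest of stream
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        packets.append((tag, body))
    return packets

def recipient_key_ids(data):
    """Hex key ID of every PKESK packet, in message order.

    'anonymous' marks the all-zero wildcard, where the packet does not say
    which key it was encrypted to."""
    ids = []
    for tag, body in parse_packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version %d" % body[0])
        key_id = body[1:9]
        ids.append("anonymous" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
    return ids

def unexpected_recipients(data, expected_ids):
    """Key IDs the message is readable by that the sender did not choose."""
    expected = {k.upper() for k in expected_ids}
    return [k for k in recipient_key_ids(data) if k not in expected]

# --- constructed sample message (not real ciphertext) -------------------------
ALICE_KEY_ID = bytes.fromhex("0123456789ABCDEF")      # constructed key ID
CORPORATE_KEY_ID = bytes.fromhex("FEDCBA9876543210")  # constructed key ID

def _mpi(raw):
    """Encode bytes as an OpenPGP multi-precision integer (bit count + magnitude)."""
    n = int.from_bytes(raw, "big")
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _new_header(tag, length):
    if length < 192:
        return bytes([0xC0 | tag, length])
    if length < 8384:
        length -= 192
        return bytes([0xC0 | tag, (length >> 8) + 192, length & 0xFF])
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", length)

def _pkesk(key_id, algorithm, *mpis):
    body = bytes([3]) + key_id + bytes([algorithm]) + b"".join(_mpi(m) for m in mpis)
    return _new_header(PKESK_TAG, len(body)) + body

def build_sample_message():
    """One PKESK for the intended recipient (RSA, one MPI), one for an added
    corporate key (Elgamal, two MPIs), then a dummy old-format encrypted-data
    packet (tag 9). Session-key MPIs and ciphertext are filler bytes."""
    alice = _pkesk(ALICE_KEY_ID, 1, b"\x7f" * 256)
    corporate = _pkesk(CORPORATE_KEY_ID, 16, b"\x5a" * 64, b"\x3c" * 64)
    encrypted_data = bytes([0x80 | (9 << 2), 24]) + b"\x00" * 24
    return alice + corporate + encrypted_data

if __name__ == "__main__":
    msg = build_sample_message()
    print("encrypted to:", recipient_key_ids(msg))
    print("not chosen by sender:", unexpected_recipients(msg, ["0123456789abcdef"]))
```

Run against a real message, the same `recipient_key_ids` call answers the question behind notes 2 and 3: a client that adds a corporate recipient key leaves a second PKESK packet in every message, which is visible to sender and recipient alike without any key material.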

