[762] in cryptography@c2.net mail archive
KR in company policy
daemon@ATHENA.MIT.EDU (Antonomasia)
Fri May 9 09:46:50 1997
Date: Thu, 8 May 1997 18:40:25 +0100
From: Antonomasia <ant@notatla.demon.co.uk>
To: cryptography@c2.net
Cc: hal@rain.org
[I sent this yesterday to Lucky, Tom and Pat.
Lucky suggested posting it to the list.
I'm copying it to Hal in case of a moderator's
thumb pointing downward.
]
My view of company computer equipment and office
stuff in general is that the company owns it and
can say what you should do with it. This is a major
reason why I have my home computer. (I am not trying
to excuse occasions when managers may produce stupid
plans for the equipment.)
My company has a policy which includes auditing what
goes through the gateway. Nevertheless, I have never
been asked to produce keys or plaintext for any of my
mail messages (PGP or Mixmaster). (I have verified that the
company-supplied PGP is the same as that at ftp.ox.ac.uk.
I do not believe workstations I administer have been
compromised without my knowledge.)
I am led to think that the auditing either:
1) is a bluff
2) is only aimed at porn-seekers
3) established early-on what my interests are
and that I can be trusted
In fact I do not use crypto for essential business.
I did consider encrypting my backups because of the ease of
stealing a tape with most of our work on it. I never have.
Backups take nearly all night as it is. Potential for getting
disciplined after tape theft is near zero. Potential after
failure to recover backups is significant. Managers are far,
far, far more interested in cost than security.
Possible situations where management wants key access are:
1) They want access to business cyphertext.
There should be a set policy of who gets what key,
and in what circumstances, and who should know when
he does so. Use the written policy.
If secrets are to be kept by some employees from others
or if signatures are to have value a
'boss owns all keys under him' policy will not work.
Make the bosses realise this. Obstructing corruption
ought to be one aim of the policy.
2) They want access to personal cyphertext.
You could avoid this by radically restricting
personal use of the company computers.
3) They want access to mysterious cyphertext
that landed as spam in your mailbox. It may
be hard to convince them, but you have no idea
either. Why not hand it over and ask _them_ what
it is? In any event you are responsible for what
you say and do rather than what some kook says to you.
The plans I suggest for avoiding KR issues are:
Make backups of keys as good as backups of cyphertext.
You then do not risk 'lost key - retained text' situations.
(The backups may be different though, both to keep the
text and keys separately, and to allow deliberate
destruction of old keys.)
Store email as plaintext if it must be stored and the need for
communications secrecy is over. Or re-encrypt with a storage key.
Hand over plaintext (in preference to a key) when management
access is wanted.
The hypothetical 'employee holds company cyphertext hostage'
question is bogus. If the employee has the power to change
or delete the data then he is being trusted with it. You
either select staff better or split the work differently.
Bonfire, removed media, refusal to decrypt - what's the
difference? This is not a crypto question.
Tom: Imagine that Netscape releases a product with KR/OKAY
and the law makes it mandatory. Netscape then has a
lead over competitors. Would you be happy with that?
Imagine that a competitor gets into that position while
Netscape is still KR-less. What do you think about that?
In saying 'business is business' you may be speeding GAK
along. Let the USG produce their own software with the
features they want.
Lucky Green wrote:
>
> The notion that KR is the best, if not only, way to allow corporate
> access to plaintext is a false perception that the pro-GAK forces
> successfully managed to install into the minds of corporate America
> and even many list members.
From: Patrick Madden <madden@openmarket.com>
: Lucky,
:
: You've asserted several times recently that KR is not the best way to allow
: corporate access to plaintext. Unfortunately, if you posted it, I missed
: the description of the alternate model you have in mind. Could you please
: post it--I'm in the middle of managing this situation in a real-world
: context, so any concrete information (implementations, papers) would help me.
:
: Thanks,
: --Pat
From: Tom Weinstein <tomw@netscape.com>
: You keep saying this, but you haven't told us what the right solution
: is. Please enlighten me.
--
###############################################################
# Antonomasia ant@notatla.demon.co.uk #
# (mail arcbot@notatla.demon.co.uk for cryptography archive) #
###############################################################
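The plan in the message above (back up keys alongside cyphertext, re-encrypt archived mail under a separate storage key, and hand management plaintext rather than a key) can be modelled in a few lines. The following is an added illustration, not code from the original post or from any product it mentions. It assumes a small constructed cipher built from the Python standard library (an HMAC-SHA256 keystream plus an HMAC tag) so that it runs offline; a real archive would use a vetted AEAD, and the names `MailStore`, `archive_message` and `management_access` are hypothetical.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one key (constructed KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream generator (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class MailStore:
    """Hypothetical archive: mail is re-encrypted under a long-lived storage key at
    archive time, so the communications key can be destroyed afterwards and the
    'lost key - retained text' problem does not apply to the archive."""

    def __init__(self) -> None:
        self.storage_key = secrets.token_bytes(32)  # backed up as carefully as the archive
        self.archive: dict[str, bytes] = {}

    def archive_message(self, comm_key: bytes, wire_blob: bytes, msg_id: str) -> None:
        plaintext = decrypt(comm_key, wire_blob)          # communications secrecy is over
        self.archive[msg_id] = encrypt(self.storage_key, plaintext)

    def management_access(self, msg_id: str) -> bytes:
        # Plaintext of one message is handed over; neither the storage key nor
        # any communications key ever leaves the store.
        return decrypt(self.storage_key, self.archive[msg_id])


def demo() -> bytes:
    """Constructed scenario: one message in transit, archived, comm key destroyed,
    then a management request served from the archive."""
    comm_key = secrets.token_bytes(32)
    wire = encrypt(comm_key, b"quarterly numbers attached")   # constructed sample mail
    store = MailStore()
    store.archive_message(comm_key, wire, "msg-1")
    del comm_key                                            # deliberate key destruction
    return store.management_access("msg-1")


def wrong_key_rejected() -> bool:
    """Shows the failure mode the post warns about: cyphertext retained, key gone."""
    wire = encrypt(secrets.token_bytes(32), b"retained text")
    try:
        decrypt(secrets.token_bytes(32), wire)   # a different key cannot recover it
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("wrong key rejected:", wrong_key_rejected())
```

The point the code makes is the separation of lifetimes: the communications key is short-lived and may be destroyed, while the storage key is backed up with the same care as the archive it protects, which is the "backups of keys as good as backups of cyphertext" rule from the post.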