Thu, 03 October 1996 12:23 UTC

Message-ID: <9610030744.aa03114@neptune.TIS.COM>
X-Date: (the original message had no date)
Date: Thu, 03 Oct 1996 19:23:00 -0000

Message-Id: <01BBB06B.90E8B660@Peter.verisign.com>
From: Peter Williams <peter@verisign.com>
To: 'Derek Atkins' <warlord@athena.mit.edu>
Cc: "pem-dev@tis.com" <pem-dev@TIS.COM>, 
    "'Frederik H. Andersen'" <fha@dde.dk>
Subject: RE: Sad situation!!! 
Date: Wed, 2 Oct 1996 14:11:10 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: pem-dev-approval@neptune.tis.com
Precedence: bulk

Derek,

I know the technology can logically facilitate key escrow. I'm amazed that
PGPers are willing to release a product using the PGP trademark, with a
feature which may facilitate covert access. But, so I'm amazed.

Can you explain the facilities of PGP key recovery, and
the agenda for marketing of this feature? It's a real test case
of will of the people I see, here. If PGP, "the people", has
caved to covert access in practice, we might as well go with medium
grade encryption at 56 bits of DES for general purpose use.

Will the exported PGP product be able to be used in a NONE key
recovery mode?

Will there be an export version (for nasty foreigners, like me) and a
domestic version?

Will a US PGP be available in a mode usable by US executives, when
they travel overseas, without violating export rules?

Will US domestic PGP implementations be able to interact
with Non-US PGP implementations which do not
use key recovery?

The thing corporations want most of all is to control who can
perform file/message encryption, and know that in all cases when
an employee has used PGP.corporate-version, the corporation can never
be denied access to its data protected using PGP either
because of the encryption feature, else inability to access the
ciphertext generated using PGP.

These rules and questions would hold I believe for any package equivalent to
PGP.

I had written PGP off, on the ground of egos. I'm actually glad to
be in error (if I am.)

 ----------
From: 	Derek Atkins
Sent: 	Wednesday, October 02, 1996 1:34 PM
To: 	Peter Williams
Cc: 	pem-dev@tis.com; 'Frederik H. Andersen'
Subject: 	Re: Sad situation!!! 

Peter,

You are confused.

It is possible for PGP to support message recovery systems (I don't
say "key" recovery, even though what I mean is that the session key
can be recovered).  The means to do this is 100% backwards compatible,
and can even be done using PGP 2.6.2.

The question is what the "corporate market" wants in terms of key/data
recovery mechanisms.

In my discussions with corporate markets, their recovery requirements
can be easily fulfilled by PGP.  So, saying that PGP cannot perform
data recovery is wrong; you just need to properly use (or configure,
as the case may be) the program.

As for the status of PGP 3.0 (aka PGPlib) -- we're trying to finish up
and get "alpha" quality code REAL soon.  The PGP Library is about 98%
finished, and the PGP message processing application hasn't changed in
a long time.  The PGP Key Management application is still being
flushed out.

-derek



