Thu, 03 October 1996 12:23 UTC
Message-ID: <9610030744.aa03114@neptune.TIS.COM>
X-Date: (the original message had no date)
Date: Thu, 03 Oct 1996 19:23:00 -0000
Message-Id: <01BBB06B.90E8B660@Peter.verisign.com>
From: Peter Williams <peter@verisign.com>
To: 'Derek Atkins' <warlord@athena.mit.edu>
Cc: "pem-dev@tis.com" <pem-dev@TIS.COM>, "'Frederik H. Andersen'" <fha@dde.dk>
Subject: RE: Sad situation!!!
Date: Wed, 2 Oct 1996 14:11:10 -0700

Derek,

I know the technology can logically facilitate key escrow. I'm amazed that PGPers are willing to release a product using the PGP trademark, with a feature which may facilitate covert access. But, so I'm amazed.

Can you explain the facilities of PGP key recovery, and the agenda for marketing of this feature. It's a real test case of will of the people I see, here. If PGP, "the people", has caved to covert access in practice, we might as well go with medium grade encryption at 56 bits of DES for general purpose use.

Will the exported PGP product be able to be used in a NONE key recovery mode? Will there be an export version (for nasty foreigners, like me) and a domestic version? Will a US PGP be available in a mode usable by US executives, when they travel overseas, without violating export rules? Will US domestic PGP implementations be able to interact with Non-US PGP implementations which do not use key recovery?

The thing corporations want most of all is to control who can perform file/message encryption, and know that in all cases when an employee has used PGP.corporate-version, the corporation can never be denied access to its data protected using PGP either because of the encryption feature, else inability to access the ciphertext generated using PGP.

These rules and questions would hold I believe for any package equivalent to PGP.

I had written PGP off, on the ground of egos. I'm actually glad to be in error (if I am.)

----------
From: Derek Atkins
Sent: Wednesday, October 02, 1996 1:34 PM
To: Peter Williams
Cc: pem-dev@tis.com; 'Frederik H. Andersen'
Subject: Re: Sad situation!!!

Peter,

You are confused. It is possible for PGP to support message recovery systems (I don't say "key" recovery, even though what I mean is that the session key can be recovered). The means to do this is 100% backwards compatible, and can even be done using PGP 2.6.2.

The question is what the "corporate market" wants in terms of key/data recovery mechanisms. In my discussions with corporate markets, their recovery requirements can be easily fulfilled by PGP. So, saying that PGP cannot perform data recovery is wrong; you just need to properly use (or configure, as the case may be) the program.

As for the status of PGP 3.0 (aka PGPlib) -- we're trying to finish up and get "alpha" quality code REAL soon. The PGP Library is about 98% finished, and the PGP message processing application hasn't changed in a long time. The PGP Key Management application is still being flushed out.

-derek