RE: Sad situation!!!

Peter Williams <peter@verisign.com> Thu, 03 October 1996 13:07 UTC

Message-Id: <01BBB053.9C290A10@Peter.verisign.com>
From: Peter Williams <peter@verisign.com>
To: "pem-dev@tis.com" <pem-dev@tis.com>, "'Frederik H. Andersen'" <fha@dde.dk>
Subject: RE: Sad situation!!!
Date: Wed, 02 Oct 1996 11:19:41 -0700

Frederik,

It's not believable, given the personal credibility problems which would
result, that a PGP trademarked product will ever support key recovery,
with mandatory access to confidential material, by third parties,
including potential covert (wrt to the subscriber) access by law
enforcement. This inability to support a feature which US corporate
users demand almost makes PGP a commercial product disaster, in that
corporate market.

(The above assumes corporates do in fact demand key recovery, to control
access to their own property.)

Does PGP have a major place in the market to which it's always appealed?
Of course. Does it have appeal to the general purpose residential
market? We will see, and I wish it luck, personally.

PGP's destined lack of ubiquity, however, suggests that it will not
become an actual standard for general interoperability between internet
folk, corporate, residential, or civil libertarians alike.

Now, the standards situation would be reversed if PGP were to permit key
escrow. However, full ubiquity would still be lost, as the traditional
PGP users group will no doubt refuse to use the product, and many
current distributors of the public-domain version would be morally
forced, on civil libertarian grounds, to cease distribution (or be
labelled hypocrites).

Whilst underground PGP will inevitably continue to thrive, its
denotation as an internet standard will be as suspect as today.

Peter.

----------
From: 	Frederik H. Andersen
Sent: 	Wednesday, October 02, 1996 2:04 AM
To: 	pem-dev@tis.com
Cc: 	pgp-mime@purpletape.cs.uchicago.edu; smime-dev@RSA.COM;
resolving-security@imc.org; iesg@ietf.org
Subject: 	Sad situation!!!

Hi!

I have followed for years now the attempts to produce a workable secure
email standard which also would be (or become) widely implemented - in
US as well as elsewhere!

I think the situation is very sad! The efforts have more or less failed
and vendor specific standards seem to prevail - all with seemingly
unusable (short keys) security features; even serious X.400 based
proposals exist!

It seems to me, that the only usable solution will have to be based on
PGP somehow! Why? Because PGP supports unlimited strong cryptographic
features, is widely used, is available in the public domain in US as
well as outside US, and is also available as a commercial product!

The MIME specifications seemed to promise a solution for secure mail
but still the standards are not widely accepted and adopted. And even
more sad, the most widespread use of MIME is in the WWW/http domain
where seemingly only vendor specific standards survive :-(

If I ruled the world (!) the PGP/MIME integration would have been
finalized years back, all mail user agents and Web browsers and servers
would have support for this in the form of external hooks so export
related problems were avoided. For really performance important
products, development teams outside the US would have integrated PGP
more directly into their products!

Those of you that more or less agree, please tell me: Is there still
hope?  Where am I wrong?  What's happening about PGP 3.0?

Those of you that are happy that I'm not in charge: What alternative
security product does or will match the (potential?) capabilities of PGP?

Yours,
	Frederik