7 October 1997: Link to PGP explanation of PGP 5.5 for Business
6 October 1997: Link to PGP response to criticism
6 October 1997
Source: Mail lists cryptography@c2.net and cypherpunks@cyberpass.net
Date: Sun, 5 Oct 1997 01:26:09 -0400 From: Monty Solomon <monty@roscom.COM> Subject: FC: New version of PGP is "everything the FBI ever dreamed of" Cc: cryptography@c2.net Begin forwarded message: Date: Fri, 3 Oct 1997 15:21:25 -0400 From: Declan McCullagh <declan@well.com> Subject: FC: New version of PGP is "everything the FBI ever dreamed of" ********* Date: Fri, 3 Oct 1997 07:30:33 -0700 To: risks@csl.sri.com From: Martin Minow <minow@apple.com> Subject: New PGP "Everything the FBI ever dreamed of" An article in today's (Fri, Oct 3) New York Times (CyberTimes) <http://www.nytimes.com/library/cyber/week/100397pgp.html> describes the new release of "PGP for Business Security 5.5," which contains mechanisms that incorporate key recovery mechanism that can either be volontary or be enforced by using PGP's software for controlling a company's SMTP server -- the server can verify that all encrypted messages include the corporate public key (or conform to other corporate policies): "The new version also includes some of the most sophisticated techniques for enforcing this policy through the corporation. The most novel may be a new version of software controlling a company's SMTP server, the machine that acts as the central mailroom for a corporation. PGP provides a software agent that will read all of the mail to make sure that it complies with the corporate policy. This may include requiring all messages to be signed with digital signatures or include a backdoor that the management can use to read the message. If the software agent discovers a message violates the policy, it can either return it to sender or simply log a copy. "PGP implements the backdoor with a central key. Each message is encrypted with both the public key of the recipient and the public key of the management. The message can only be read by someone holding the corresponding private keys, in this case the recipient and the management. The software allows the management to use different master keys for different departments by customizing the software. ... "Bruce Schneier, an encryption expert and author of the popular book Applied Cryptography, said that the new announcement "sounds like everything the FBI ever dreamed of." He also predicts that criminals will find ways to circumvent the restrictions while honest people may be more vulnerable to illicit use of the master key." --- Coincidently, the same issue of the New York Times has an editorial <http://www.nytimes.com/yr/mo/day/editorial/03fri4.html> attacking FBI director Louis Freeh's request that Congress "outlaw the manufacture and distribution of encryption programs the Government cannot instantly crack. Martin Minow minow@apple.com -------------------------------------------------------------------------- This list is public. To join fight-censorship-announce, send "subscribe fight-censorship-announce" to majordomo@vorlon.mit.edu. More information is at http://www.eff.org/~declan/fc/
Date: Mon, 6 Oct 1997 02:19:36 -0500 To: cypherpunks@algebra.com From: Vin McLellan <vin@shore.net> Subject: Re: New PGP "Everything the FBI ever dreamed of" Sender: owner-cypherpunks@cyberpass.net >An article in today's (Fri, Oct 3) New York Times (CyberTimes) ... >describes the new release of "PGP for Business Security 5.5," which >contains mechanisms that incorporate key recovery mechanism that can >either be volontary or be enforced by using PGP's software for controlling >a company's SMTP server -- the server can verify that all encrypted >messages include the corporate public key (or conform to other corporate >policies): Alex Le Heux <alexlh@xs4all.nl> noted: |> Keep in mind that this is the 'PGP for Business'. Companies often |>operate on the principle that email that's sent and received from |>their machines is the company's, not the employee's. This is actually |>reasonable business practice. Specially when encryption enters the |>picture. The employee could walk under a bus, and leave some vital |>but encrypted emails in his mailbox. This could be a real problem for |>corporations. William H. Geiger III <whgiii@invweb.net> brushed aside PGP Inc's critics to complain: >>This has been discussed before on this list and others, and few have >>disagreed, that a company has a legitimate need to be able to access its >>encrypted data. If employees want to send love letters or whatnot then >>they should not be doing it on company time using company resources. >> >>If a corporation wishes to establish a company policy that all >>correspondence be encrypted with the companies master key it is their >>right to do so and IMNSHO it would be foolhardy for them to do otherwise. >> >>Claiming that they are doing the work of Big Brother is a cheap-shot and >>uncalled for. With respect, Gentlemen, I think you are missing the point. There is no corporate demand for a key-recovery mechanism which allows Management immediate real-time access to all encrypted electronic communications. This new PGP facility is analogous to key-escrow or key-recovery for session keys; in essence, it's a backdoor to the session. Here in the US, FBI Director Louis Freeh has been pointed in his comments about the distinction between key-recovery for stored data and key-recovery for transient electronic communications. Key-recovery for encrypted stored data, Freeh noted, serves a sensible and pragmatic business need. Corporations will do it because it's a necessary part of their Disaster Planning. But, as Freeh noted several times in Congressional testimony, there are few if any business requirements for surreptitious, real-time, access to online communications, so businesses (unless forced by legislation, argued Freeh) simply won't do it. It is police agencies, not Management, which seek real-time access to all encrypted e-mail. No one but the Govt wants it. Management, at least in the US, doesn't need this sort of evidentiary data. Management has an employee who can be required to keep a copy of all business e-mail for Management review; or required to cc his or her boss on all e-mail to a customer -- or even forbidden to use e-mail for anything other than business mail cced to the boss. And, of course, the employee can be fired if he/she doesn't comply. But the truth is: Managment doesn't need the aggravation and -- while the standard of managment oversight is more lenient, at least for professional staff -- no company can keep talented employees if it treats them this way. Surreptitious universal access to an employee's encrypted e-mail _is_ like sound and video pickups in the bathrooms. Vastly intrustive; humilating; diminishing. Far more intrustive than is useful or necessary for conventional management needs. It is the work of Big Brother, sadly. GAK-enabled PGP, plain and simple! As Director Freeh noted, it's only LEAs who need and want this. The likely early victims of such a draconian oversight will probably be the long-suffering US government employees. With no evidence to support my supposition, I'll bet the GAKed-crypto strategists are once again offering the federal workforce as the sacrificial lambs, as they did with Fortezza. Trying (again!) to use the bulk federal purchasing power to establish a defacto product standard. Watch over the next six months. I think they used the new -- "post-Fortezza," pre-PKI -- prospect of huge '98-'99 federal purchases of COTS crypto for non-classified DoD and civilian agency e-mail to lure Mr. Zimmerman, major stockholder, into swallowing the words of Feckless Phil, the wild and wooly free-crypto rebel. Anyone wanna wager that this "design option" evolved concurrent with a quiet MOU-structured review of the New Improved PGP by the X Organization at Ft. Meade? Nor, I fear, will this be the last enhanced cryptographic communications app to come out of vendors active in the NSA's new Commercial Liaison initiative. Big federal market. Big lure. Hard not to give the Customer what he wants. Still, it's sad. (I, btw, am moderating a panel on the "Prospects for Government Control of the Internet" at the NSA/NIST-sponsored NISSC in Baltimore this week. Among my panelists are David Herson, the top pro-GAK policy maven for the European Commission; Tom Black of Smith System Engineering, the network specialists commissioned by the European Parlament to figure out how to enforce content regulation; Patricia Edfors, the Chair of the federal PKI Steering Committee and the Security Champion on GITS; Dave Farber of UPenn, the Internet Society, and EFF; and Danny Weitzner of CDT. Powerful and articulate voices from all sides of the Question. Thoughtful and non-obvious suggestions for questions to the Panel would be welcome -- to the List or in private e-mail. TIA.) _Vin Vin McLellan + The Privacy Guild + <vin@shore.net> 53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548 -- <@><@> --