IP: Re: P Key Escrow and Congress

[David Farber <farber () cis upenn edu>]

From: Stanton McCandlish <mech () eff org>
Subject: Re: IP: PGP Key Escrow and Congress
To: farber () cis upenn edu
Date: Thu, 16 Oct 1997 03:45:27 -0700 (PDT)
X-EFF-General-Info: info () eff org
X-URL: http://www.eff.org/~mech
X-Mailer: ELM [version 2.4 PL25]


As someone who initiall reacted as Bruce Schneier did, but who later took
a step back and examined the details of the new PGP system, I have to say
that there is a lot of misunderstanding going on here. PGP 5.5 Corporate
Edition does *not* do any form of key escrow.  What it does instead is it
forces users, if the company security admin so demands, to Cc a company
key on any outgoing encrypted mail to a third party, and/or (these are
separate options) reject incoming messages that are not Cc'd to that key.


[Note: By "Cc" I don't mean the Internet email carbon copy, but an
analogous carbon copying in the actual encryption process, in which
another, company, key is added to the decryption-capable recipients list,
before any sending via email takes place).


There is *no* relationship between what PGP 5.5 does, and key
"escrow"/"recovery" or "trusted third party" GAK systems.  Rather, what
PGP 5.5 can be forced to do is analogous to requiring that no phone call
be made w/o a company security officer being on the line before the
outside party can talk to the company grunt.  The PGP install process is
careful to note that this is an extreme measure that actually introduces
new security risks.


Any policymakers confusing this with GAK need to be disabused of this
confusion immediately. There is *zero* connection between the two
concepts, for any purposes relevant to FBI/NSA demands for GAK.[*]


For a government to *mandate* a PGP 5.5-style system that provides
govt. access is 100% analogous to a requirement that all phone calls must
include an FBI agent on the line for surveillance purposes before the
caller is connected to the callee.  This is WAY beyond the pale of GAK,
and something even Congress in its decidecly finite wisdom would not dare
impose. Unless allowed to continue mistaking PGP 5.5. for GAK.


[* Government access to keys, a.k.a key surrender, a.k.a. key "escrow" or
"recovery", a.k.a. "trusted third party key systems".]



--
Stanton McCandlish                                           mech () eff org
Electronic Frontier Foundation                           Program Director
http://www.eff.org/~mech    +1 415 436 9333 x105 (v), +1 415 436 9333 (f)
Are YOU an EFF member?                            http://www.eff.org/join








**************************************************
"Photons have neither morals nor visas"  --  Dave Farber 1994
**************************************************