IP: Re: PGP "Everything the FBI ever dreamed of"

[David Farber <farber () cis upenn edu>]

Date: Sun, 05 Oct 1997 19:10:27 -0700
To: farber () cis upenn edu
From: Rob Glaser <robg () real com>
Subject: Re: IP: PGP "Everything the FBI ever dreamed of"


Dave I think this article helps put in perspective why gov't mandated
escrow is so bad.


My company, like many companies, lets certain employees have locks on their
office doors.  The employees who choose locks get keys, and the company
retains a master key.  The main reason for this is practical -- for
instance if the employee is out of town and a colleague legimimately needs
something from his/her office.  The system works and, as far as I'm aware,
has never been abused.


An e-mail program that supports "master keys" for encrypted e-mail sent as
part of business is 100% analagous to how most companies choose to handle
physical keys.  Nothing wrong with this.   If the headline quoting Schneier
meant to suggest that there's something untoward about such a progam, then
I disagree with the headline writer.


Having said that, imagine if Congress were about to pass a law that said
that every time a company implemented a physical key system it needed to
give a master key to the FBI (or to the local police department).  The
public would be  appropriately outraged.   


If the FBI needs to get into my company, the FBI can ask me.  If I resist,
there are procedures for them to get a search warrant.   If the physical
security in my office is high (e.g. I run a bank and choose to make my bank
vault very secure), then that's my business as long as I run a legal
business.  


The argument that somehow "cryptography is different" and requires vast
police power beyond the current warrant system has never made any more
sense then, for instance, a system of government mandated escrow of all
physical keys.


Our challenge is to translate the snoops' outrageous plans into terms that
regular citizens can understand and fight.


At 07:43 AM 10/4/97 -0400, you wrote:
> Date: Fri, 3 Oct 1997 07:30:33 -0700
> From: Martin Minow <minow () apple com>
>
>
> An article in today's (Fri, Oct 3) New York Times (CyberTimes)
> <http://www.nytimes.com/library/cyber/week/100397pgp.html>
> describes the new release of "PGP for Business Security 5.5," which
> contains mechanisms that incorporate key recovery mechanism that can either
> be voluntary or be enforced by using PGP's software for controlling a
> company's SMTP server -- the server can verify that all encrypted messages
> include the corporate public key (or conform to other corporate policies):
>
> "The new version also includes some of the most sophisticated techniques
> for enforcing this policy through the corporation. The most novel may be a
> new version of software controlling a company's SMTP server, the machine
> that acts as the central mailroom for a corporation. PGP provides a
> software agent that will read all of the mail to make sure that it complies
> with the corporate policy. This may include requiring all messages to be
> signed with digital signatures or include a backdoor that the management
> can use to read the message. If the software agent discovers a message
> violates the policy, it can either return it to sender or simply log a copy.
>
> "PGP implements the backdoor with a central key. Each message is  encrypted
> with both the public key of the recipient and the public key of the
> management. The message can only be read by someone holding the
> corresponding private keys, in this case the recipient and the management.
> The software allows the management to use different master keys for
> different departments by customizing the software.
>
> ... "Bruce Schneier, an encryption expert and author of the popular book
> Applied Cryptography, said that the new announcement "sounds like
> everything the FBI ever dreamed of." He also predicts that criminals will
> find ways to circumvent the restrictions while honest people may be more
> vulnerable to illicit use of the master key."
> ---
> Coincidently, the same issue of the New York Times has an editorial
> <http://www.nytimes.com/yr/mo/day/editorial/03fri4.html> attacking
> FBI director Louis Freeh's request that Congress "outlaw the
> manufacture and distribution of encryption programs the Government cannot
> instantly crack.
>
> Martin Minow minow () apple com
>
>
>
>
>
>
>
>
> ************************************************************************
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."       - Ben Franklin, ~1784
> ************************************************************************








**************************************************
"Photons have neither morals or visas"  --  Dave Farber 1996
**************************************************