Re: proposal: commercial data recovery
Jon Callas <jon@xxxxxxx> writes:
> Right now, whoever has the corporate key can read everyone's email. What
> happens when there is an insider trading lawsuit when the CIO reads the
> CEO's "private" email? I can think of other examples. And if the
> corporate key is compromised, I assume that compromises every piece of
> email up to that point?
>
> I don't think you've been reading the descriptions of how it works. You're
> also focusing on using it with a single key. Every user can have a
> different key. No user MUST have a key.
The fact that it is all optional does not mean that a company may
choose to use it in that way.
I suspect that many companies with their strict property ownership
opinions will have one CMR key, and use the pgp5.5 for business
framework to enforce that all users use it.
> But let me ask a question about PGP, Inc. - Do they use the PGP 5.5
> version with corporate key recovery internally?
>
> No, we don't. We have no need to. It would be inappropriate for our
> environment.
Most companies aren't as progressive as PGP, and most companies have a
corporate property ownership attitude even if they similarly have no
need for the actual functionality.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`