ietf-openpgp

Re: Discussion

1997-10-12 23:53:34
At 7:50 PM -0700 10/12/97, iang(_at_)systemics(_dot_)com wrote:
> I for one view this IETF forum as narrowly technical.  But I think this
> debate is raising issues that threaten the integrity of the process,
> so a fulsome and noisy debate on open-pgp is unavoidable.  Hence I am
> responding in a political fashion where otherwise I wouldn't.

This forum is indeed narrowly technical, should remain narrowly technical,
this discussion is inappropriate for this forum, and if you want to discuss
it please take it to the many other lists that would be more appropriate
such as the cypherpunks list.  We are jumping *way* ahead of ourselves by
discussing it at all at this time on this list when we don't even have a
draft spec yet.  There will be ample time to discuss this later in the
context of OpenPGP when issues like this become relevant and after all the
hypotheses about it have been cleared up and people have actually tried the
product rather than making false assumptions.

[big snip]

> What PGP 5.5 could have done was to add facilities to CC outgoing messages
> to a CMR, and to forward incoming ones.  At the client level.  This is,
> IMHO, legitimate data storage, under the control of the user, who is
> *always* capable of subverting central controls, or of disregarding any
> well-meaning advice embedded within the super-privacy of PGP 2.6.

This is essentially what we have done.  There is *no time* in PGP 5.5 when
the CMRK feature is not under the sender's control -- and I don't mean by
not sending the message.  The CMRK feature only provides you with the
information that the corporation you are sending to will be able to read
this message -- potentially critical information you would not otherwise
have and have not had previously in other software including old PGP.  If
you choose to not send to the CMRK, you can remove it by simply
double-clicking the CMRK to remove it, and the message will be encrypted to
the intended recipient only.  (There is an enforcement option in the
Business version only, but there are many ways around that too, including
simply deleting the self-signature of the recipient.)  The point is that this is an
informational feature for the benefit of users since companies are going to
do this whether you like it or not, better that they do it in this way so
that everyone knows what's going on.  If we had wanted to enforce this in
the client, we would have had to do something very different.

> Some very experienced people have analysed the PGP 5.5 system and found
> it wanting.

Some of these same people have since changed their minds after learning how
things really work now that some of the misinformation is clearing about
this feature -- which is one problem with discussing this on any list right
now: nobody commenting on this has actually tried this feature except those
working at PGP.

-Will

Will Price, Architect/Sr. Mgr.
Pretty Good Privacy, Inc.
Direct (415)596-1956
Main   (415)572-0430
Fax    (415)631-1033
wprice(_at_)pgp(_dot_)com
<http://www.pgp.com>

PGPkey: <http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x5797A80B>