ietf-openpgp

RE: PGP CAKware & IETF controlled Open-PGP standard

1997-10-13 07:32:25

A weakly comparable example might be perhaps the IPSEC standardisation
process, and the effect of export regulations on key sizes.  Are IPSEC
key sizes allowed to be restricted in the standards so that IPSEC
products can be exportable?

Hope you are not referring to PGP 5.5 here, key sizes are the same 
as they have always been. Recovery key can be up to 2048 bits.

Now some would argue, and with some justification, that emails sent
using company equipment are the property of that company.  

A bit different here: have never said that the e-mail was the property 
of company (do not think of e-mail as property and doubt that the 
transmission media would imply an immediate transfer/granting of copyright)
still, put enough money in front of a lawyer...

The notion I have put forward is that if you use someone else's property
to send e-mail, they have the right to read it (providing notice will generally
keep you out of court but have never heard of a decision that the owner
could not read).

Is a simple concept: if you use my system, I can control. Now it is true
that "common carriers" have gone to great lengths to absolve themselves
of any responsibility for content. Thus far no-one has brought suit (that
I know of, ANAL) for someone failing to exercise control. Yet. But the
potential is there (why it is so important to say "may be monitored"
rather than "will be monitored").

However there are other considerations also.  Expectation of privacy is one.

Privacy IMNSHO is not a guaranteed right. In order to have an expectation
of privacy, the sender must perform an act establishing that expectation.
Sealing an envelope is such an act. Encrypting a message is such an act
(possibly even if you just use ROT13). Sending a message in the clear
does nothing to provide that expectation - is really the same as sending
a postcard. Reading one may be bad manners but is not criminal.

The negative aspects of a society in which most companies have become
little brother institutions, becoming small versions of what many of
us are fighting: mandatory government access to keys, big brother
wanting the ability to read all traffic.

I would be somewhat concerned if PGP Inc's recently announced the key
escrow functionality becomes part of the Open-PGP standard, because it
will set a bad precedent, and possibly force others who would
otherwise wish to implement to the open-PGP standard to also implement
features useful to secret service special interests in enforcing
mandatory domestic government access to keys, or implement only partly
compatible systems.

Is hardly that, merely the addition of an additional recipient. Now to
do so without notice would not be a good idea. Really all that is needed 
in the standard is the ability to send to multiple recipients - *how*
or *who* they are is up to the vendor, has nothing to do with the 
transmission protocol.

Would expect that such a message would have no discernible difference from 
any other encrypted message. True a gateway or postoffice could refuse to
handle any message that did not have a specified recipient(s) but again this
has nothing to do with the transmission protocol.

Final comment - suspect that large companies will not have just one such
key, rather there are liable to be hundreds - a *different* one for each 
site/department/program.

                                        Warmly,
                                                Padgett
