ietf-openpgp

Re: Discussion

1997-10-14 09:48:37

[The question of list relevance... is there a better place to discuss
this where all the parties are reading (OpenPGP standards authors, PGP
Inc employees, and other interested parties)?  The political
discussion does seem somewhat relevant in that both PGP with their CMR
system and the CDR proposal base many of the technical features on
privacy issues.  One suggestion is perhaps to flag political
discussion [P] on the subject line.  Then people seeking to discuss
purely technical issues can skip to those items.  Comments?]

Tim Philp <tphilp(_at_)bfree(_dot_)on(_dot_)ca> writes:
> At 10:11 AM 10/14/97 +0100, you wrote:
> > I'm not saying that the recipient's organisation doesn't have a
> > right to read their e-mail. I think everyone pretty much agrees on
> > this point by now.
>
> I would NOT assume this. Does a company have the right to read any
> snail mail that you receive at your office? Not if it is addressed to
> you. I think that this is an extension of this privacy. This is off
> topic for this list, but I felt the point had to be made. Don't give
> up on issues like this or others may give up on issues such as GAK!

Tim has a good point there.

We, in discussing ways to design non GAK compliant company data
recovery software face an extremely fine balancing act.

We have to demonstrate to people who argue that GAK compliant software
such as pgp5.5 using PGP Inc's GAK compliant CMR design that software
designed to CDR anti-GAK design principles can meet all of their
perceived requirements.  We have to do this otherwise they will throw
up their arms and claim that they couldn't possibly use CDR because it
can't do x.  So far the closest to an x CDR can't directly cope with
is Zooko's example of off-site backup (backup in the hard disk backup
meaning) with company data recovery.  CDR principles do however still
improve the anti-GAK rating of the software considerably through use
of forward secrecy and super encryption on the channel.

The thing to remember when the anti-GAK CDR side of the fence people
are running through these exercises thrown at them by the GAK-happy
CMRers (and also presented by CDRers to help think-ahead about things
CMRers may object to (I am fairly confident that both Zooko falls into
this category)), that it is likely that where the CMRers challenge
involves unsavoury overtones, that the person doing the demonstration
is fully aware of this, and merely doing the exercise to prove that
CDR has equivalent functionality.  

In an effort to demonstrate this distaste, to prevent
misunderstanding, you may see the anti-GAK person make disclaimers
such as "not that I'd recommend you do this or anything, it seems more
than a bit big brotherish to me", or you may see them come up with
suggestions for what more liberal minded companies should do instead,
or offer as options.  I will mark such counter points as "counter:"
below in the analysis of the types of recovery being argued for by the
CMRers.

Also it is important to note that just because something is possible
to implement with anti-GAK CDR principles doesn't mean you should
build it.  Your company might make a stance against for example email
screening by not providing software which can do this.  Or another
method is to maintain separate versions of your software which cater
to different levels, and to make the more snoopy ones progressively
more expensive to deter people from buying them unless they have a
need.  Also your company can make risk assessments for the company and
suggest least snoopy versions.

There are three real requirements which are being argued for here:

1. recovery of data on a disk after the user loses keys (forgets
   password, lets dog chew smart card etc)

2. recovery of email which is stored in mail folders in encrypted form
   by a mail client (password loss again)

3. snooping on email with some weak amount of tamper resistance to
   prevent the sender or recipient hacking around it


Type 1: is relatively uncontroversial: most people will agree with this
if the data on the disk has commercial value to the company, they need
good data availability, and good assurance that data will not be lost.

Counter 1: Disk encryption software can be designed with options for
more progressive companies to allow their users the option of a
separate encryption partition without company recovery facility.
(See, a disclaimer of the type I mentioned above:-)


Type 2: is a bit more politically sensitive; people make points such as
you do, drawing analogies to paper mail received at work and the
expectations of privacy that this has.

Counter 2: One way to defuse the political aspects of this situation
is to encourage companies to have transparent policies (and this idea
is credited to the CMRers at PGP Inc, so they are not entirely lost
causes).  This idea says that where the email address is archived such
that the company could read it when they recover the users key if he
forgets his passphrase, that this possibility for company reading of
archived email should be made clear to both the sender and the
recipient by their mail clients.  This is a very good idea.  There are
a whole selection of statements of intent about how email will be
treated which it might be nice to make clear to both sender and
recipient; examples might be:

- no archive kept

- archive kept, but company has secret split recovery keys in small
  tight-knit company, and users have high expectation that company will
  not snoop

- no recovery of this key, no archive either

and so on.

Counter 2b: Another way to defuse this is to design the email
standard and client software so that it has two email address fields.
One for company use, and another for private comments.  People can fill in
the private field with their email account at a commercial ISP.  The
keys used to encrypt to this second email would not be recoverable
through the company's data recovery mechanism.


Type 3: now we really get controversial: do companies have the right
to snoop employees' email if they get suspicious, or even have policy
of screening outgoing and reading incoming mail?  Most people get
uncomfortable about this one.  

Counter 3: I'm not convinced that it's necessary for anyone without
NSA HQ style strip search at door, with no electronics allowed in or
out of building.  Nevertheless it is possible with CDR to do
something similar, and this is good to the extent that certain CMRers
might argue against using CDR anti-GAK principles at all without this.


The over-riding principle is to field no GAK compliant software.  CDR
allows that.  A second principle is to encourage companies to behave
nicely, and to allow as much personal privacy as they can be persuaded
to allow.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
