William Geiger III <whgiii(_at_)invweb(_dot_)net> writes:
In <v03110703b06c42291a03(_at_)[206(_dot_)183(_dot_)203(_dot_)100]>, on
10/16/97
at 05, Roland Silver <rollo(_at_)artvark(_dot_)com> said:
I'm interested in PGP 5.x, but I don't understand the criticism of it. Do
certain versions of PGP have GAK or CMR capability built in? If I use
such a version to send a message encrypted with Alice's public key, will
someone other than Alice, such as the FBI, be able to read it without my
knowledge or consent?
If the answer to that question is on some FAQ, please point me to it.
Dispite some of the FUD and Fearmongering going on, there is no version of
PGP that allows a 3rd party to decrypt a message without your knowledge
(there is no backdoors in any version of PGP). Now what Alice does after
she has decrypted the message is another matter that is beyond your
control. :)
I don't think that is a fair answer. Roland asked "do certain versions
of pgp have ... CMR capability built in?"
The honest answer is yes: pgp5.5 for business does.
I think also that pgp5.5 for personal use probably knows how to reply
to a CMR key also.
I'm not clear on this last one, but it may even be that a pgp5.0
implementation knows how to reply to a CMR key also.
This is an apolitical explanation.
I welcome clarification of the question of what pgp5.0 knows how to
send to.
Now just for the those in the "cheap seats": If you encrypt a
message with and only with Alice's public key then only someone who
has a copy of Alice's private key can decrypt it. Hopefully Alice is
the only one who has that key, but like the decrypted message, you
really have no controll of what Alice does with her keys.
That is also generalising.
If Alice is using a key without CMR facility then what you said is
always true.
However if Alice is using a key with CMR then the user using a client
which understands CMR keys will present the user with a choice:
Do you want to allow the CMR key holder to be able read the message as
well as Alice?
Some CMR keys will be marked to state that if the CMR key holder does
not use the application to say he wants to allow the CMR key holder to
read the information, that the message will not reach Alice, because a
CMR policy enforcer will bounce it back.
In addition it is acknowledged that this is a weak enforcement in that
it is relatively easy to create messages which will fool the CMR
enforcement agent, which will still be decryptable by Alice.
This is also an apolitical explanation.
Adam
--
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U(_at_){$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`