At 12:19 AM 10/18/97 +0100, Adam Back wrote:
Padgett Peterson <PADGETT(_at_)hobbes(_dot_)orl(_dot_)lmco(_dot_)com> writes:
> Adam Back <aba(_at_)dcs(_dot_)ex(_dot_)ac(_dot_)uk> writes:
> >I'm not clear on this last one, but it may even be that a pgp5.0
> >implementation knows how to reply to a CMR key also.
>
> Source code is available, or am sure pgp will answer.
No answer so far. It would be quicker for someone who does know to
say yay or nay, than for me to read through the source. Or simply for
someone who has both pgp5.0 and pgp5.5 test rig to try it and see with
a CMR key to see what pgp5.0 thinks of it; and what pgp5.5 + policy
enforcer thinks of what pgp5.0 sends it in response.
Pardon me for being testy, Adam, but I've said this before, and I do have
other things to do. (Also, I am not caught up on my mail from last week,
even -- I'm not ignoring anyone, I'm just slow.).
With 5.0, it recognizes the CMRK and brings up a dialog box showing you
what you're about to do. You can always remove a CMRK using 5.0 or 5.5
personal privacy/freeware.
Even if you believe that PGP Inc will never get an export license to
tinpotdictatorsville, there will be other companies implementing to
the OpenPGP standard in countries with freer export regulations.
These people if they choose to implement to the OpenPGP standard, will
be forced to implement the CMR feature too, otherwise the software
will not interoperate.
No.
Software that does not implement CMR will always interoperate with software
that does. That's a feature.
Steganography, or other low bandwidth subliminal channels would work,
but such techniques are advanced, and PGP Inc are not making similar
scale efforts to develop and deploy these.
Actually, we *are* considering putting in stego and some other features.
The major deciding factor about when we do them all revolves around who
will buy them.
Also if Padgett is using pgp5.5 himself, and he attempts to send a
mail to someone living in tinpotdictatorsville, his client will
cooperate with the dictators wishes. If the CMR mechanism were not
used at all the dictator would find he had far less use for pgp5.6
(with CDR in place of CMR). This is because CDR does not provide any
third party access to communications. It provides third party access
for stored data. The dictator only has 1000 soldiers (it is a small
dictatorship), and they can only collect backup tapes from 100 houses
per day. They are never sure if the citizens aren't hiding another
machine somewhere. The process is inefficient and costs lots of
resources. In fact the dictators job is now much harder than it would
have been were PGP to keep the CMR method.
You are in error. The only time that you are forced to use CMR is when (1)
you share the CMRK with the other party AND (2) the strict flag is set. In
all other cases, you can opt-out, on a message-by-message basis.
Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
Chief Scientist 555 Twin Dolphin Drive
Pretty Good Privacy, Inc. Suite 570
(415) 596-1960 Redwood Shores, CA 94065
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)