At 07:02 PM 10/17/97 -0400, nospam-seesignature(_at_)ceddec(_dot_)com wrote:
On Tue, 14 Oct 1997, Hal Finney wrote:
One thing PGP has not looked into would be having a master key such that N
bits will be the same from the corporate master key to any user's key.
Then you could recover any user key from the corporate key, but it would
requrire some expense and effort, so it would prevent casual
eavesdropping by the administrators.
A second method would require N (typically 3) escrow keys to recreate the
access key, and would work best if it only decrypted one user's messages.
I would rather not trust a single party within a corporation.
Take a look at my "Why CMR isn't Key Escrow" essay. In it I recommend not
using a single CMRK, and mention a couple of easy-to-implement,
fault-tolerant uses.
In our plans for the next release is putting in secret sharing for a number
of purposes. I'm in favor of requiring that a CMRK be secret-shared, even
if a tin pot dictator can easily own all the shares.
Right now, whoever has the corporate key can read everyone's email. What
happens when there is an insider trading lawsuit when the CIO reads the
CEO's "private" email? I can think of other examples. And if the
corporate key is compromised, I assume that compromises every piece of
email up to that point?
I don't think you've been reading the descriptions of how it works. You're
also focusing on using it with a single key. Every user can have a
different key. No user MUST have a key.
But let me ask a question about PGP, Inc. - Do they use the PGP 5.5
version with corporate key recovery internally?
No, we don't. We have no need to. It would be inappropriate for our
environment.
Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
Chief Scientist 555 Twin Dolphin Drive
Pretty Good Privacy, Inc. Suite 570
(415) 596-1960 Redwood Shores, CA 94065
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)