ietf-openpgp

Re: proposal: commercial data recovery

1997-10-18 02:41:06

Jon Callas <jon(_at_)pgp(_dot_)com> writes:
   Right now, whoever has the corporate key can read everyone's email.  What
   happens when there is an insider trading lawsuit when the CIO reads the
   CEO's "private" email?  I can think of other examples.  And if the
   corporate key is compromised, I assume that compromises every piece of
   email up to that point?

I don't think you've been reading the descriptions of how it works. You're
also focusing on using it with a single key. Every user can have a
different key. No user MUST have a key.

The fact that it is all optional does not mean that a company may
choose to use it in that way.

I suspect that many companies with their strict property ownership
opinions will have one CMR key, and use the pgp5.5 for business
framework to enforce that all users use it.

   But let me ask a question about PGP, Inc. - Do they use the PGP 5.5
   version with corporate key recovery internally?
   
No, we don't. We have no need to. It would be inappropriate for our
environment.

Most companies aren't as progressive as PGP, and most companies have a
corporate property ownership attitude even if they similarly have no
need for the actual functionality.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`