At 06:53 AM 11/5/97 -0600, William H. Geiger III wrote:
Plain and simple with or without CMR if the government is going to pass
laws requiring that all messages be encrypted with a government key then
you are f**ked, plain and simple.
Your statement supposes that _the_ (singular) government will do this. In
fact, there are many governments in the world. Some of them already have
draconian laws, some have rejected them, and many are still sitting on the
Debating what should or should not be in the Open-PGP specs based on what
law some government may or may not pass in the future does not have a
But it does. The world's governments must be lumped together as
"adversaries". From the point of view of a message sender, a government is
a well-funded, determined, but unauthorized recipient. PGP is supposed to
protect our information from adversaries, even democratically elected
It would be better NOT to have features which are easily abusable by
adversaries, even if those features have some legitimate use. Certainly
such features should not be REQUIRED elements of a standard.
That's where I think the OpenPGP standard, a protocol document, ends. The
rest is implementation choice.
My implementation choice is that GAK/GMR should be a high-profile feature.
I would prefer that other non-GAK/GMR implementations actively refuse to
cooperate with a GAK program. Thus, using GAK means cutting one's self off
from the rest of the non-GAK world. If the US government wants to require
GAK or GMR, they will. But it should be very painful to crypto's users, so
they can't just let it slip by unnoticed.
Switch Systems Engineering voice: 972-918-7236
MCI Communications, Inc. VNET: 777-7236
--If these thoughts were MCI's official opinions, the line above would
--read "MCI - Law & Public Policy Department".