I _did_ say: "...for review, ... modify, ... resubmit and so on
a couple (times)."
That's _not_ a "rubber stamp."
I can effectively do CMR using 2.6.2 and batch files and server
file/dir rights, but it's a pain.
CMR is irrelevant. Set up the standard so it won't choke on
anyone's app that uses it and/or some other implementation
"add-ins" and move on.
No one is getting _anywhere_ with this more-or-less "off topic"
issue .... maybe this should be a _moderated_ list, eh? Get
something done and moving before RSA gets their foot in the
door? (Even a "rubber-stamped" PGP standard and CMR would
be preferable to _anything_ involving RSA IMO.)
I may use PGP's crypto API in a couple of our apps to protect
client confidentiality ... or I may use something else. I've used
PGP 4/BE with corporate keys (CMR) before it (CMR) became
such an overstated issue. When we use PGP here at work the
PGP key's passphrase is known _both_ to the user and, if I look
it up, to me and the COO (if he looks it up). We're NOT using our
own dime here at the office. At home we (and I,) do what we want
and keep our own personal/private keys to ourselves. At work we
"speak for the company" and encrypting files is a no-no. Though
we've played with Norton's YEO a little. YEO and SecurePC both
have some nice ideas that PGP should, perhaps, look at and
implement in some manner, if they can.
If your company PGP uses CMR, don't use CMR at home. The vast
majority of the time we only use PGP to "sign" plaintext emails, so
CMR is _not_ an issue.
I would be all for having 3 people required to access a user's key
and decrypt their messages, or (gasp) recover their password or
merely _reset_ it so they could get back in themselves. Norton
has such a feature in the Admin kit (a 1-time-only password, I
But then, Norton is a file/directory encryption product, not email.
Matter of fact, this would do away with the whole CMR idea - have
an Admin Kit for business users where the Admin/Supervisor can
just "reset" the password to "password" so they can get back in
and change it ... or the boss can if the employee is dead or in
How many of you expire your keys routinely? How many "normal"
users generate keys with expiration dates? Hmm.
Some of us keep a personal email address/key and a company email
address/key and never the twain meet.
And no, I'm _not_ kidding.
And I, too, am increasingly frustrated by the canine tail-chasing
But at least I'm not posting anonymously.
Last word on the subject.
On Wednesday, November 05, 1997 11:31 AM, Anonymous
Darryl Rowe getting with the spirit of Open Standards writes:
IMO, Phil/PGP should simply present the standard to IETF for
review, make any modifications, resubmit and so on a couple more
times and present a finished product.
Yeah, right on! They write it, we rubber stamp it without
Though W. Geiger, Jon and a couple others are signalling quite
On the topic of CMR? You're kidding, right?
others have an enhanced noise level which seems to be subverting
progress while others (i.e. RSA) manage to get their PR licks in
- An OpenPGP list member who is getting increasingly pissed off
with certain "PGP only is allowed to speak" attitudes around here