The thing that I dread more is the use by your company of your private
key component after you have left. What will others think of your
statements then? Should it be legal (or moral) for a company to
continue use of DNs or keying material for recently dismissed
employees? Or what about decrypting messages sent to that employee? It
is certainly common practice for companies to open snailmail sent to
past employees, why not email?
You might want to take a look at some pending legislation in the House and
Senate: HR1900. If this bill becomes law (and I am informed that there's a good
chance it will) it will severely restrict an employer's right to access an
employee's personal but company-related materials without that employee's
explicit permission. The way it is currently written is so broad that the act
of looking through a sick employee's desk for a critical memo would probably
be illegal, to say nothing of using an employee's private key after that
employee is no more.
I have mixed feelings about this legislation. On one hand, it provides certain
protections I feel are urgently needed. (It started as an attempt to protect
communications workers like telephone operators and telemarketers from
excessive monitoring.) On the other hand, as written its scope is far too
broad. An amusing result may be extensive and immediate use of PEM and PEM-like
technology so employers cannot be put at risk by the unauthorized actions of
their own employees!
This legislation also has one very interesting side effect. In attempting to
comply with it, a company must come to grips with the distinction between an
employee and the position they hold. In other words, about the only way to
continue to do business legally under this law is to distinguish between the
private aspects of an employee as an individual (which are protected) and the
public aspects of an employee's job (which are not covered). In the PEM context
this would make it more or less essential that users have a different DN for
themselves as individuals and for the position(s) they hold.
On a more practical note, the PEM implementation I'm most familiar with
(TIS-PEM) lets a user encrypt their private key with a password. This password
is not stored, so unless an employer takes proactive steps to obtain the
private key there's no way they will be able to abuse it later.
Ned
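The last point in Ned's message, that a password-encrypted private key leaves nothing on disk an employer could use later, is worth seeing concretely. The example below is added here and is not code from TIS-PEM or from anyone in this thread. It shows the shape of a password-protected key file: a random salt, a nonce, the encrypted key and an integrity tag, with the password itself appearing nowhere. The key bytes and password are constructed values, and the HMAC-SHA256 counter-mode keystream is an assumed stand-in for the block cipher a real implementation would use, chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; constructed for this example, not a TIS-PEM setting.
PBKDF2_ITERATIONS = 200_000


def derive_keys(password: str, salt: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the password via PBKDF2-HMAC-SHA256."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. This is a stand-in for a real block cipher
    (assumed here so the example needs no third-party library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_private_key(private_key: bytes, password: str) -> dict:
    """Return the fields a key file would hold. The password is not among them:
    only a random salt, a nonce, the ciphertext and an integrity tag are stored."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(a ^ b for a, b in zip(private_key, stream))
    # Encrypt-then-MAC over everything that will be written to disk.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_private_key(key_file: dict, password: str) -> bytes:
    """Recover the key. A wrong password yields a wrong MAC key, so the tag check
    fails and no plaintext is produced at all."""
    enc_key, mac_key = derive_keys(password, key_file["salt"])
    expected = hmac.new(mac_key,
                        key_file["salt"] + key_file["nonce"] + key_file["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, key_file["tag"]):
        raise ValueError("wrong password or tampered key file")
    stream = _keystream(enc_key, key_file["nonce"], len(key_file["ciphertext"]))
    return bytes(a ^ b for a, b in zip(key_file["ciphertext"], stream))


def key_file_contains(key_file: dict, secret: bytes) -> bool:
    """True if the secret appears verbatim in what would be written to disk.
    Used to confirm neither the password nor the raw key is stored."""
    on_disk = b"".join(key_file[f] for f in ("salt", "nonce", "ciphertext", "tag"))
    return secret in on_disk


if __name__ == "__main__":
    # Constructed sample values; a real key file would hold DER/PEM key material.
    demo_key = b"CONSTRUCTED-PRIVATE-KEY-BYTES-0123456789"
    demo_password = "constructed passphrase"
    key_file = encrypt_private_key(demo_key, demo_password)
    assert decrypt_private_key(key_file, demo_password) == demo_key
    print("password stored on disk:", key_file_contains(key_file, demo_password.encode()))
    print("raw key stored on disk: ", key_file_contains(key_file, demo_key))
```

Because only the salt, nonce, ciphertext and tag are written out, the file by itself gives a later custodian nothing but a work-factor-bound guessing problem, which is exactly why the employer would have to act proactively, while the employee is present, to obtain the key or its password.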