On Sun, Sep 13, 1998 at 10:45:02PM -0400, Steve Kostecke wrote:
> [snip]
> > PGP v5 supports key escrow and it can be used without your knowledge or
> > consent with v5.x, though it can only be specifically enabled in 5.5+ I
> [snip]
>
> IIRC PGP5 can be configured, by your sysadmin, to automatically encrypt
> an outgoing message session key with a "corporate public-key" in addition
> to the recipient's public-key. And that PGP5 can be configured to refuse
> to decrypt messages when the session key was not encrypted with the
> "corporate public-key". As I understand it this is NOT key-escrow.
>
> AFAIK PGP5 does not provide a mechanism to force you to send a copy of
> your private key to an "Official Key Escrow Authority". And that the
> "key-recovery" feature has no effect on users of "PGP For Personal
> Privacy" (the non-corporate version).
>
> Please correct me if I am wrong...

I believe you are, but I haven't got (nor do I want) a windoze box to test it. The problem you outline still allows your employer (or anyone with access to the corporate private key, whether authorized or not--do you trust your pointy-hair's security methods and pass{words,phrases}?) to view any mail encrypted to you. Essentially it circumvents the security provided by PGP.
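The thread turns on a session key being encrypted to an additional key besides the recipient's. As an added example (not from either poster), this sketch lists the key IDs a binary OpenPGP message's session key is wrapped to and flags any the sender did not expect. It assumes RFC 4880 packet framing and version 3 session-key packets; the function names, key IDs and sample bytes are constructed for illustration.

```python
# Added example (not from the thread). Key IDs and packet bodies are constructed.
import struct

PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, sec. 5.1)

def read_header(data, pos):
    """Return (tag, body_start, body_len); body_len None means 'runs to end'."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                       # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + data[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        return tag, pos + 2, None          # partial length: treat as final packet
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        return tag, pos + 1, None          # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")

def recipient_key_ids(message):
    """Key IDs of every key the session key was encrypted to, in packet order."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = read_header(message, pos)
        end = len(message) if length is None else start + length
        if end > len(message):
            raise ValueError("truncated packet")
        # Version 3 PKESK body: version octet, 8-octet key ID, algorithm, MPIs
        if tag == PKESK_TAG and end - start >= 9 and message[start] == 3:
            ids.append(message[start + 1:start + 9].hex().upper())
        pos = end
    return ids

def unexpected_recipients(message, expected):
    """Key IDs present in the message that the sender did not intend."""
    return [k for k in recipient_key_ids(message) if k not in expected]

def _pkesk(key_id_hex):                    # constructed old-format PKESK packet
    body = bytes([3]) + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xaa"
    return bytes([0x84, len(body)]) + body

SAMPLE = (_pkesk("1111111111111111") + _pkesk("2222222222222222")
          + bytes([0xA4, 4]) + b"\xde\xad\xbe\xef")   # tag 9: encrypted data
print(unexpected_recipients(SAMPLE, {"1111111111111111"}))
```

An all-zero key ID in such a packet hides the recipient, so an empty result from `unexpected_recipients` only covers keys that are named in the message.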