[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: comments on PGP *5*



On Sun, Sep 13, 1998 at 10:45:02PM -0400, Steve Kostecke wrote:
> [snip]
> > PGP v5 supports key escrow and it can be used without your knowledge or
> > consent with v5.x, though it can only be specifically enabled in 5.5+ I
> [snip]
> 
> IIRC PGP5 can be configured, by your sysadmin, to automatically encrypt
> a outgoing message session key with a "corporate public-key" in addition
> to the recipient's public-key. And that PGP5 can be configured to refuse
> to decrypt messages when the session key was not encrypted with the
> "corporate public-key". As I understand it this NOT key-escrow.
> 
> AFAIK PGP5 does not provide a mechanism to force you to send a copy of
> your private key to an "Offical Key Escrow Authority". And that the
> "key-recovery" feature has no effect on users of "PGP For Personal
> Provacy" (the non-corporate version).
> 
> Please correct me if I am wrong...

I believe you are, but I haven't got (nor do I want) a windoze box to test
it.

The problem you outline still allows your employer (or anyone with access to
the corporate private key, whether authorized or not--do you trust your
pointy-hair's security methods and pass{words,phrases}?) to view any mail
encrypted to you.

Essentially it circumvents the security provided by PGP.

Attachment: pgpsL95So8DlI.pgp
Description: PGP signature


Reply to: