On Thu, 2005-04-14 at 09:49 +0200, Johan wrote: > Hello, > > I am trying to decide if I should use GnuPG or PGP and I got confused when > I read point nine in the PGP whitepaper > "http://download.pgp.com/pdfs/whitepapers/Top10_Why-PGP_050105_FL.pdf";. To > me this say that "easy data recovery" is only a matter of money. Am I > right or where can I read about how ADK and key reconstruction etc > actually works.
I'm having a bit of a hard time decyphering your question, but I think I can answer it to some degree. Point 9 does NOT mean that another entity (e.g. a business competitor, system cracker, or government) will be able to decrypt your data if they have a whole lot of money and you're not using a PGP Corporation product. In fact, if you use binary programs from an entity like PGP Corporation instead of open source GPG as part of your security system, you are MORE vulnerable to this kind of attack. It would be much easier for a wealthy attacker to pay off or break the fingers of someone who works for PGP Corporation in order to get a back door inserted into their software than it would be to do the same with GPG. The reason is that you can download and examine the source code of GPG, and then compile this audited code for use in your system. This is the meaning of point 9 according to my interpretation: Suppose there's a company called Alice Corporation that has an employee named Bob. Bob has the only copy of an important document, and it's encrypted with his key. That means Bob is the only one who can decrypt this document. Now suppose that Bob loses his key, or refuses to decrypt the document; this would mean Alice Corporation is in trouble. One way to guard against this possibility is to keep a backup of Bob's private key. Then if Bob refuses to decrypt the document or loses his key, the corporation can still get at it. The essence of point 9 is that the above is a clumsy solution that creates a lot of new problems, and that PGP Corporation's software provides a more refined options for mitigating this risk. However, you'll notice this passage near the end of point 9: "PGP Corporation provides solutions that feature patented Additional Decryption Key (ADK) options [...]" This should set off alarm bells when you read it for two reasons: 1. When you make the choice to use patented software, you put yourself in a position to fall victim to vendor lock-in. With sufficient legal resources, the holder of the patent could prevent other software authors from creating competing software, thus forcing you to stay with the original company, even if the costs of staying with that particular vendor increase and the benefits decrease. 2. When you make the choice to use patented software, especially if you have to pay for the privilege, you make the statement that you support software patents. This is bad for everyone. Now, I should make it plain that I don't know whether or not PGP Corporation enforces this particular patent to the detriment of the general public. However, even if it doesn't, it could change its mind in the future. Hope some of this helps, Eric _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
