Self Decrypting Archives

Joseph Bruni
Fri Jun 20 07:22:03 2003

I think it was hospitality which is notoriously full of Luddites. The 
vendors (airlines mostly) that I work with also like to generate 
separate keys for each partner. I suspect that they just don't grok 
what a public key really is. At my company we mandate either (1) SSH2 
or (2) OpenPGP. If they don't play, we tell them to take a hike 
regardless of the "sensitivity" of the information.

Once an interface has been put into place, it's all too easy for 
marketing people to add more and more information until you've crossed 
the line into violating the EU Privacy Directive and/or the US Safe 
Harbor policy. If the interface is already secure, the marketing people 
can have their way with it.

I feel your pain regarding the EOLN conversion. It seems like the 
vendors who are using Windows are the least helpful. They always expect 
us Unix people to do their EOLN conversion.

On Thursday, June 19, 2003, at 09:41 PM, Steve Butler wrote:

> Not sure what industry Jeff is in. In the health care industry in the US we
> can simply point to the HIPAA regs and tell our vendors that they need to run
> something compatible with PGP and provide us with their public key.
> Had one vendor that insisted on generating a new public key for us to use!
> I've always wondered how they kept track of which pass phrase to use when
> they had to decrypt.
> Thankfully cooler heads prevail here and I could simply provide them with
> the same Public key we provide everybody else.
> But, to the point for Jeff. I'd simply ask them for their public key and
> state that you'll send them an encrypted file.
> Since we encrypt on a Linux box, it would be impossible for us to send an SDA
> to those vendors that use Windows (and I know of at least two -- wish them
> luck every time we ship a file as they forget about the LF versus CR LF
> convention).
> -----Original Message-----
> From: John B []
> Sent: Thursday, June 19, 2003 4:50 PM
> To:
> Subject: Re: Self Decrypting Archives
> On Thursday 19 June 2003 16:07, Jeff Herrin wrote:
>> Nobody is actually clicking on anything. The file creation, the encryption,
>> the FTP transfers, the decryption is all done automatically by scripts that
>> are designed to specifically handle SDAs. I know they have the ability with
>> their commercial version of PGP to handle whatever I send them but their
>> system is specifically looking to read from an FTP folder and decrypt it as
>> an SDA.
>> Jeff Herrin
>   So tell them how *insecure* it is. It won't take any longer to truly encrypt
> a message/whatever than to make the same message/whatever an SDA. Tell them
> that if they're worried about being secure, they need to stop the SDA crud
> and do it right and tell them they need to quit being so lazy. It's just
> plain ridiculous to have a paid-for version of PGP on a windows machine, and
> just use it for SDA's, it's just simply ludicrous.
>   John
> --
> "You will bring ussss.....A SHRUBBERY!"
> These guys looked dangerous...and hungry,
> so to placate them until I found a shrubber,
> I fed them an MSN butterfly. They dined
> quite happily it seemed.
> _______________________________________________
> Gnupg-users mailing list